ATI - Early Warning Getting Started Guide

What is ATI - Early Warning?

ATI stands for Actionable Threat Intelligence. The important point of threat intelligence is to be proactive rather than reactive.

ATI - Early Warning reports which threats are being actively exploited in the wild today and which threats are being weaponized by threat actors. ATI - Early Warning entries take the form of vulnerabilities (CVEs). ATI - Early Warning exists both in the Intelligence Center (IC), where it is known as ATIC, and within the Armis Console, where it is known as Early Warning.

Better Outcomes with ATI - Early Warning

If you knew a person would break into your building through your ground-floor window tomorrow, you would take this actionable intelligence and determine how to detect or prevent it from happening. ATI - Early Warning applies the same concept: if you know what the threat actors are doing, you can determine what to patch, mitigate, detect, and threat hunt for, which features to enable in your existing products, and whether you need new security products to address these types of attacks.

ATI - Early Warning will help you be more effective and produce better outcomes across the organization, doing less work while being a lot more effective. Concentrating on what threat actors are actually doing significantly reduces the risk of being compromised while reducing the amount of effort spent protecting the organization. Instead of concentrating on thousands of possible things a day, it allows you to focus on what is really being used in attacks. It’s like a Jedi-mind laser focus that quickly allows you to stop your attacker.

Figure 2: Using CEWL for better outcomes across the organization

Effective Value from ATI - Early Warning

ATI - Early Warning can be used in a number of ways.

Value in five minutes

You can get value from ATI - Early Warning in the first five minutes by:

  • Treating new entries added to ATI - Early Warning as critical CVEs. This makes it easy to determine what to patch, and using this list lets a junior analyst perform like a senior analyst.

  • Using Armis as a trusted advisor. Instead of your department taking the blame for having to patch again, say that Armis said to patch; that’s our focus. We have big shoulders and are up to taking on this burden.

  • Uplifting your internal threat intelligence team with the information in ATI - Early Warning.

  • For previous ATI - Early Warning entries, looking within the Armis Console to see which vulnerabilities in your environment match.

  • Buying partner licenses to ensure these attacks are not compromising your supply chain/partner network. With ATI - Early Warning, you can integrate which CVEs your supply chain/partner network has patched using the processed visibility feature.

Value in 1-4 hours

Look at the ATI - Early Warning CVE entries and determine which controls are the best way to defend against each threat. Many OT/IoT/medical devices cannot be patched, so look at implementing other controls: detections, mitigations, and preventions. Implement a control based on this information. For example, for a malicious URL, put a block in place on a WAF/IPS, create a security alert for the detection of this malicious URL (IDS, Devo, Splunk), determine whether your EDR/MDR product would block this attack, or patch the software so that this bad URL is no longer effective.

Value in 1-2 days

For some attacks that don’t have flash alerts, more investigation will be needed. Sometimes the solution is self-evident. In other cases, you may need to research what your security products provide compared to what the threat actor is exploiting.

Strategic Value

Get ahead of the game.

Some of the ways you can be strategic with ATI - Early Warning:

  • Be proactive: knowing a CVE is in ATI - Early Warning, plan downtime in advance instead of reacting and bringing systems down at inopportune times.

  • Use the ATI - Early Warning information in an intelligence-driven cycle, gaining as much intelligence as possible from CEWL and your environment to make important changes to technologies, processes, structure, and people. Manage this information within the Armis Console.

  • Use SOC tickets recording what prevented, detected, or mitigated the CVE threats within CEWL to determine the effectiveness of your controls and decide what to do about the breadth and depth of your security controls. Do you have too much in one area and not enough in another?

  • Regulatory controls are coming into this space. Use ATI - Early Warning today so that you are ready to meet these emerging regulatory requirements.

  • Uplift your internal threat intel team when it comes to CVE Actionable Intelligence.

  • It’s hard to hire and retain excellent security people. This information can uplift your team and improve the outcomes of less experienced personnel.

Set yourself up for success with ATI - Early Warning

To be successful in using ATI - Early Warning, you need to create a repeatable process. The process should also be designed around some KPIs, such as how quickly a new ATI - Early Warning entry is actioned and how long it took to process. Longer term, you could also track how many detections, preventions, mitigations, and threat hunts were put in place as a result of ATI - Early Warning.

ATI - Early Warning in Intelligence Center (IC)
