Act on exposed entities

Exposure shows you how your organization uses ingested intelligence to drive risk management processes.

When Intelligence Center entities are flagged as exposed, your organization is not actively leveraging available cyber threat intelligence (CTI) to drive effective courses of action. Intelligence is either underutilized, or it is ignored.

Exposure helps you assess how your organization uses and leverages CTI: how is CTI affecting the organization? Is the organization using CTI to drive processes to detect, deter, and defeat attacks and to minimize risk? What is working well, and what can be done to improve intelligence utilization in the organization’s risk management practices?

Exposure provides a user-friendly overview that helps you answer these questions by showing you how your organization uses existing CTI, and what it can do to use CTI more efficiently.

View exposure

Exposed entities are ingested and processed. However, their intelligence value is not leveraged to drive follow-up actions.
For example, triggering a detection event in a malware detection application downstream in the system; or a prevention event such as creating a firewall rule; or a community event such as sending a notification message to inform other parties about the possible threat the entity represents.
Exposed entities hold intelligence value that is not consumed.

You first need to configure Exposure to specify the filtering criteria the Intelligence Center should apply when flagging entities as exposed.
After defining the exposure settings you can view exposed entities, based on your configuration.

To view exposed entities, do the following:

  1. In the left navigation bar, go to Exposureimages/download/attachments/86441036/exposure.svg-x24.png .

  2. On the Exposure view click the Entities tab to display an overview of all currently exposed entities.
    You can sort the items on the view by column header. To do so, click the column header you want to base the data sorting on. An upward-pointing or a downward-pointing arrow in the header indicates ascending and descending sort order, respectively.

  3. To toggle quick filter visibility click images/download/attachments/3604538/filter.PNG .

  4. On the left-hand navigation sidebar click a filter group name to expand the corresponding sub-nodes:

    1. Entity: select one or more checkboxes to view exposure details for the specified entity types.

    2. Date: select a time interval to view exposure details for the entities ingested between the specified start and end dates.

    3. Dataset: select one or more checkboxes to view exposure details for the entities belonging to the specified datasets.
      The Dataset filter is not available when the results do not include any entities belonging to at least one dataset.

You can stack and combine filters as you need.
For example, you can create a filter to view exposure details for indicators belonging to the X, Y, and Z datasets, ingested in the first half of last month.

The Exposure view shows the following exposure-specific information:

  1. Exposed: indicates that the entity is exposed, that is, it is not used in any detection, prevention, or community integrations or processes.

  2. Detection: the entity and the intelligence value it holds are being consumed in an integration with an external system. In this case, with a detection system.
    If the dot is green, the entity information is used to carry out a follow-up action.
    It can be a detection follow-up — for example, it can trigger adjusting the settings of a malware detection application accordingly.
    It can be a prevention follow-up — for example, it can instrument a third-party system to block a range of malicious IP addresses or domain names.
    Or it can produce a community follow-up — for example, creating and publishing a report to notify other parties about the possible threat the entity represents.

  3. Prevention: the entity and the intelligence value it holds are being consumed in an integration with an external system. In this case, with a prevention system.
    If the dot is green, the entity information is used to carry out a follow-up action.
    It can be a detection follow-up — for example, it can trigger adjusting the settings of a malware detection application accordingly.
    It can be a prevention follow-up — for example, it can instrument a third-party system to block a range of malicious IP addresses or domain names.
    Or it can produce a community follow-up — for example, creating and publishing a report to notify other parties about the possible threat the entity represents.

  4. Community: the entity and the intelligence value it holds are being consumed in an integration with an external system. In this case, with an information distribution system.
    If the dot is green, the entity information is used to carry out a follow-up action.
    It can be a detection follow-up — for example, it can trigger adjusting the settings of a malware detection application accordingly.
    It can be a prevention follow-up — for example, it can instrument a third-party system to block a range of malicious IP addresses or domain names.
    Or it can produce a community follow-up — for example, creating and publishing a report to notify other parties about the possible threat the entity represents.

  5. Sighting: a warning icon means that the entity has been seen in a secured domain, and there should be a sighting entity recording the occurrence.

  6. Click the refresh icon to refresh and update the view.

If an entity has been sighted — — it is by default exposed, regardless of any integration with external detection, prevention or information distribution systems.


Configure exposure

You can configure Exposure to be as generic or as specific as you need:

  1. In the left navigation bar, go to Exposureimages/download/attachments/86441036/exposure.svg-x24.png .

  2. On the Exposure view click the Settings tab, and then Edit exposure settings to modify exposure behavior.

On the Edit exposure settings configuration view you can select which entity types you want to watch for exposure:

  • Entity types: from the drop-down menu select one or more entity types to include in the exposure configuration.
    The Intelligence Center starts tracking the entity types defined here to assess their exposure, that is, to check whether the organization is leveraging the intel value of the tracked entities by routing the data to detection (for example, a IPS) or prevention (for example, a firewall) systems, or by sharing the information through outgoing feeds or published intel reports.
    Sightings are by definition indications of exposure.

  • Entity age: it defines a time interval in days, ranging from now, that is, the current time, to a point in the past.
    It is an integer.
    The Intelligence Center tracks for exposure only the entities inside this range, that is, the entities that are not older than the number of days specified here.

  • Click Save to store your changes, or Cancel to discard them.

After configuring exposure behavior, you should configure which outgoing feeds should share and distribute exposure information to external systems and devices, so that the data can trigger appropriate actions and responses as part of a concerted course of action.

  1. On the top navigation bar click Intelligence > All intelligence > Exposure.

  2. On the Exposure view click the Outgoing feeds tab to display a list of all the currently configured outgoing feeds for the Intelligence Center.

On this view you can map outgoing feeds to the purpose they serve in the context of an integration with external systems and devices.
For example, if you are publishing an outgoing feed to an external detection system, the feed data stream is used to detect potential threats.

Within exposure an unused outgoing feed, or a wrongly mapped outgoing feed — for example, an outgoing feed marked as Detect, but used to distribute CTI to a relevant community, instead — is flagged as exposed.

For each outgoing feed in the overview, you can select an option to map feed usage to the purpose it should accomplish in the context of risk mitigation:

  • Detect: the outgoing feed publishes content to an external detection system.

  • Reactive de-risking: the feed data is used to detect potential threats that have infiltrated your organization.

  • Prevent: the outgoing feed publishes content to an external prevention system.

  • Proactive de-risking: the feed data is used to prevent potential threats from attacking your organization.

  • Community: the outgoing feed publishes content to an external information distribution system.

  • Knowledge sharing: the feed is used to share CTI with other parties within or outside the organization.

  • N.A.: the outgoing feed does not publish to any external system.

Override exposure

You can manually override the configured exposure settings for an entity. The Override exposure option enables reversing the Detection, Prevention, and Sighting exposure values, and setting them to their corresponding opposite values.

To manually change the exposure state of an entity do the following:

  1. In the left navigation bar, go to Exposureimages/download/attachments/86441036/exposure.svg-x24.png .

  2. On the Exposure view click the Entities tab, and then click the dotted menu icon on the row corresponding to the entity whose exposure settings you want to override.

  3. From the context menu select Override exposure.

  4. On the Override exposure state tab on the dialog, select Override exposure state to ON to enable override and to reverse the current exposure value of the selected entity for Detection, Prevention, and Sighting.

  5. You can optionally specify a start date for the override to become effective: from the drop-down menu select select the desired start date.

  6. Click Save to store your changes, or Cancel to discard them.

An entity exposure override history is stored in reverse chronological order, based on the time when the override change was applied.
To view the exposure override history of an entity do the following:

  1. In the left navigation bar, go to Exposureimages/download/attachments/86441036/exposure.svg-x24.png .

  2. On the Exposure view click the Entities tab, and then click the dotted menu icon corresponding to the entity whose exposure override histroy you want to view.

  3. From the context menu select Override exposure.

  4. On the dialog, select the History tab to view the change chronology.

After confirming and saving a manual exposure override, the override value persists until new content is generated, and the entity is updated.