Making the Most of Threat Intelligence
In most cases, gaining access to threat intelligence isn’t overly challenging for organizations as many cybersecurity vendors and service providers offer threat intelligence feeds. However, having access to data is not the same as using it effectively. Building a mature threat intelligence program is a multistage process, and understanding this process is essential to evaluating an organization’s current maturity level.
Stage 1: Collecting Threat Intelligence Data
The first step in building a threat intelligence program is gaining access to a usable set of threat intelligence. An organization with a mature cybersecurity program can (and should) generate in-house threat intelligence that is specific to its business. This typically comes from network data such as event logs, DNS logs, firewall logs, alerts, and incident response reports.
Internally generated threat intelligence is only half of the solution, since an organization can only generate threat intelligence after it has experienced a security incident and collected the appropriate data. Using threat intelligence proactively requires a wider field of view. Several large cybersecurity vendors possess global visibility and provide threat intelligence subscriptions based upon their analysis.
Stage 2: Asking the Right Questions
In many cases, the challenge with threat intelligence data is not having too little data, but too much. A combination of simple actions, such as subscribing to threat intelligence feeds and compiling incident response and forensic investigation data, can easily overwhelm an organization.
It’s important to keep in mind, however, that much of this data is of little or no value to the organization. For example, an organization in the manufacturing sector is unlikely to be targeted by threat actors seeking healthcare records. Conversely, medical institutions rarely need to defend against attacks geared towards the exploitation of industrial control systems.
Threat intelligence is only useful if it provides value to the organization. When selecting sources of threat intelligence data, it is essential to consider business needs and need-to-know.
At this stage of the process, an organization should work to develop criteria that separate useful intelligence from useless noise. According to Tom Kish, Senior Marketing Lead at Cyware, “Automation is key to prioritizing and making intelligence actionable. You need to ensure that the right data reaches the right stakeholder before it expires and without letting vital data get lost in the noise.”
Stage 3: Integrating Threat Intelligence
A large percentage of threat intelligence is designed for immediate use. It includes information such as malicious IP addresses, domain names, and signatures of known malware or malicious content.
The velocity of the cyber threat landscape is accelerating, and in many cases, threat intelligence can “go stale” within hours. After building a collection of carefully selected threat intelligence sources, the next step is to integrate these sources into an organization’s existing security deployment.
By automating threat intelligence collection and integration, an organization can ensure its security solutions are operating on the latest threat data. This helps those solutions identify and block known-bad traffic before it enters the network.
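One way to put Stages 2 and 3 into practice, as an added example that is not from the article: filter a feed down to indicators that are relevant to the organization's sector and not yet stale, then match the survivors against firewall and DNS log lines. The feed entries, sector tags, timestamps and log lines below are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed feed entries (not from any real vendor): indicator type and value,
# the sectors the vendor tags it as relevant to, and when it was last seen.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
FEED = [
    {"type": "ip", "value": "203.0.113.10", "sectors": {"manufacturing"},
     "seen": NOW - timedelta(hours=2)},
    {"type": "domain", "value": "bad.example", "sectors": {"healthcare"},
     "seen": NOW - timedelta(hours=1)},
    {"type": "ip", "value": "198.51.100.7", "sectors": {"manufacturing", "healthcare"},
     "seen": NOW - timedelta(days=3)},   # too old: will be dropped as stale
    {"type": "domain", "value": "c2.example", "sectors": {"manufacturing"},
     "seen": NOW - timedelta(hours=6)},
]

# Constructed firewall and DNS log lines in a simple key=value format.
LOGS = [
    "2024-01-15T11:50:00Z fw  ALLOW src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2024-01-15T11:51:00Z dns query=bad.example client=10.0.0.8",
    "2024-01-15T11:52:00Z fw  ALLOW src=10.0.0.9 dst=198.51.100.7 dport=80",
    "2024-01-15T11:53:00Z dns query=c2.example client=10.0.0.5",
]

def select_indicators(feed, sector, now, max_age=timedelta(hours=24)):
    """Stage 2: keep only indicators tagged for our sector and fresher than max_age."""
    return {
        (i["type"], i["value"])
        for i in feed
        if sector in i["sectors"] and now - i["seen"] <= max_age
    }

def match_logs(indicators, logs):
    """Stage 3: return (indicator, log line) pairs where a log line touches an indicator."""
    hits = []
    for line in logs:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        # A firewall line contributes its destination IP, a DNS line its queried name.
        candidates = {("ip", fields.get("dst")), ("domain", fields.get("query"))}
        for ind in sorted(candidates & indicators):
            hits.append((ind, line))
    return hits

if __name__ == "__main__":
    selected = select_indicators(FEED, "manufacturing", NOW)
    for ind, line in match_logs(selected, LOGS):
        print(f"HIT {ind[0]}={ind[1]}: {line}")
```

The healthcare-only domain is filtered out as irrelevant and the three-day-old IP as stale, so only two of the four log lines produce hits.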
Stage 4: Understanding Threat Intelligence
Proactive defense is not the only application of threat intelligence; sometimes threat intelligence arrives too late to be useful. In other cases, threat intelligence is designed to be more high-level, focusing on the tools, techniques, and capabilities of threat actors rather than the signature of an attack.
Learning to understand and interpret threat intelligence is the next stage in the maturity process. Threat intelligence can be used as input into threat hunting activities (e.g. determining whether a threat is present on the network, or designing defenses for a specific technique). Threat intelligence should also be used as an input into incident response activities, since knowledge of the most recent cyber threats can expedite identification and remediation of an incident.
Stage 5: Creating Strategic Threat Intelligence
Finally, threat intelligence can be used at the strategic level. Threat intelligence can reveal trends in the cyber threat landscape, which are often outlined in cybersecurity vendors’ quarterly or annual reports. Information about historical attacks against the organization can help to categorize the types and frequency of attacks, which could indicate a change in attackers’ strategy.
All of this information is valuable input into an organization’s risk management and strategic planning initiatives. Threat intelligence can highlight gaps in an organization’s network visibility and security architecture, providing guidance on where additional investment is needed. Similarly, intelligence about current and upcoming threats can be used to refine cybersecurity awareness training and other initiatives to better prepare employees to protect themselves and the organization against attack.