Creating and Delivering Actionable Threat Intelligence

Posted: 3rd November 2015

Valuable threat data and information are sitting on the web – on Tor sites, IRC channels, forums, paste sites – and with enough time and resources, it can be found.

Getting to all this data manually, however, is next to impossible. Even with automated collection, the data is just data until it’s contextualized, organized, and allows the recipient to take some action, at which point it becomes intelligence. Creating and delivering threat intelligence presupposes a dedicated and concerted plan, which can be costly and complex.

During a live webinar with Recorded Future, Rob Kraus, Director of Research and Strategy for the Solutionary Engineering Research Team, explained what it means to take data, build a roadmap, and convert it into a useful threat product.

Kraus shared that getting an organization to a point where it can find, consume, and act upon threat intelligence is not impossible, but it requires detailed planning.

This foundational element of a threat intelligence program is building out your organization’s individual Priority Intelligence Requirements (PIRs): What are your threat intelligence goals? What threats/actors/exploits/leaked information are you looking for? What does your organization most need to protect?

PIRs must provide situational awareness into the threat landscape and help feed the business’s overall strategic goals. It’s particularly important that PIRs be evaluated constantly, as the business grows and the threat landscape evolves. Neither side is static, and therefore a set-it-and-forget-it mentality will turn your threat program into a wasted effort.

After setting the Priority Intelligence Requirements, the next step is to identify information sources and validate and apply confidence ratings to the usefulness and accuracy of those sources. A data source that supplies smoke and mirrors won’t help your organization achieve an improved risk posture.

Once the sources of valid data and information have been identified, an organization must have the capability to collect and store the raw data so that it can be processed and exploited in a way that allows the threat analyst to see interesting data.

At this point, the threat analysts should ask: Does the data support our PIRs? Is it useful? Is it actionable? Asking these questions allows the analyst to formulate an analysis and recommendations around emerging threats.

After all the seeking, collecting, organizing, and analyzing, the organization needs a mechanism to deliver the intelligence product to the appropriate people, be they the security team, IT teams, executives, the board, or partners. The delivery of the intelligence product is especially important because, as Kraus offered, “Intelligence without action is as valuable as not having intelligence at all.”

An effective threat intelligence program is actionable and allows the organization to understand threats, threat actors and their capabilities; identify risks before they’re realized; learn where exposed data may be lurking; mitigate attacks more effectively; and determine countermeasures and controls.

To listen to the entire set of recommendations, watch our free webinar. To learn how Recorded Future is helping fulfill the core elements of building a successful threat intelligence program by helping find, collect, organize, and correlate threat intelligence from the open, deep, and dark web, request a personalized demo.