Mapping Threat Intelligence to Your Security Program Goals

Posted: 23rd October 2019

In mid-August, ransomware took down the IT systems of 23 local governments in Texas. Before that, the city of Riviera Beach, Florida paid $600,000 in Bitcoin to cover attacker demands. The FBI says 1,493 ransomware attacks were reported nationwide last year, with victims paying $3.6 million to cybercriminals.

As cyberattacks continue to make news on a daily basis, businesses are increasingly turning to threat intelligence platforms to protect their digital assets. Before starting that journey, consider your security program’s overall goals so you can map the security measures your organization requires to the appropriate solution.

Threat intelligence platforms integrate external information with alerts and data generated by internal security tools. This allows security teams to gain context around indicators of compromise on IT infrastructures, giving them a much-needed leg up when it comes to identifying and responding to threats and attacks. This technology integration extends beyond the tactical aspects of security management, as it can influence security policy, planning, and investment decisions. At the same time, incident response teams find threats faster, and vulnerability management teams can more easily prioritize risks.

Before starting the journey toward incorporating a threat intelligence platform into your security program, it’s important to identify your needs. Consider which teams in your organization will benefit the most. What types of threat intelligence should you focus on procuring and producing? Which threat intelligence solution will best fulfill these needs?

The NIST Security Goals Framework

For investments in threat intelligence to truly pay off, the intelligence must ultimately deliver benefits that map to your overall security program goals — otherwise, you may limit your investment’s return before you even implement it. While the goals will differ from company to company, a good starting point is the framework recommended by NIST.

As noted by NIST, these five goals represent the primary functions of a successful and holistic cybersecurity program. They aid organizations in easily expressing their management of cybersecurity risk at a high level and enable risk management decisions:

  1. Identify involves determining your IT risks and securing the necessary budget and resources to defend your digital resources. Your decisions should be based on the contextualized threat intelligence you collect. In addition to assessing internal IT risk, this goal should include analyzing the security competence of third-party vendors and any customers with whom you exchange data. It’s critical to identify those that represent an elevated risk to your organization’s systems and data. It’s also important to bring in threat intelligence on the risks your competitors face, because you likely face similar threats.
  2. Protect is about deploying the required security controls (technologies and processes) to defend your digital assets, and then validating that these controls align to the risks you identified. For example, controls should be applied to set up defenses against exploit kits, as well as undisclosed zero-day and embargoed vulnerabilities, as identified by your threat intelligence platform. You also need to safeguard against the exploitation of high-risk vulnerabilities in your technology stack.
  3. Detect revolves around your ability to block attacks before they impact digital assets. Threat intelligence helps by enabling you to identify and research the evolution and trends of malware families with high risk to your organization. In addition to identifying the security patches to apply, you will also gain intelligence on which systems are most susceptible and which are being actively targeted and exploited.
  4. Respond refers to how fast your security team reacts to breaches; even the strongest security postures do not offer a 100% guarantee that cyberattacks will not succeed. Threat intelligence assists in the response process by evaluating the data exposure and the digital asset damage your organization is facing. This can then be reported to all affected parties and stakeholders — not only for remediation teams, but also for non-technical personnel who may need to prepare for the impact on day-to-day operations and the potential impact on vendors, clients, and perhaps even the overall market in which you operate.
  5. Recover is all about how quickly the damage inflicted upon the organization’s technology stack and surrounding ecosystem can be mitigated, including any and all operations that must be restored as the security incidents are being closed out. Threat intelligence helps pinpoint the specific measures the security team should take in order to quarantine infected systems and neutralize the malicious elements still active in the environment. The ultimate goal in the case of a breach, of course, is to quickly and safely restore the digital assets to fully functioning systems with all security measures intact.

Threat intelligence data can also map to tasks handled by those who manage your organization’s security program. This includes data that identifies attack planning that could specifically target your organization, and attack trends that identify campaigns targeting your industry in general. That data may also indicate an increased risk score for your particular infrastructure. A mature security management program is one that has a clear, informed view of its risk profile and is taking routine measures to mitigate that risk. In most cases, this requires integrated threat intelligence as part of the program.
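The integration described earlier (external indicators joined with alerts from internal tools to add context) and the risk score mentioned here can be illustrated in a few dozen lines. The following is an added example written for this page; it is not code from Recorded Future or from the original post. The feed layout, the key=value alert format, the campaign names, the defended sector and the scoring weights are all assumptions, and the indicators use documentation-only addresses and domains.

```python
"""Enrich internal alerts with external threat-intelligence context and rank them.

Added example, not vendor or original-post code. Feed format, alert format,
campaign names, sector and weights are assumptions made for illustration.
"""

# Constructed external threat-intelligence feed (hypothetical entries using
# TEST-NET addresses and .example domains). Each indicator carries the context
# the post describes: associated campaign, sectors targeted, feed risk 0-99.
THREAT_FEED = {
    "203.0.113.45": {"type": "ip", "campaign": "CAMPAIGN-A",
                     "sectors": ["local-government"], "risk": 85},
    "malware-staging.example": {"type": "domain", "campaign": "CAMPAIGN-B",
                                "sectors": ["finance"], "risk": 60},
    "198.51.100.7": {"type": "ip", "campaign": "CAMPAIGN-A",
                     "sectors": ["local-government", "finance"], "risk": 90},
}

# Constructed internal alerts (e.g. firewall/proxy export) as key=value lines.
INTERNAL_ALERTS = [
    "ts=2019-10-23T10:01:02Z src=10.0.5.12 dst=203.0.113.45 action=allow asset=file-server-01 criticality=high",
    "ts=2019-10-23T10:02:10Z src=10.0.7.3 dst=93.184.216.34 action=allow asset=workstation-22 criticality=low",
    "ts=2019-10-23T10:03:44Z src=10.0.5.12 domain=malware-staging.example action=block asset=file-server-01 criticality=high",
    "ts=2019-10-23T10:04:00Z src=10.0.9.9 dst=198.51.100.7 action=allow asset=dc-01 criticality=critical",
]

ORG_SECTOR = "local-government"  # assumed sector of the organization being defended
CRITICALITY_WEIGHT = {"low": 0.5, "medium": 0.75, "high": 1.0, "critical": 1.25}


def parse_alert(line):
    """Parse one key=value alert line into a dict (unknown keys are kept as-is)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def enrich(alert):
    """Attach feed context to an alert; return None when no indicator matches."""
    for key in ("dst", "domain"):
        indicator = alert.get(key)
        if indicator and indicator in THREAT_FEED:
            return {**alert, "indicator": indicator, "intel": THREAT_FEED[indicator]}
    return None


def score(enriched):
    """Priority = feed risk, weighted by asset criticality, sector relevance and outcome."""
    intel = enriched["intel"]
    value = intel["risk"] * CRITICALITY_WEIGHT.get(enriched.get("criticality", "medium"), 0.75)
    if ORG_SECTOR in intel["sectors"]:
        value *= 1.2   # campaign is known to target our sector
    if enriched.get("action") == "allow":
        value *= 1.5   # traffic was not blocked: possible compromise, not just an attempt
    return round(value, 1)


def prioritize(lines):
    """Return matched alerts with a priority score, highest first."""
    hits = []
    for line in lines:
        enriched = enrich(parse_alert(line))
        if enriched is not None:
            enriched["priority"] = score(enriched)
            hits.append(enriched)
    return sorted(hits, key=lambda h: h["priority"], reverse=True)


def campaign_summary(hits):
    """Map each campaign to the internal assets it has touched (input to the Identify function)."""
    summary = {}
    for hit in hits:
        summary.setdefault(hit["intel"]["campaign"], set()).add(hit["asset"])
    return summary


if __name__ == "__main__":
    ranked = prioritize(INTERNAL_ALERTS)
    for hit in ranked:
        print(f'{hit["priority"]:>7}  {hit["asset"]:<16} {hit["indicator"]:<26} {hit["intel"]["campaign"]}')
    print(campaign_summary(ranked))
```

Only allowed connections to indicators tied to a campaign that targets the defended sector float to the top; a blocked connection to a feed entry for an unrelated sector still surfaces, but with a lower priority. The campaign summary is the kind of aggregate the Identify function consumes when deciding where budget and attention go, while the ranked list feeds Detect and Respond.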

Consider Reputation Risk

In addition to the IT risks, it’s important to leverage threat intelligence to measure the risks to your organization’s reputation. Consider the hit that organizations across all industries take when their digital assets are compromised. A damaged brand — even a partner’s damaged brand — can harm long-term client relationships and erode trust within your market segment.

Fortunately, certain solutions have already been proven to help solve this challenge. By utilizing Recorded Future, you can identify indicators of compromise associated with specific operations, campaigns, and threat actors. This makes it easier to effectively track and mitigate cyberattacks and make sure your valuable digital assets are always well-guarded.