Building a Threat Intelligence Framework to Defend Against Cyberattacks

Posted: 14th November 2017

Editor’s Note: The following blog post is a partial summary of a SANS webinar we co-hosted with Dave Shackleford.

Cyber threat intelligence is the output of analysis based on identification, collection, and enrichment of relevant data and information. With thousands of potential data sources, generating true threat intelligence to combat cyberattacks must be a combination of the right technology and the right people.

To effectively analyze all the threat data that’s available, security teams also require a framework to process all the information that flows their way. They then need put that data into proper context to react appropriately.

Building a threat intelligence framework is just as much about identifying and mitigating legitimate major threats as it is about avoiding false positives and threats that would otherwise present little impact to the business operations. The last thing you want is to have your information security team waste valuable time chasing a threat that won’t result in major consequences, taking them away from the possibility of detecting an attack that could bring the whole network down.

Goals Before Data

As a starting point to building a threat intelligence framework, put aside, at first, thinking about the data you need from cyber threat intelligence feeds and the sources for that data. Begin rather by determining the goals of your program:

  • What systems, data, and other digital assets must be protected?
  • How do you anticipate threat intelligence will help protect those assets?
  • With which specific tactics are you expecting intelligence to help?

The answer to this last question might be to block attacks, streamline incident responses, facilitate vulnerability management, reinforce compliance, or to help with some other area of security operations. Perhaps you want threat intelligence to assist in all of these areas. It’s critical to understand the goals before selecting and ingesting threat intelligence data.

Threat Intelligence Framework Tools

Taking it a step further, the answers to all of the questions above will help direct you towards the type of data feeds you need to collect. From there, you can then categorize the framework tools the information security team will need at its disposal. These tools typically fall into three main categories:

  • Collecting: Ingesting threat data from the right sources.
  • Processing: Turning the data into useful information.
  • Analyzing: Turning the information into actionable intelligence.

As the information security team works its way through these three stages, the volume of data to handle will decrease, while the value of the data will increase. With less noise and false positives to deal with, the team can better prioritize its activities, focusing on what matters.

All three components require utilizing the right technologies and the right forensic expertise. When armed with the right intelligence, skilled resources can intervene to detect and prevent threats before they do any damage. If any threats breach the digital infrastructure, the combination of intelligence and expertise can serve to mitigate the damage. Here are some examples of cyber threat intelligence resources:

  • Forums (both hackers and researchers)
  • Paste sites (leak and breach posts)
  • Blogs and social media (security community)
  • Real-time alerts (changes to tactics, techniques, and procedures)
  • Threat deeds (open source feeds number in the hundreds)
  • Dark web collection (TOR pages, IRC channels)
  • Code repositories (malware code, vulnerability databases)
  • Technical collection (Shodan RAT controllers, Google dorking, GEO IP)

The Cyber Threat Intelligence Payoff

By building a threat intelligence framework, your information security team will gain the ability to act quickly (before attacks occur) and to put threats into context. Just how big is the threat, and is it time to put all hands on deck?

The team will also become more proficient at uncovering and investigating new threats and techniques, as well as identifying new and interesting attack patterns, external adversaries, indicators of compromise, and malicious behavior that could otherwise go undetected.

Threat intelligence can also be integrated with your existing information security technologies and processes. With meaningful and contextual integrations in place, organizations gain the confidence that they can make informed decisions faster.

Proficient, informed decision making is the name of the game. With a threat intelligence program integrated as part of a company’s larger information security management program, security teams will know more about the threats quickly, giving them the ability to defend their organization much more proactively.

To find out how you can build a framework with threat intelligence from billions of data points in multiple languages from technical, open, and closed (dark web) sources, request a personalized demo today.