The Threat Intelligence Race to Improve Your Security Posture

Posted: 25th October 2017
Threat intelligence can pay huge dividends in helping you protect your IT infrastructure and digital assets. Knowing what cybercriminals are up to and which forms of malware are lurking on the internet enables you to ensure your security posture is up-to-date and ready to defend against any malicious activity that might come your way.

However, the amount of threat intelligence that’s available can also be overwhelming. Not every threat pertains to your environment. Some threats only warrant a low priority in terms of the high-cost or high-effort mitigations that might apply. Still, you need to make sure you don’t miss anything that should get your full attention.

The 4 Types of Threat Intelligence

To help take on the challenge of parsing through all the data, it is important to understand the four categories of threat intelligence:

1. Tactical

Tactical threat intelligence is often referred to as tactics, techniques, and procedures (TTPs). This type provides information about how threat actors conduct attacks and is generally consumed by network defenders and incident response staff to ensure that their defenses, alerts, and investigations are prepared for current tactics. As an example, attackers using tools to obtain clear-text credentials and then replaying those credentials through PsExec is tactical intelligence. This type of information can prompt defenders to change policy, prevent interactive logins by admins, or ensure logging captures the use of PsExec.

2. Technical

Technical threat intelligence usually arrives in the form of raw technical data and is normally consumed through technical means. An example would be a feed of IP addresses suspected of being malicious or implicated as command-and-control servers. Technical threat intelligence often has a short lifetime, as attackers can easily change IP addresses or modify MD5 checksums; hence the need to consume such intelligence automatically, in as close to real time as possible. This type of intelligence also typically feeds the investigative or monitoring functions of a business, by blocking attempted connections to suspect servers, for example.
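As an added illustration (not code from the original post) of consuming technical intelligence automatically, the following Python merges two constructed IP feeds, ages out indicators whose short lifetime has expired, collapses duplicates reported by both feeds into one record, and matches the result against constructed firewall log lines. Feed names, TTL values and the key=value log format are all assumptions.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed sample feed entries using TEST-NET addresses, not real indicators:
# (indicator, source feed, first_seen ISO timestamp, lifetime in hours)
FEED_A = [
    ("203.0.113.10", "feed-a", "2017-10-24T12:00:00", 48),
    ("198.51.100.7", "feed-a", "2017-10-20T08:00:00", 24),   # expired by NOW below
]
FEED_B = [
    ("203.0.113.10", "feed-b", "2017-10-25T01:00:00", 48),   # same IP as feed-a reports
    ("192.0.2.55", "feed-b", "2017-10-25T06:00:00", 12),
]

def build_blocklist(feeds, now):
    """Merge feeds into {ip: {"sources": set, "expires": datetime}},
    skipping expired indicators and deduplicating across sources."""
    active = {}
    for entries in feeds:
        for ioc, source, first_seen, ttl_hours in entries:
            ip = str(ipaddress.ip_address(ioc))       # normalise; raises on malformed input
            expires = datetime.fromisoformat(first_seen) + timedelta(hours=ttl_hours)
            if expires <= now:
                continue                                # short-lived indicator has aged out
            rec = active.setdefault(ip, {"sources": set(), "expires": expires})
            rec["sources"].add(source)                  # one record, however many feeds list it
            rec["expires"] = max(rec["expires"], expires)
    return active

def match_connections(log_lines, blocklist):
    """Return (dst_ip, sorted sources) for each log line whose destination is listed."""
    hits = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split())
        dst = fields.get("dst")
        if dst in blocklist:
            hits.append((dst, sorted(blocklist[dst]["sources"])))
    return hits

NOW = datetime(2017, 10, 25, 12, 0, 0)
# Constructed firewall log lines in key=value form
LOG = [
    "ts=2017-10-25T11:58:01 src=10.0.0.5 dst=203.0.113.10 dport=443",
    "ts=2017-10-25T11:58:02 src=10.0.0.6 dst=198.51.100.7 dport=80",
    "ts=2017-10-25T11:58:03 src=10.0.0.7 dst=192.0.2.55 dport=8080",
    "ts=2017-10-25T11:58:04 src=10.0.0.8 dst=203.0.113.99 dport=443",
]

if __name__ == "__main__":
    bl = build_blocklist([FEED_A, FEED_B], NOW)
    for dst, srcs in match_connections(LOG, bl):
        print(f"block/alert {dst} (reported by {', '.join(srcs)})")
```

The connection to 198.51.100.7 is not flagged because that indicator's lifetime has lapsed, while 203.0.113.10 is reported once even though both feeds carry it.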

3. Operational

Operational threat intelligence includes information about specific impending attacks that target your organization. This type is initially consumed by high-level information security staff, such as security managers or incident response managers. In some cases — such as when the intelligence clearly indicates risk to the operation or reputation of the business — this information may prove valuable to the risk management team as well. The intelligence indicates which cybercriminal groups are planning an attack, when, and how. But such intelligence is very rare. In the majority of cases, only government organizations have access to attack groups and the infrastructure necessary to collect this type of intelligence.

4. Strategic

Strategic threat intelligence comprises high-level information in the form of reports, briefings, or conversations. Usually consumed by senior decision makers and support management teams, this type of intelligence can cover things such as the financial impact of cyber activity, attack trends, and areas that might impact high-level business decisions. An example would be a report indicating that a particular government is believed to have hacked into foreign companies that have direct competitors within their own nation.

Which types of tools you use and how many of each type will depend on your risk appetite, the current maturity level of your security posture, and the available resources your organization can apply to its threat intelligence activities — both in terms of people and technology. One way to approach the challenge is to divide the effort among different teams or individuals.

These types of intelligence are not just for the threat analyst. Security operations teams, incident responders, and vulnerability management functions can all apply, manage, and prioritize the intelligence they receive and then share with others as appropriate. Depending on the severity of a potential threat, intelligence may also need to be shared at the CFO/CEO or board level.

To improve your organization’s security posture, it’s best to use a combination of the above threat intelligence sources. While tactical information is important in the daily fight against cybercriminals, you need to plan strategically to know what might be coming in the next 6–12 months so you can proactively prepare your IT infrastructure.

Avoiding the Pitfalls of Collecting Threat Intelligence

The threat intelligence information you collect using the above sources must also be assimilated in a useful form and applied correctly. The following are five common reasons why threat intelligence often fails to protect organizations:

1. Misunderstanding the Value to the Business

Are business problems being solved by a particular threat intelligence feed, or did someone subscribe to the threat intelligence service because the data looks interesting and the charts look cool? If the intelligence isn’t tied to a business problem, chances are the service is a waste of money.

2. The Wrong Feed

There are many threat intelligence feeds available, so consider whether each source works effectively for you. Do you only need raw data, or do you need processed intelligence? Is it drawn from public data, or from private data shared anonymously by other organizations? Also, be sure to minimize redundancy. Seeing the same threat reported on two similar feeds doesn’t make it twice as important.

3. Focusing on the Wrong Thing

Instead of just focusing on intelligence feeds, factor in your entire collection of information: internal data (threats, attacks, policies) as well as analyzed data (traffic/event monitoring, user/system activity blocking, rules/policy adjustments). Consuming intelligence on a regular, real-time basis is also critical. Just looking at the data once per week or expecting automated alarms to catch all the hazards won’t cut it.

4. Drowning in Too Much Data

Many cybersecurity professionals ignore security events and alerts because there’s too much to consume. They can’t keep up with the volume and end up with security data overload. Some of the causes include feeds that are intended for the wrong industries, the wrong types of companies, and even for inappropriately sized security teams. Another cause is redundancy — getting the same data from multiple sources.

5. Inability to Operationalize the Data

The majority of IT leaders say threat intelligence can prevent or minimize an attack, but they are also not satisfied with their current approaches because the information is not timely or is not well-categorized according to threat type or attacker. Threat intelligence alone does not trigger a response to a breach. The information security team needs to know what the nuances are, why they matter, and how to use the data to drive the necessary action.

Are You Running a Sprint or a Marathon?

When beginning the effort to consume threat intelligence, many businesses start by tapping into free feeds that provide tactical data such as lists of IP addresses to block, or command-and-control servers to watch out for. But this approach misses the big picture of thinking strategically.

Reacting to threat intelligence just to do it is not the right model. Simply because a threat feed is free doesn’t mean it’s a good investment of time — it could be resource-intensive and may generate a lot of false positives. It’s easy to act on the tactical and technical stuff, but it’s equally important to make the operational and strategic types of intelligence just as actionable.

Instead of handling the different types of threat intelligence in isolation, think of them as more of a lifecycle to run through. Apply the intelligence to security controls and balance how you react against your available resources and capabilities, as well as your appetite for risk and the maturity of your current security posture.

Before you start the race, you need to know whether it’s a 100-meter sprint or a marathon. That means tapping into strategic tools and also carefully considering how you will manage the magnitude of intelligence data that comes in.

For more information on utilizing threat intelligence sources to improve the security posture of your organization, read our white paper titled “Best Practices for Applying Threat Intelligence.”