Connecting the Dots to Build a Threat Intelligence Framework

September 6, 2019 • The Recorded Future Team

As cybercrime costs continue to soar and cyberattacks increase in sophistication, security teams find themselves overwhelmed with security alerts. As a result, it’s difficult to prioritize mitigation efforts and much time is often wasted chasing false positives.

One way to solve this challenge is by building and incorporating a threat intelligence framework to streamline the collection, processing, and analysis of threat intelligence data. The resulting information gives security teams the ability to focus their mitigation efforts on the threats that can do the most damage to the company’s digital assets.

In this blog, we take you through the core steps for building a threat intelligence framework.

Rising Cybercrime Highlights Need for Threat Intelligence

The global cost of cybercrime is estimated to be $600 billion according to a 2018 report published by the Center for Strategic and International Studies (CSIS). That’s nearly 1% of the global GDP and has grown almost 35% (from about $445 billion) since 2014.

Stats like these demonstrate how cybercriminal activity continues to increase rapidly. Attacks impact businesses of all sizes and are becoming more sophisticated, making them more difficult to detect. Security teams can also find themselves deluged with data coming from various internal and external threat detection tools.

In addition to identifying and mitigating legitimate major threats, another challenge is managing the overwhelming number of security alerts. Many of them are false positives and threats that present little impact to the business. Security teams frequently waste time chasing threats that may have little impact on the business or won’t result in major consequences even if the threats materialize. This, of course, takes away precious time the team could be spending on detecting attacks that could bring the whole infrastructure down.

That’s why it’s vital to design and deploy an effective threat intelligence framework. Only then can security teams be presented with the information necessary for them to focus their efforts toward protecting the company’s most critical digital assets.

Set Objectives Before Building Your Threat Intelligence Framework

To help you connect the dots to build a threat intelligence framework, first assess your entire IT environment. With this view, you can then apply some business analysis to the picture to find out what your security team is hoping to accomplish by using threat intelligence within your overall security program, mapped to your environment:

  • Document all systems, data, and other digital assets that must be protected.
  • Analyze the risk to the business if those assets were to be compromised.
  • Determine how threat intelligence can help identify the threats posed to those assets such that the team can begin to protect those assets.
  • Identify specific threat mitigation tactics that intelligence can facilitate.

Key areas in which threat intelligence can help with this model include the following use cases:

It’s critical to determine which objectives are important to your company before building your threat intelligence framework. Completing this activity will also help you identify the type of internal and external data feeds you need to tap into.

A Foundation for Your Threat Intelligence Framework

After setting your objectives, you can begin to categorize the tools your security team will need across the primary threat intelligence framework categories: collection, processing, and analysis.

Collection: Ingesting Threat Data from Internal and External Sources

Information collection can occur through multiple channels. The data collected will typically be a combination of finished information, such as intelligence reports from cybersecurity experts and vendors, along with raw data, like malware signatures or leaked credentials on an open source intelligence paste site.

Ideally, you will collect multiple internal and external sources of intelligence composed of a multitude of data sets to get a complete picture of potential and actual threats:

  • Firewall logs
  • Router logs
  • Network packet capture tools
  • Vulnerability scans
  • Vulnerability databases
  • Threat data feeds
  • Traditional media outlets
  • Social media posts
  • Cybersecurity forums and blogs
  • Dark web forums

Using as many, if not all, of these resources is key. The absence of any one source can slow down investigations and cause gaps in remediation. Using them incorrectly, as we’ve discussed in the past, can also turn lead to additional challenges.

Processing: Turning Data Into Useful Information

Processing transforms the collected data into a format usable by both the security team and other teams throughout the organization. Almost all raw data collected needs to be processed in some manner, whether by humans or machines. Different collection methods often require different means of processing. Different data structures can force common mappings to be applied across multiple data sets as well. Human reports may also need to be correlated and ranked, de-conflicted, and then checked.

An example might be extracting IP addresses from a security vendor report and adding the addresses to an Excel file for importing to a security information and event management (SIEM) solution. Processing might also involve extracting indicators from an email, enriching them with other relevant information, and then communicating with endpoint protection tools for automated blocking of attacks.

Analysis: Turning Information Into Actionable Intelligence

Analysis by humans turns processed information into intelligence that can inform decisions; the goal is to make the decisions as fast and as accurately as possible. Depending on the circumstances, the decisions might involve whether to investigate a potential threat, what actions to take to block an attack, how to strengthen security controls, where to implement new controls, or whether or not investments in additional security resources are justified.

The analysts must have a clear understanding of who is going to be using their intelligence and what decisions those people make; what matters to them is what matters to the business. The form in which the information is presented is especially important. It is useless to collect and process information and then deliver it in a form that can’t be understood and used by both the operational teams and the business decision-makers.

Some intelligence may need to be delivered in a variety of formats for different audiences, such as a live video feed for immediate action in a sprint or in a slide deck presentation for monthly or weekly planning session. But not all intelligence needs to be digested via a formal report. Successful threat intelligence teams can also provide continual technical reporting to other security teams with external context around IoCs (indicators of compromise), malware, threat actors, vulnerabilities, and threat trends.

The Ability to Defend Your Digital Assets

By building a threat intelligence framework, your security team will become more proficient at uncovering and investigating new threats and techniques. They can also better identify new attack patterns, external adversaries, indicators of compromise, and other malicious behavior that could otherwise go undetected.

And with a threat intelligence program integrated as part of your company’s larger information security management program, the security team will gain access to more information about threats more quickly. This will give them the ability to proactively and assertively defend your digital assets — so the business can continue to operate as designed and desired.

To learn more about how Recorded Future can help you proactively defend against cyber threats, request a personalized demo today.