Democratizing Threat Intelligence With Our New Handbook
October 11, 2018 • Chris Pace
- Threat intelligence can bring advantages to an array of different security functions.
- There’s a difference between producing intelligence and applying it.
- Recorded Future’s new book, “The Threat Intelligence Handbook,” gives practical steps to applying threat intelligence across all of security.
Just as with any book, during the process of writing “The Threat Intelligence Handbook,” we had to make a decision about who it was going to be for. In thinking about the kind of people who could gain the most from a book introducing threat intelligence, we came to understand that it really was for anyone working in security.
This idea that threat intelligence doesn’t need to be the preserve of specialized analysts and dedicated teams is one that we’ve been hearing from our customers for some time. But there is a quite distinct difference between the analysis and production of threat intelligence and its application for better security.
That’s why we want to democratize the use of threat intelligence. A healthy democracy requires the universal participation of well-educated and passionate citizens; in the same way, security teams of all stripes not only will benefit from, but have something to contribute to, the development and sharing of threat intelligence. Just as poor education and low participation in civil society leads to power becoming agglomerated into the hands of a few, keeping threat intelligence confined to the hands of a cabal of experts means that many people in an organization who would benefit from it are cut off from that key bit of knowledge.
4 Ways Threat Intelligence Can Be Made Consumable
We’re not saying that every security professional has the time or inclination to collect from sources, analyze the information, and produce intelligence. This work is where threat intelligence experts come into their own. We are sure, however, that security teams at large can make the most of available intelligence as they look to make decisions around threats and risks.
What external intelligence gives is context, and that context is what ultimately makes for more confident judgments when dealing with risk, whether you’re a security analyst with deep technical experience or an executive who needs to make broad, impactful decisions about the future of your organization.
The handbook gives advice on the best ways to make that information consumable for these teams that don’t have expertise in the analysis and production of intelligence. We’ll look at a few ways (e.g., alerting, integrations, enrichment, and reporting) that a more complete threat intelligence solution can transform raw and disconnected threat data feeds into timely, contextual intelligence.
Automated and well-tuned alerting to relevant intelligence helps security professionals avoid the “alert fatigue” that’s becoming increasingly common among analysts who have to manually review hundreds, if not thousands, of alerts regularly. Threat intelligence solutions that add context to alerts reduce the number of false positives and rank them by severity, allowing analysts to cut right to the most critical work. Alerting also proves useful for notifying businesses of potential breaches like credential compromise or data for sale on the dark web.
Automation like this is democratic for two reasons: it frees up analysts to focus on work that matters rather than be siloed away in a narrow “alert-react” mindset, and it lowers the level of expertise needed to effectively perform this role, allowing greater numbers to participate in the process.
Many threat intelligence solutions can integrate into security systems you already use. Integrating contextualized intelligence massively increases visibility for the teams that use those solutions. One example of this would be correlating internal logs, data, or alerts with indicators of compromise seen from external sources like threat feeds, technical sources, social media, and so on.
This sort of integration means you don’t have to ditch the systems that you’re already using and learn new ones, and more diverse sources lead to a more complete picture — both contribute to the goal of “well-educated citizens” at your organization.
To make security decisions confidently when responding to an alert or incident, you’ll need to be armed with context. Some threat intelligence solutions have the ability to automatically connect the dots between disparate sources, identifying patterns in things like the tactics, techniques, and procedures (TTPs) of threat actors. Consumable intelligence enables individuals and teams to rapidly enrich indicators from internal alerts with external intelligence, ideally in a single view. It’s a bit like giving people the facts they need to make informed voting decisions in civil society.
All this leads to better reporting, which is really the end result of most cycles of threat intelligence development. Finished intelligence reports are crafted by expert threat intelligence analysts and are designed to be highly relevant to your organization, including the technologies you use, specific industry verticals, or areas of increased risk. The benefit of reports like this is that they allow you to get useful intelligence on demand to see a more complete view of your current threat surface.
The work of producing effective reports requires time and expertise — something that humans are still much better at than machines. But when the analysts on your team are so caught up in the menial work of responding to alerts and trying to gather information themselves, they’re left with less time and energy to write good reports. The right threat intelligence solution should change that.
Threat Intelligence Use Cases
We go into these topics and more in much greater depth in our handbook. For example, we also break out chapter by chapter the roles that have the most to gain from applying threat intelligence, and we look closely at how to focus your efforts and increase participation in each case. These roles include security operations, incident response, vulnerability management, and more. There are also huge advantages that those who lead security and risk teams can see from getting timely and relevant threat intelligence to inform decision making in their security strategies.
Download “The Threat Intelligence Handbook” now and get practical steps on how to democratize your organization’s use of threat intelligence as part of your security strategy.