How Threat Intelligence Strengthens Incident Response Processes (Part 2)

May 24, 2019 • The Recorded Future Team

This is the second blog in a three-part series in which Recorded Future examines how security teams manage their security incident response process. In the first blog, we highlighted the challenges that security teams face when trying to mitigate security incidents and how constraints force many teams into taking a reactive approach. In this second blog, we’ll discuss how threat intelligence minimizes incident response reactivity. We also outline the key attributes that a threat intelligence solution should possess in order to help incident response teams take a more proactive approach to mitigating vulnerabilities and defending against cyber threats.

Reactive Incident Response Processes

As discussed in our first blog, incident response is, by nature, reactive. Security teams respond when they become aware of internal vulnerabilities and external threats that put corporate information and digital assets at risk.

To alleviate the situation, the team(s) responsible for incident response must become aware of vulnerabilities, threats, and active attacks as early as possible. Only then can they minimize the amount of time spent in reactive mode.

This requires tapping into an advanced threat intelligence solution that accelerates the time to accurately identify and assess vulnerabilities, threats, and attacks, while also helping teams prioritize what threats to focus on remediating or mitigating first. In turn, the incident response team can avoid wasting time on low-level incidents and make sure they focus on high-level situations that represent the greatest risk to the business.

Strengthening Incident Response With Threat Intelligence

Threat intelligence minimizes the time that security teams spend in reactive mode by enabling several important capabilities:

  • Identifying and dismissing false positives or other irrelevant alerts automatically
  • Enriching alerts with real-time context across open web and dark web sources
  • Compiling information from internal and external data sources to identify and analyze genuine threats
  • Scoring threats according to an organization’s specific needs, infrastructure makeup, and in-the-wild details of the attack methods being used

With these capabilities, threat intelligence provides incident response teams with actionable insights to make faster and better decisions that matter. At the same time, threat intelligence helps reduce the tide of irrelevant and unreliable alerts that typically make incident response so difficult and overwhelming.

Key Attributes of Advanced Threat Intelligence

If your company needs to deploy an advanced threat intelligence solution that delivers on the capabilities discussed above, look for one with the following attributes.

Comprehensive

The solution must capture threat intelligence from the widest possible range of locations across open sources, technical feeds, and the dark web. Otherwise, your incident response team will be forced to continue to conduct manual research to make sure they do not miss anything important.

Relevant

The solution should also quickly identify and purge false positives generated by security-event detection, management, and response solutions such as security information and event management (SIEM) and endpoint detection and response (EDR). This includes identifying alerts that are relevant but inaccurate, as well as alerts that are accurate but not relevant. Both types can waste an enormous amount of time for your incident response team, potentially distracting and delaying them from responding to events and incidents that are actively impacting the business.

Contextualized

Among the alerts identified as relevant and accurate, some will be urgent, while others will not warrant a high priority. Context provides critical clues about which vulnerabilities could be the most damaging to the business if exploited, and which have been weaponized as real threats that are active in the wild and that will most likely have a major impact on your specific IT environment. For sufficient context, alert information must include corroboration from multiple sources that the same type of alert has been associated with recent attacks, and confirmation as to whether threats have been associated with the activities of cybercriminals.

Integration Plays a Vital Role

The ability for a threat intelligence solution to actually provide intelligence that is comprehensive, relevant, and contextualized to your needs depends heavily on the solution’s integration capabilities. Connecting threat intelligence with a range of security tools — such as your SIEM or EDR — will enable your incident response team to quickly determine if alerts should be dismissed as false positives. They can also assign a score and other related data points to each alert based on its importance and context.

Automated integration also eliminates the need to manually map and compare each alert to information in other security tools and filters out many false positives without any intervention by the incident response team. The amount of time saved is paramount. However, the amount of frustration this saves could perhaps the greatest benefit of an integrated threat intelligence solution as it helps to keep the team fresh and ready to respond when a critical incident appears. Your incident response team will be eternally grateful!

In our next blog, we will examine real-life use cases that demonstrate how threat intelligence reduces incident response reactivity. In the meantime, to see how Recorded Future integrates with the security solutions you already rely on, request a personalized demo today.