May 24, 2019 • The Recorded Future Team
This is the second blog in a three-part series in which Recorded Future examines how security teams manage their security incident response process. In the first blog, we highlighted the challenges that security teams face when trying to mitigate security incidents and how constraints force many teams into taking a reactive approach. In this second blog, we’ll discuss how threat intelligence minimizes incident response reactivity. We also outline the key attributes that a threat intelligence solution should possess in order to help incident response teams take a more proactive approach to mitigating vulnerabilities and defending against cyber threats.
As discussed in our first blog, incident response is, by nature, reactive. Security teams respond when they become aware of internal vulnerabilities and external threats that put corporate information and digital assets at risk.
To alleviate the situation, the team(s) responsible for incident response must become aware of vulnerabilities, threats, and active attacks as early as possible. Only then can they minimize the amount of time spent in reactive mode.
This requires tapping into an advanced threat intelligence solution that shortens the time needed to accurately identify and assess vulnerabilities, threats, and attacks, while also helping teams prioritize which threats to remediate or mitigate first. In turn, the incident response team can avoid wasting time on low-level incidents and make sure they focus on high-level situations that represent the greatest risk to the business.
Threat intelligence minimizes the time that security teams spend in reactive mode by enabling several important capabilities:
With these capabilities, threat intelligence provides incident response teams with actionable insights to make faster and better decisions that matter. At the same time, threat intelligence helps reduce the tide of irrelevant and unreliable alerts that typically make incident response so difficult and overwhelming.
If your company needs to deploy an advanced threat intelligence solution that delivers on the capabilities discussed above, look for one with the following attributes.
The solution must capture threat intelligence from the widest possible range of locations across open sources, technical feeds, and the dark web. Otherwise, your incident response team will be forced to continue to conduct manual research to make sure they do not miss anything important.
The solution should also quickly identify and purge false positives generated by security-event detection, management, and response solutions such as security information and event management (SIEM) and endpoint detection and response (EDR). This includes identifying alerts that are relevant but inaccurate, as well as alerts that are accurate but not relevant. Both types can waste an enormous amount of time for your incident response team, potentially distracting and delaying them from responding to events and incidents that are actively impacting the business.
Among the alerts identified as relevant and accurate, some will be urgent, while others will not warrant a high priority. Context provides critical clues about which vulnerabilities could be the most damaging to the business if exploited, and which have been weaponized as real threats that are active in the wild and that will most likely have a major impact on your specific IT environment. For sufficient context, alert information must include corroboration from multiple sources that the same type of alert has been associated with recent attacks, and confirmation as to whether threats have been associated with the activities of cybercriminals.
The ability for a threat intelligence solution to actually provide intelligence that is comprehensive, relevant, and contextualized to your needs depends heavily on the solution’s integration capabilities. Connecting threat intelligence with a range of security tools — such as your SIEM or EDR — will enable your incident response team to quickly determine if alerts should be dismissed as false positives. They can also assign a score and other related data points to each alert based on its importance and context.
Automated integration also eliminates the need to manually map and compare each alert to information in other security tools, and it filters out many false positives without any intervention by the incident response team. The amount of time saved is paramount. However, the amount of frustration this saves could perhaps be the greatest benefit of an integrated threat intelligence solution, as it helps to keep the team fresh and ready to respond when a critical incident appears. Your incident response team will be eternally grateful!
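The triage logic described in the preceding paragraphs, as an added example that is not code from Recorded Future or from the original post: each SIEM/EDR alert is first checked for the two false-positive cases (relevant rule but verified-benign indicator; accurate indicator but a threat that does not apply to the affected asset), and the remaining alerts are scored from multi-source corroboration, recency of sightings in the wild, and association with cybercriminal activity. Every indicator, feed name, asset and weight below is constructed for the example; the record fields are an assumed schema, not a vendor's.

```python
"""Alert triage using constructed threat-intelligence context.

Every indicator, feed name and asset below is made up for this example; the
scoring weights are assumptions, not a vendor's scoring model.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2019, 5, 24)  # constructed "now" so recency checks are deterministic

# Constructed intelligence records keyed by indicator value (documentation IP ranges).
INTEL = {
    "198.51.100.23": {
        "sources": {"feed-a", "feed-b", "underground-forum"},
        "last_seen": TODAY - timedelta(days=3),
        "criminal": True,                    # tied to cybercriminal activity
        "platforms": {"windows", "linux"},   # environments the threat affects
    },
    "203.0.113.9": {
        "sources": {"feed-a"},               # single source
        "last_seen": TODAY - timedelta(days=400),  # stale
        "criminal": False,
        "platforms": {"windows"},
    },
    "192.0.2.77": {
        "sources": {"feed-b", "feed-c"},
        "last_seen": TODAY - timedelta(days=10),
        "criminal": True,
        "platforms": {"windows"},            # Windows-only malware infrastructure
    },
}

# Indicators a detection rule keeps matching that are verified benign
# (the rule is relevant, but the alert is inaccurate). Constructed.
KNOWN_BENIGN = {"198.51.100.200"}

# Internal asset inventory: platform per host. Constructed.
ASSETS = {"win-fs01": "windows", "lnx-web02": "linux"}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    tool: str        # e.g. "siem" or "edr"
    indicator: str   # IP/domain/hash the detection matched
    asset: str       # host the activity was observed on


@dataclass(frozen=True)
class Triage:
    alert_id: str
    verdict: str     # "dismiss", "low", "investigate", "urgent"
    score: int
    reasons: tuple


def score_context(rec: dict) -> tuple:
    """Score an intel record 0-100 from corroboration, recency and attribution.

    Assumed weights: 20 per corroborating source (capped at 3 sources),
    +20 if seen in the last 30 days, +20 if linked to criminal activity.
    """
    reasons = [f"corroborated by {len(rec['sources'])} source(s)"]
    score = 20 * min(len(rec["sources"]), 3)
    if (TODAY - rec["last_seen"]).days <= 30:
        score += 20
        reasons.append("active in the wild within 30 days")
    else:
        reasons.append("no recent sightings")
    if rec["criminal"]:
        score += 20
        reasons.append("associated with cybercriminal activity")
    return score, reasons


def triage(alert: Alert) -> Triage:
    """Classify one alert as inaccurate, not relevant, or scored by context."""
    if alert.indicator in KNOWN_BENIGN:
        return Triage(alert.alert_id, "dismiss", 0,
                      ("relevant rule, but indicator is verified benign",))
    platform = ASSETS.get(alert.asset)
    if platform is None:
        return Triage(alert.alert_id, "dismiss", 0,
                      ("asset not in inventory; not relevant to this environment",))
    rec = INTEL.get(alert.indicator)
    if rec is None:
        # No intelligence either way: keep it visible, but low, for manual research.
        return Triage(alert.alert_id, "low", 10, ("no intelligence on indicator",))
    if platform not in rec["platforms"]:
        return Triage(alert.alert_id, "dismiss", 0,
                      (f"accurate indicator, but threat targets {sorted(rec['platforms'])}; "
                       f"asset is {platform}",))
    score, reasons = score_context(rec)
    verdict = "urgent" if score >= 70 else "investigate" if score >= 40 else "low"
    return Triage(alert.alert_id, verdict, score, tuple(reasons))


def triage_queue(alerts) -> list:
    """Triage a batch, ordered so the incident response team sees urgent alerts first."""
    return sorted((triage(a) for a in alerts), key=lambda t: t.score, reverse=True)


SAMPLE_ALERTS = [  # constructed alerts as a SIEM/EDR might emit them
    Alert("a1", "siem", "198.51.100.23", "win-fs01"),
    Alert("a2", "edr", "203.0.113.9", "win-fs01"),
    Alert("a3", "siem", "192.0.2.77", "lnx-web02"),
    Alert("a4", "siem", "198.51.100.200", "win-fs01"),
    Alert("a5", "edr", "203.0.113.250", "win-fs01"),
]

if __name__ == "__main__":
    for t in triage_queue(SAMPLE_ALERTS):
        print(f"{t.alert_id}: {t.verdict:11s} score={t.score:3d}  {'; '.join(t.reasons)}")
```

Run as written, the queue puts `a1` (three sources, seen three days ago, criminal attribution) at the top as urgent, leaves the stale single-source `a2` and the unknown `a5` at low priority for manual research, and dismisses `a3` (Windows-only threat observed on a Linux host) and `a4` (verified-benign indicator) without analyst involvement. In a real deployment the `INTEL` lookups would be calls into the integrated threat intelligence platform, and the weights would be tuned to the environment.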
In our next blog, we will examine real-life use cases that demonstrate how threat intelligence reduces incident response reactivity. In the meantime, to see how Recorded Future integrates with the security solutions you already rely on, request a personalized demo today.