The Struggle to Operationalize Threat Intelligence
February 21, 2018 • The Recorded Future Team
- Having heard of the benefits of incorporating threat intelligence into their security systems, many organizations jump into monitoring threat data feeds and try to make sense of them. But often, security analysts spend too much time on manual processes, causing organizations to struggle with turning cyber threat intelligence into insights.
- Good threat intelligence needs to be timely and contextual. Businesses that begin to use threat intelligence that is neither timely nor contextual find themselves either overwhelmed with streams of data on vague technical indicators, or left with the task of turning “news” into actionable intelligence.
- Threat intelligence solutions should be customizable to help produce threat intelligence that is contextual to the user and comes out quickly enough to take effective action. Customizable solutions should have the ability to filter, query, and add custom notes to threat intelligence feeds, making them more helpful across a broader set of use cases. They should also have the right analytics technology to make sure the intelligence produced is relevant to the needs of your organization.
The data and statistics that make up threat intelligence are often confused for intelligence itself, but they are really only the raw ingredients that must be cooked together to produce a palatable product. And similarly to preparing a good meal, creating quality threat intelligence takes more than just finding the right pieces — it must be delivered at the right time and to the right audience, and it should go down easy.
Good threat intelligence should make decisions about how to act on threats simpler, not more complicated. But because the quality of threat intelligence depends on its timeliness and context, as well as on the specific use cases it informs, what makes threat intelligence truly “good” varies from organization to organization. This means that to some extent, a threat intelligence solution needs to be customizable to be effective.
Time and Context
Threat intelligence is only good when it’s relevant, and it’s only relevant when it comes at the right time and provides proper context. A security alert notifying you that your network has been compromised is only actionable if it is timely — if the alert arrives a few days after the breach rather than while it’s taking place, the damage is already done. On the other hand, a security alert notifying you that a new type of malware has been identified may be relevant to you, or it may have nothing to do with the programs and systems your organization uses, meaning evaluating that alert was a waste of time for your analyst.
Because organizations not using threat intelligence must depend on their other security solutions to defend them against attacks that they are otherwise blind to, the first step that many groups take toward a threat intelligence solution is beginning to monitor feeds of threat data that can provide the element of timeliness. With access to threat data, organizations may be able to make quicker decisions about evaluating a suspicious IP address or domain, for example. But organizations that do so without the data being processed and analyzed in some way will find that they have no context and no way of discerning whether the data they’re looking at is a false positive, old, inaccurate, or irrelevant to their concerns.
Further, as organizations incorporate a growing number of data sources without sufficiently automating their analysis, they risk “alert fatigue.” Security teams in this position spend so much time on the manual labor of sorting out the good data from the bad that they more frequently make mistakes, or even, ironically enough, go back to making decisions without relying on data at all, because it is faster and easier to do so.
In terms of providing truly useful threat intelligence — analysis that is both timely enough to act upon and contextual to your organization — the answer is a threat intelligence solution that includes customization options. Threats come in all shapes and sizes, and the criteria that makes threat intelligence useful will vary not only from organization to organization, but also between the different groups within a security operations center of a single business. Security operations, threat hunters, and compliance professionals all use threat intelligence in completely different ways.
In a recent research paper, ESG recommended that customizable threat intelligence solutions should be able to create specific dashboards or enhance threat intelligence feeds with custom notes, whitelists and blacklists, risk scores, and so on. This ability to filter, query, and add notes to threat intelligence makes it easier to adapt it to the specific use cases that different parts of your organization have.
In the data collection stage, a customizable solution should easily incorporate and filter different feeds. That includes data from both open sources, like blogs, social media, news stories, and publicly available reports; and closed sources, like forums on the dark web. It’s relatively easy for threat intelligence solutions to organize binary data feeds to make them more consumable for analysts, for example, by arranging the data into a spreadsheet that includes context, like how recently an indicator of compromise appeared, or how many sources it was identified in. However the data comes, a threat intelligence solution should automatically sort and filter it, saving security analysts from doing the heavy lifting. But simple aggregation like that is of only limited usefulness.
Threat data should be processed into usable information with the right analytics technology. Such technology might include natural language processing, which more intelligently identifies patterns rather than blindly throwing out alerts every time a crawler stumbles over a flagged keyword, saving analysts the pain of dealing with false positives. Analytics technology should also be able to compare new data against a dataset unique to your organization so that it can better identify the specific vulnerabilities in your system.
One way that smart customization options can better help sort and filter data is by combining them with different narrative types to get a more complete picture. For example, a piece of binary data like an IP address taken from a threat feed might be combined with more information about a rogue domain, a recent sighting of that IP by a honeypot, and a tweet that suggests an attack might have come from it. A solution that is able to see the link between these disparate threads will provide far more context, allowing users to make more informed decisions.
This kind of investigation can be time-consuming for a human analyst to perform, so a customizable solution with advanced analytics technology that works fast enough for relevant alerts to come in real time can be a significant aid for analysts. Merging external cyber threat intelligence with your internal security telemetry will help you take remedial action more quickly and accelerate your investigations into potential or future threats.
To learn more about operationalizing threat intelligence, download your copy of ESG’s “Operationalizing Threat Intelligence With a Complete Solution.”