5 Practical Steps for Leveling Up Your Threat Intelligence
By Monica Todros on June 20, 2018
Editor’s Note: The following blog post is a summary of a webinar we hosted with Allan Liska, senior security architect at Recorded Future.
- When you’re building out a threat intelligence capability for your organization, it’s important to understand how it’s going to fit into the threat intelligence lifecycle.
- Data feeds alone tend not to be very actionable, whereas good threat intelligence is actionable and always being updated.
- Having the ability to synthesize and analyze disparate data sources in a normalized fashion can empower you to build a finished intelligence product.
These days, it seems like everybody is talking about threat intelligence — whether it’s already built into an organization’s program, being utilized as a separate product, or simply being considered as a solution, most security professionals see value in the potential benefits that threat intelligence can provide.
But with so many different methods of implementation, there are few organizations that have a firm grasp of how they can successfully “level up” their threat intelligence capabilities. By better managing the threat intelligence already available to them, organizations can achieve more effective utilization, says Allan Liska, who spoke on the topic during a recent webinar.
Liska is a senior security architect at Recorded Future with over 15 years of experience in information security, and he’s also the author of “Ransomware: Defending Against Digital Extortion.” During the webinar, Liska covered five practical tips that every security professional can go by to take their threat intelligence to the next level.
1. The Threat Intelligence Lifecycle
When first evaluating the use of threat intelligence in your own organization, Liska says to keep in mind that your end goal should always be the mission (and security) of your organization. Threat intelligence isn’t something that’s done with the push of a button: the threat intelligence lifecycle is an ongoing process made up of six stages.
The six stages of the lifecycle are:
- Defining intelligence requirements
- Collecting data
- Processing data
- Analyzing data to build a finished intelligence product
- Distributing finished intelligence
- Getting feedback on the finished product
In the interest of keeping the mission of your organization in mind, defining your intelligence requirements should be the first step in building out a threat intelligence capability. Doing that well, Liska says, means first understanding which assets matter most and what information you need in order to protect them. The goal of using threat intelligence is to better secure the assets that are most valuable to your organization, whether that’s your customer data or your proprietary technology.
Once your requirements are locked down, it’s necessary to collect the data needed to meet them. This may mean bringing in logs from multiple sources in your organization, as well as getting reports from vendors, government agencies, or other organizations in your vertical.
After collection, processing the data by normalizing it into a common format and correlating it across sources gives you a single synthesized view of all your different inputs and enables you to build finished intelligence.
2. Data Feeds Versus Threat Intelligence
For those organizations that are just getting started with threat intelligence, many begin with data feeds because they’re simple and readily available. While data feeds can be expanded with information from other sources, they are not finished intelligence, Liska explains. Data feeds don’t provide context — they can be static, slow to update, and prone to false positives. With the amount of bad data and false positives analysts already have to sift through, data feeds can actually create more work for security teams.
Data feeds tend not to be very actionable, either. The picture of the internet changes rapidly: new vulnerabilities are constantly being identified, new exploits published, bad IP addresses discovered, and so on. This constantly changing picture needs to be reflected in your threat intelligence, Liska says, by always bringing in new and updated information.
As far as false positives go, nobody is ever going to get rid of them all — that’s the nature of cybersecurity, Liska says. But with good threat intelligence comes relevant context, significantly reducing the number of false positives and allowing your organization to decide what’s relevant and what’s not.
3. Centralizing, Customizing, and Collaborating
There are many sources of threat intelligence — both internal and external — ranging from log data, to DNS records, to proxy data, as well as third-party sources. The challenge for organizations is that all of these sources live in different places.
All of the data that you consider necessary to build threat intelligence should be centralized in a single place, Liska explains. The more data that is centralized, the more efficient your team will be with not only producing finished intelligence, but also understanding what the real threats to your organization are, finding those threats faster, and stopping them.
Just as important as centralization is the customization of threat intelligence. Despite every organization having unique needs and priorities, most threat intelligence today is delivered in a “one-size-fits-all” format. Because organizations require specific threat intelligence to be successful, customization that extends not only to the type of threat intelligence that’s delivered, but also to where that threat intelligence is stored, is critical.
Whatever the final product looks like and wherever it’s kept, it’s likely that multiple teams within your organization with different needs will want to use it.
Collaboration is an important part of the threat intelligence cycle, but there’s the continuous challenge of figuring out how both your raw data and the finished intelligence are going to be shared between teams and, most importantly, with your customers. It’s critical to make the threat intelligence you are delivering to your customers simple to understand, and to make it easy for them to provide feedback in a way they are used to.
4. Integration
When it comes to integration, delivering threat intelligence into the platforms your teams already work in is extremely effective, Liska explains. It’s helpful to work with a threat intelligence provider that is willing to integrate with other platforms, ensuring your threat intelligence is where you need it and where it’s going to be useful for your team.
Some security teams integrate threat intelligence into multiple systems inside their organization; they may want a subset of their threat intelligence delivered into their incident response tool, SIEM, or endpoint platform. Integration is no longer just a matter of dumping threat intelligence into a single place, Liska says. Ideally, threat intelligence should be added into different parts of the organization to improve the overall security of your organization.
By feeding third-party intelligence into platforms of your choosing and then performing analysis across multiple sources, you can significantly cut down on false positives with the finished intelligence that is produced. The intelligence that’s delivered should be a reflection of the best of all of the collected sources, delivered in a single stream, and pushed out to wherever it needs to go from there.
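The processing step of the lifecycle (normalize, then correlate) and the integration point above (analysis across multiple sources to cut false positives) are the same mechanics in code. The example below is added here and is not from the webinar or from Recorded Future’s product; it takes two constructed feeds in different formats, normalizes them into one indicator record, merges records that refer to the same indicator, scores each with a toy recency-and-corroboration rule, and matches the result against constructed proxy log lines. The feed layouts, field names, weights and log format are all assumptions.

```python
"""Normalize two differently formatted feeds, correlate them, and match
the merged result against proxy logs. All feed and log data is constructed."""
import csv
import io
import json
from dataclasses import dataclass, field
from datetime import date

TODAY = date(2018, 6, 20)  # fixed "now" so the example is deterministic

# Constructed feed A: a plain CSV blocklist (value,type,last_seen,confidence)
FEED_A_CSV = """value,type,last_seen,confidence
198.51.100.23,ip,2018-06-18,80
203.0.113.9,ip,2016-01-05,60
evil-update.example,domain,2018-06-19,90
"""

# Constructed feed B: a JSON feed using different field names and type labels
FEED_B_JSON = json.dumps({"indicators": [
    {"indicator": "198.51.100.23", "kind": "ipv4", "seen": "2018-06-19", "score": 70, "tags": ["c2"]},
    {"indicator": "EVIL-UPDATE.example", "kind": "fqdn", "seen": "2018-06-10", "score": 50, "tags": ["phishing"]},
    {"indicator": "192.0.2.77", "kind": "ipv4", "seen": "2018-06-01", "score": 40, "tags": []},
]})

TYPE_MAP = {"ip": "ip", "ipv4": "ip", "domain": "domain", "fqdn": "domain"}


@dataclass
class Indicator:
    value: str
    itype: str
    sources: set = field(default_factory=set)
    last_seen: date = date.min
    confidence: int = 0
    tags: set = field(default_factory=set)


def normalize_a(text):
    """Feed A -> common record (values lower-cased, types mapped)."""
    for row in csv.DictReader(io.StringIO(text)):
        yield Indicator(row["value"].lower(), TYPE_MAP[row["type"]], {"feed_a"},
                        date.fromisoformat(row["last_seen"]), int(row["confidence"]))


def normalize_b(text):
    """Feed B -> the same common record."""
    for item in json.loads(text)["indicators"]:
        yield Indicator(item["indicator"].lower(), TYPE_MAP[item["kind"]], {"feed_b"},
                        date.fromisoformat(item["seen"]), int(item["score"]), set(item["tags"]))


def correlate(*streams):
    """Merge records for the same (type, value) seen in more than one feed."""
    merged = {}
    for ind in (i for s in streams for i in s):
        key = (ind.itype, ind.value)
        if key not in merged:
            merged[key] = ind
            continue
        m = merged[key]
        m.sources |= ind.sources
        m.last_seen = max(m.last_seen, ind.last_seen)
        m.confidence = max(m.confidence, ind.confidence)
        m.tags |= ind.tags
    return merged


def risk(ind, today=TODAY):
    """Toy score (assumption): feed confidence, boosted by corroboration from
    extra sources and cut sharply for stale indicators."""
    age_days = (today - ind.last_seen).days
    score = ind.confidence + 10 * (len(ind.sources) - 1)
    if age_days > 365:
        score //= 4  # two-year-old entries are mostly noise
    elif age_days > 30:
        score //= 2
    return min(score, 100)


# Constructed proxy log lines: timestamp, client, destination host
PROXY_LOG = """2018-06-20T10:01:02Z 10.0.0.5 198.51.100.23
2018-06-20T10:01:05Z 10.0.0.5 Evil-Update.example
2018-06-20T10:02:11Z 10.0.0.9 203.0.113.9
2018-06-20T10:03:40Z 10.0.0.9 www.example.org
"""


def match_logs(log_text, merged, threshold=50):
    """Return (client, destination, score, sources) for hits at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        _, client, dest = line.split()
        dest = dest.lower()
        itype = "ip" if dest.replace(".", "").isdigit() else "domain"
        ind = merged.get((itype, dest))
        if ind and risk(ind) >= threshold:
            hits.append((client, dest, risk(ind), sorted(ind.sources)))
    return hits


def run():
    merged = correlate(normalize_a(FEED_A_CSV), normalize_b(FEED_B_JSON))
    return match_logs(PROXY_LOG, merged)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

Two of the three feed hits in the log survive: the indicators corroborated by both feeds score 90 and 100, while 203.0.113.9, present in one feed and last seen in 2016, drops to 15 and is suppressed. That is the false-positive reduction the section describes, and the threshold is where a team tunes how much of the feed noise it is willing to see.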
5. Vulnerability Intelligence
When we think of threat intelligence, we often think of indicators like IP addresses, domains, file hashes, and so on. But vulnerability intelligence can be just as important for protecting an organization, and it’s an area that’s often overlooked, Liska says. Identifying and patching vulnerabilities is a key component of any cybersecurity function, and identifying the ones that matter most to your business is vital to the success of your threat intelligence strategy.
Vulnerability management teams may have hundreds of open vulnerabilities at any given time, but they don’t always control the systems that need to be patched, and they are often working within a limited amount of time. They need to know how to prioritize those vulnerabilities, and that’s where threat intelligence comes in.
Liska’s example from Recorded Future was an Intelligence Card for a specific CVE (shown in the webinar). The vulnerability, CVE-2015-8651, carried a risk score of 89 out of 100 because it triggered seven risk rules, including a historical link to an exploit kit. Once a vulnerability is added to an exploit kit it becomes commoditized: anybody who rents the kit can potentially exploit it, so the risk score is raised, and patching it becomes much more urgent than patching a comparable vulnerability with no known exploitation.
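To make the prioritization argument concrete, here is an added example (not Recorded Future’s scoring, whose rules and weights are not described on this page) of ranking a patch backlog by threat context instead of by CVSS alone. The risk rules, their weights, the vulnerability entries and the asset counts are all constructed for illustration; real input would carry CVE identifiers in place of the placeholder names.

```python
"""Rank vulnerabilities by triggered risk rules rather than CVSS alone.
Rules, weights and the backlog are constructed for this example."""
from dataclasses import dataclass

# Hypothetical risk rules (name -> weight). Rules that indicate commoditized
# exploitation, such as inclusion in an exploit kit, carry the most weight.
RISK_RULES = {
    "linked_to_exploit_kit": 45,
    "exploit_code_public": 25,
    "linked_to_malware": 20,
    "recent_dark_web_chatter": 15,
    "historical_exploit_kit": 15,
    "vendor_advisory": 10,
    "proof_of_concept_only": 5,
}


@dataclass
class Vuln:
    vid: str        # placeholder; a real record would hold the CVE ID
    cvss: float     # base severity as published
    rules: set      # risk rules the intelligence source triggered
    assets: int     # constructed count of exposed hosts in the environment


def risk_score(rules):
    """Sum the weights of the triggered rules, capped at 100.
    Unknown rule names are rejected rather than silently scored as zero."""
    unknown = set(rules) - RISK_RULES.keys()
    if unknown:
        raise ValueError(f"unknown risk rules: {sorted(unknown)}")
    return min(100, sum(RISK_RULES[r] for r in rules))


def prioritize(vulns):
    """Order by threat-context score first, then CVSS, then exposure."""
    return sorted(vulns, key=lambda v: (risk_score(v.rules), v.cvss, v.assets), reverse=True)


def by_cvss(vulns):
    """The naive ordering, for comparison."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


# Constructed backlog: a critical-CVSS bug with no exploitation, a high-CVSS bug
# already in an exploit kit, a medium bug with public exploit code, and a
# high-CVSS bug only historically linked to a kit.
BACKLOG = [
    Vuln("VULN-A", 9.8, {"vendor_advisory", "proof_of_concept_only"}, 12),
    Vuln("VULN-B", 7.5, {"linked_to_exploit_kit", "exploit_code_public", "linked_to_malware"}, 40),
    Vuln("VULN-C", 6.1, {"exploit_code_public", "recent_dark_web_chatter"}, 3),
    Vuln("VULN-D", 7.5, {"historical_exploit_kit"}, 40),
]


def ranking(vulns=BACKLOG):
    """Return [(id, risk_score, cvss)] in patch order."""
    return [(v.vid, risk_score(v.rules), v.cvss) for v in prioritize(vulns)]


if __name__ == "__main__":
    print("by CVSS:  ", [v.vid for v in by_cvss(BACKLOG)])
    print("by risk:  ", ranking())
```

Sorting by CVSS alone puts VULN-A, with no known exploitation, at the top; the rule-weighted ranking moves the exploit-kit vulnerability VULN-B to first place with a score of 90 and pushes VULN-A down to 15, which is the "patch what is actually being exploited" outcome the section argues for. Exposure (asset count) only breaks ties, so the ordering stays driven by threat context.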
For more details on the key threat intelligence use cases discussed here and how they can enable your organization to use threat intelligence more efficiently, download your free copy of Gartner’s “Market Guide for Security Threat Intelligence Products and Services” or watch a recording of the webinar on the same topic.