Operational Intelligence Gets Smart: Why Strategy Needs to Be at the Core of Your Threat Intelligence Program
By Greg Barrette on December 1, 2015
A world-class threat intelligence program is driven by an overarching strategic business plan that incorporates calculated analysis of threats to the business.
Working with the operational data provided by external threat sources or proprietary efforts, threat analysts, “identify current and future information security threats to the business’s strategic assets. They achieve general attribution to answer the ‘who, how, and why’ for any given attack; they dissect attack tools, techniques, and procedures (TTPs); they evaluate attacker TTP relevance and impact in the business context; and they identify opportunities to make high level security architecture changes that will make a large impact on adversary’s ability to successfully leverage specific TTPs,” writes Recorded Future’s Levi Gundert in his white paper, “Aim Small, Miss Small: Producing a World-Class Threat Intelligence Capability.”
There’s no substitute for a skilled and talented analyst. When developing threat intelligence programs, many enterprises overlook the importance of the human element, instead choosing to focus on the automated sorting and processing of data. No doubt automation is an integral piece of threat intelligence and is far superior to manual data collection, processing, and correlation.
To really understand the threat landscape, however, only a threat analyst can truly make the connections:
- Why is certain data recurring?
- What does that data indicate?
- How might it impact the enterprise?
- When might any adverse effects occur?
- Who, potentially, is perpetrating the attacks?
Hitting Your Target
Strategic analysis involves sorting through many layers of information – from general threats that may affect all industries, narrowed down to the most important assets a business needs to protect: its strategic business assets (which, of course, will be unique to every enterprise and pre-determined jointly with business leaders) – to get to those answers above. “Since IOCs are automatically processed in the operational workflow,” writes Gundert, “analysts are able to focus on building external relationships, [examining information from] proprietary information sources, adversary attribution, trend identification, employee and customer education, internal hunting, attacker TTPs, and corresponding defensive architecture recommendations.”
As Gundert explained during a recent webinar, the threat analyst relies on accurate and actionable data to effectively provide the “who, how, and why.” S/he can be even more accurate in his or her assessments with the supplementation of data from external resources, when others in the organization are security-aware, if the proprietary information sources provide deeper insights to which business assets might be threatened, etc.
To learn more of Gundert’s detailed recommendations on how to create your own strategic threat intelligence process, download his new white paper today.
If you have more questions still, contact us to learn how Recorded Future supports your strategic threat intelligence goals.