Reduce Business Risk With an Effective Threat Intelligence Capability
October 25, 2016 • Amanda McKeon
Organizations today need to look beyond traditional data gathering to understand how to formulate a true risk strategy. Threat intelligence is a major component of a holistic risk strategy, as threat intelligence allows organizations to focus time and energy on the most likely threats that could affect the organization and disrupt business efforts.
During a recent webinar, Recorded Future’s Levi Gundert, Vice President of Intelligence and Strategy, was joined by Tom Parker, Chief Technology Officer of FusionX (an Accenture company), to discuss how organizations can utilize and operationalize threat intelligence most effectively, and how to tie threat intelligence to business risk.
Operational Threat Intelligence
Building an effective threat intelligence capability is complex and carries many associated challenges. Those challenges include aggregation of information from different yet reliable sources, ensuring all of the right information is stored in one centralized location, normalization of information, and formatting data so that it is lightweight and valid (not spewing false positives). Importantly, threat intelligence must be consumed in the right context, and provide the organization a clear understanding of associated risk.
Threat intelligence can come from many places, and to set a baseline Parker explained the two different types of data used for threat intelligence:
- Structured threat intelligence is the binary side of data; it may be formatted in JSON or STIX, and includes technical elements like indicators of compromise, indicators of attack, command and control infrastructure, telemetry, IP addresses, signatures associated with a protocol, email addresses, or payment card information.
- Unstructured data may include a description of an adversary or an assessment of the capability that an adversary might have. Unstructured data is generally subjective information that fleshes out and enriches technical data. This is the information executives or the board are often interested in so they can understand the softer aspects of an attack or adversary.
Gathered data are the building blocks of a threat intelligence program, not the end state. To be effective, organizations need to analyze the data with a constant focus on:
- When will I be attacked, or have I already been attacked?
- Who was the target within our organization?
- How was this person targeted?
- How did the adversary breach the organization?
Threat intelligence plays a huge role in this process. It increases the efficacy of network and host-based detection, allows the organization to simulate red team exercises, and affords the organization an opportunity to create better security controls at the operational layer, said Parker.
Separating the Wheat From the Chaff
Most organizations are drowning in data; data isn’t the problem. The problem is separating the wheat from the chaff and identifying information on adversaries, how they behave, timelines and likelihood of attack, and the tools and methods they use in those attacks.
Parker says his company wants a product that “does the heavy lifting” of automated collection, aggregation, analysis, and contextualization. Manually collecting or parsing all of the data held in disparate systems such as the SIEM, IPS/IDS, and firewall logs requires too much analyst time to identify accurate, actionable information.
Additionally, doing so doesn’t provide necessary context for the organization to be able to realistically answer: What’s going to happen? Who’s behind this? How are we going to fix this?
Further, Parker explained that, especially during the hunting process, organizations must be able to view a timeline of events and see what existed previously — maybe even before a potential threat was identified — to see how that threat is progressing.
Is activity building? Is it waning? Are patterns in attack tactics emerging?
Threat analysts can use this information to formulate a risk scenario, quickly inform response teams, and provide the intelligence to the security operations center (SOC), which can then act (or not) and feed its own found data back into the intelligence product.
This entire process helps with threat prioritization and triage, and keeps the organization working toward the same goal of risk mitigation.
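As an added example (not code from the webinar, Recorded Future, or FusionX), the following Python sketch runs the steps described above in miniature: it normalizes a STIX-style JSON bundle and a CSV feed into one store that keeps the best confidence and every source per indicator, matches firewall log lines against indicators that clear a confidence bar, and reports whether activity against an indicator is building or waning over the timeline. The feed layouts, log format, addresses and confidence values are constructed placeholders, not real indicators.

```python
import csv
import json
from collections import Counter
# Constructed sample feeds and logs (placeholder addresses, not real indicators).
STIX_FEED = json.dumps({"objects": [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '198.51.100.23']", "confidence": 80},
    {"type": "indicator", "pattern": "[domain-name:value = 'bad.example']", "confidence": 60}]})
CSV_FEED = "indicator,kind,confidence\n198.51.100.23,ipv4,70\n203.0.113.9,ipv4,40\n"
FW_LOGS = """2016-10-20T09:12:01 ALLOW src=10.0.0.5 dst=198.51.100.23 dport=443
2016-10-21T11:40:13 ALLOW src=10.0.0.7 dst=198.51.100.23 dport=443
2016-10-21T20:15:20 ALLOW src=10.0.0.9 dst=198.51.100.23 dport=443
2016-10-22T10:31:09 ALLOW src=10.0.0.5 dst=203.0.113.9 dport=443"""
KIND_MAP = {"ipv4-addr": "ipv4", "domain-name": "domain"}

def parse_stix(text):
    """Yield (kind, value, confidence) from a minimal STIX-style indicator bundle."""
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") == "indicator":
            left, _, right = obj["pattern"].strip("[]").partition(" = ")
            yield KIND_MAP.get(left.split(":")[0], left), right.strip("'"), obj.get("confidence", 0)

def parse_csv(text):
    """Yield (kind, value, confidence) from a simple CSV feed."""
    for row in csv.DictReader(text.splitlines()):
        yield row["kind"], row["indicator"], int(row["confidence"])

def normalize(feeds):
    """Merge named feeds into one store keyed by (kind, value): max confidence, all sources."""
    store = {}
    for source, records in feeds.items():
        for kind, value, conf in records:
            entry = store.setdefault((kind, value), {"confidence": 0, "sources": set()})
            entry["confidence"] = max(entry["confidence"], conf)
            entry["sources"].add(source)
    return store

def match_logs(store, logs, min_confidence=50):
    """Return (timestamp, src, dst) for log lines whose dst is a confident enough IoC."""
    hits = []
    for line in logs.splitlines():
        ts, _, src, dst = line.split()[:4]
        if store.get(("ipv4", dst[4:]), {}).get("confidence", 0) >= min_confidence:
            hits.append((ts, src[4:], dst[4:]))
    return hits

def trend(hits, value):
    """Compare hits on the latest day with the day before: building, waning or steady."""
    per_day = Counter(ts[:10] for ts, _, dst in hits if dst == value)
    days = sorted(per_day)
    last = per_day[days[-1]] if days else 0
    prev = per_day[days[-2]] if len(days) > 1 else 0
    return "building" if last > prev else "waning" if last < prev else "steady"
```

The low-confidence indicator is deliberately left out of the matches, which is the "lightweight and valid" filtering the section calls for; the hits it does return carry the source list the SOC can feed back into the intelligence product.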
Strategic Threat Intelligence
While a reliable, robust threat intelligence capability is critical to this process, Gundert said that organizations need to build strategic threat intelligence: intelligence that incorporates the knowledge and skill of a talented threat analyst. “The best thing threat intelligence does is to really improve business decisions,” said Gundert, and that is best achieved when automation is combined with human analysis. A threat analyst converts intelligence into a risk analysis that enhances operational security, but the goal isn’t operational changes alone.
While operational changes are important, Gundert advised that the aim of a holistic threat intelligence program is to gain an “understanding beyond the operational significance … and build a risk profile for your organization.” True threat intelligence is about improving business decisions; it’s a process of risk analysis with a goal of decreasing operational risk. “That is the only thing the executive layer and the board cares about. Risk is not threat. Risk is not technology. Enterprise risk management is something that you fundamentally need to do but you can’t do it until you’ve done this process of analysis.”
Recorded Future helps you cut through the noise of data to identify real-time threats to your organization. To learn more, watch the on-demand webinar featuring Gundert and Parker.