June 5, 2019 • The Recorded Future Team
Threat intelligence can be a huge asset for a modern organization, but there are many stumbling blocks along the path of building a threat intelligence program, and many organizations make the same handful of mistakes.
To help you stay on the straight and narrow, here are eight rules you should follow to help you develop and maintain a strong in-house threat intelligence capability.
Deciding what exactly you need from a threat intelligence program is an essential first step. “Finding anything and everything that might be of interest to the organization” is not a plan — but it is a surefire way to get overcome with useless data and alerts.
Threat intelligence is a huge field, and trying to do everything will quickly overwhelm a fledgling team. Even established threat intelligence teams have to understand what they do and don’t have time to progress. Of course, what you need from threat intelligence will vary depending on your industry, geography, and the quirks of your specific organization.
To get you started, a key question to answer is, “What does the organization need in order to stay profitable?” Use this question to help you identify the top priorities for your threat intelligence program, and develop a formal mission for what needs to be achieved.
Threat intelligence is sometimes conceived of as a specialized domain that only elite analysts can make use of, but these days threat intelligence is useful to everyone, no matter what security function they work in or level of experience they have. For example, it can help you:
To get the most out of the threat intelligence you produce and consume, involve stakeholders from all areas of the business. Find out exactly how they could benefit from threat intelligence, what they need, what they want, and what format they’d like to receive it in.
Your threat intelligence program will live and die based on the quality of the people who populate it.
Skilled threat analysts are essential to interpret incoming alerts, deal with stakeholders, and communicate lessons learned. If you don’t have high quality analysts, no amount of spending on technology will save your threat intelligence program.
If you’re about to start down the path of building a threat intelligence program, check out this blog for more information about the types of people you’ll need to employ.
On the other hand, as important as people are, they can’t completely make up for bad technology or processes. In fact, having bad technology and processes in place will quickly drive off any high-quality analysts you manage to recruit.
In case you hadn’t noticed, there’s a lot of work available for skilled security practitioners.
The big lesson here is that simply subscribing to a bunch of threat feeds does not mean you’ll have a strong threat intelligence program. In fact, much of the time, this approach will lead to analysts becoming overwhelmed, dealing with large quantities of threat data that don’t provide the necessary context to take action.
Rather than going down this route, you need a threat intelligence solution that can do two things:
It always seems like knowing more stuff will help you make better decisions. After all, you don’t want to miss anything, right?
Unfortunately, there’s a limit. Human analysts simply can’t deal with the thousands of daily alerts they’re increasingly confronted with across security solutions. If you do take this approach, your threat intelligence program will quickly become little more than a war against false positives.
How do you avoid this? First, you need to vet your sources, because garbage in, garbage out. If a source provides one useful insight for every 20 false positives, it probably isn’t worth your time.
The right threat intelligence solution should be able to automate the back-breaking work of cross-referencing and confirming alerts before they are pushed to human analysts.
In Rule 4, we noted that there’s a difference between threat data and threat intelligence. In fact, there are three levels of input and output to consider: Threat data, information, and intelligence.
Threat data is available in massive quantities — it’s essentially a collection of contextless facts. A list of malware hashes is a common example of threat data.
Threat information is the result of combining a series of data points to answer a simple question. For example, comparing the hash of a specific file to a list of hashes that are known to be malicious may help an analyst answer the question, “Is this file malicious?”
Threat intelligence takes things one stage further by combining and analyzing a collection of threat data and information to produce an output (like a report) that can inform decision-making. For instance, analysis of data and information relating to malware (including hashes and firewall or email filter logs) might be used to determine whether an organization needs to invest more heavily in security technologies.
Not understanding the distinctions above is a primary reason why organizations invest resources in technologies that are not sufficient to enable a powerful threat intelligence function.
As we’ve already alluded, manual processes waste a huge amount of time. Whether it’s switching between windows, adding new rules to security technologies, or manually producing reports, even brief manual processes can end up consuming a lot of analyst time.
To avoid this, choose a threat intelligence solution that integrates with your existing security technologies, and can perform these otherwise labor-intensive tasks automatically.
At the Recorded Future User Network (RFUN) conference back in late 2017, Brian Scavotto, cyber threat intelligence manager at Fannie Mae, gave a presentation on how to build a threat intelligence team. Specifically, Scavatto detailed the importance of communication between a threat intelligence team and their various audiences.
In his words, “I went to the other teams, to our customers, and I asked them: What are we doing that’s stupid? What are we doing that’s valuable? What’s impacting your day-to-day work the most? What can we improve?”
And what did he discover? In many cases, his audiences hated receiving emails from his team. In particular, they hated the format of the emails they were receiving, and complained that the information they were receiving was often either too early or too late. Naturally, Scavatto used this information to radically improve the outputs his team was producing.
Communication is the single most important aspect of any threat intelligence function. You need to know if your audiences aren’t happy with what you’re providing. You need to know if something is a waste of time, or if an output needs to be in a different format. You need to know if an audience needs something new, or no longer needs something you’ve been providing.
You won’t be able to adapt to every request you get. Some of them may not even be reasonable. But you need to know these things so that you can adapt your processes and outputs accordingly, and maximize the value your organization gets from threat intelligence.
To get a taste of what modern technology can do for your threat intelligence program, sign up to receive free Cyber Daily emails. Let Recorded Future do the hard work for you by automatically scouring the entire web to identify new vulnerabilities and emerging threat indicators, including: