December 20, 2018 • Zane Pokorny
Editor’s Note: Over the last few months, we’ve been sharing excerpts from our new book, “The Threat Intelligence Handbook.” Here, we’re looking at the ninth chapter, “Your Threat Intelligence Journey.” To read the full chapter, download your free copy of the handbook.
One of the themes we’ve focused on throughout our book is how versatile threat intelligence can be. Threat intelligence can be as simple and immediate as some quick context around an indicator of compromise on your network, or as broad as a report meant to influence policy at an organizational level. Many of the chapters of this book are spent looking at the various ways different security teams can apply threat intelligence — how it helps incident response teams find threats faster, vulnerability management teams prioritize risks, and security leadership make planning and investment decisions, to name a few.
What this suggests is that anyone starting on a journey toward incorporating threat intelligence into their security program needs to have their final destination in mind before they take their first step. What teams in your organization will benefit the most? What are the types of threat intelligence your organization should focus on producing? And what threat intelligence solutions will best fulfill these needs?
This can feel like a daunting task with so many variables to consider. When assessing the qualities of different solutions, it’s best not to think of them as a vehicle for delivering these results, but as a road toward your goals. The purpose of a road is to mark a clear path between two places. There are certain universal qualities that make for a good road: they should make it safer and easier to get from one place to another by providing context in the form of signage and road markings, and they should reduce friction to let you travel more efficiently, for example. Bad roads are convoluted or poorly maintained. They slow you down or mislead you, or they’re unsafe to travel on. But no matter what, roads accommodate travelers of all speeds and destinations.
There are some basic, universal qualities to look for in a good threat intelligence solution, too — “rules of the road,” as it were. In this chapter from our new book, “The Threat Intelligence Handbook,” we’ll explore what to look for.
In the first chapter, we discussed several common misconceptions about threat intelligence, including that it is mostly about threat data feeds. In fact, many organizations begin their threat intelligence programs by signing up for threat data feeds and connecting them with a SIEM solution.
This may seem like a good way to start because many threat data feeds are open source (and free), and the technical indicators they deliver appear useful and easy to interpret. Since all malware is bad, and every suspicious URL could be used by an attacker, the more clues you have about them the better, right?
Well, in reality, the vast majority of malware samples and suspicious URLs are not related to current threats to your enterprise. That’s why feeding large volumes of unfiltered threat data to your SIEM will almost certainly create the kind of alert fatigue we examined in Chapter 3.
Because threat intelligence provides value to so many teams in cybersecurity, it is important to develop priorities that reflect the overall needs and goals of the enterprise.
Rather than assuming that any one team, data source, or threat intelligence technology should have priority, you should develop a clear set of goals by determining the needs of each security group in your organization and the advantages that threat intelligence can bring to them.
Begin by considering these questions:
Answering these questions will help you clarify where threat intelligence can deliver the biggest gains in the shortest time. It will also guide your investigation of which threat intelligence sources, tools, and vendors can best support you and what staff you need to strengthen your program.
Teams across your security organization can benefit from intelligence that drives informed decision making and offers unique perspectives. Intelligence that is comprehensive, relevant, and easy to consume has the potential to revolutionize how different roles in your organization operate day to day. The image below shows examples of how teams inside organizations can use threat intelligence.
When determining how to move your threat intelligence strategy forward, it’s important to identify all the potential users in your organization and align the intelligence to their unique use cases.
We have observed several factors that frequently contribute to effective threat intelligence programs.
Monitoring threat information can provide quick benefits with relatively modest investments. The key is to look for a few types of data that are particularly meaningful for your business and information security strategy and will help you anticipate emerging threats or provide early warning of actual attacks. Your activities might include things like:
There are probably a few data types that are vitally important to your business and that you can monitor without investing in new infrastructure or staff. Monitoring them can generate quick wins, demonstrate the advantages of threat intelligence, and build enthusiasm for the program.
Effective threat intelligence programs typically focus on automation from the beginning. They start by automating fundamental tasks like data aggregation, comparison, labeling, and contextualization. When these tasks are performed by machines, humans are freed up to work on making effective, informed decisions.
As your threat intelligence program becomes more sophisticated, you may find even more opportunities for automation. You will be able to automate information sharing among a larger group of security solutions and automate more workflows that provide intelligence to incident analysis and response and fraud prevention teams. You will be able to offload more of the “thinking” to your threat intelligence solutions, for example, by having the software automatically correlate threat data and produce risk scores.
Integrating threat intelligence tools with existing systems is an effective way to make the intelligence accessible and usable without overwhelming teams with new technologies.
Part of integration is giving threat intelligence tools visibility into the security events and activities captured by your other security and network tools. Combining and correlating internal and external data points can produce genuine intelligence that is both relevant to your business and placed in the context of the wider threat landscape.
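As an added example (not from the handbook or the vendor's own tooling), the following Python sketch puts the automation described earlier (aggregation, labeling, contextualization, risk scoring) together with the internal/external correlation this passage calls for: it merges indicators from two feeds, contextualizes each match with the internal event it appears in, and scores the result, so the unfiltered feed-to-SIEM approach the chapter warns against can be compared with a scored one. The feed entries, events, and scoring weights are constructed for illustration and are assumptions, not data from the page.

```python
# Constructed sample feeds; the IPs are documentation ranges, not real indicators.
FEEDS = {
    "feed_a": [{"ioc": "203.0.113.7", "label": "c2", "confidence": 90, "last_seen_days": 2},
               {"ioc": "198.51.100.23", "label": "scanner", "confidence": 40, "last_seen_days": 300}],
    "feed_b": [{"ioc": "203.0.113.7", "label": "c2", "confidence": 70, "last_seen_days": 5},
               {"ioc": "192.0.2.99", "label": "spam", "confidence": 30, "last_seen_days": 400}],
}
# Constructed internal network events, shaped like what a SIEM might hold.
EVENTS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "direction": "outbound", "asset_critical": True},
    {"src": "198.51.100.23", "dst": "10.0.0.8", "direction": "inbound", "asset_critical": False},
    {"src": "192.0.2.99", "dst": "10.0.0.9", "direction": "inbound", "asset_critical": False},
    {"src": "10.0.0.6", "dst": "203.0.113.7", "direction": "outbound", "asset_critical": False},
]

def aggregate(feeds):
    """Aggregation and labeling: merge duplicate indicators across feeds, keeping every label and source."""
    merged = {}
    for name, entries in feeds.items():
        for e in entries:
            m = merged.setdefault(e["ioc"], {"labels": set(), "sources": set(),
                                             "confidence": 0, "last_seen_days": 10**6})
            m["labels"].add(e["label"])
            m["sources"].add(name)
            m["confidence"] = max(m["confidence"], e["confidence"])              # strongest claim wins
            m["last_seen_days"] = min(m["last_seen_days"], e["last_seen_days"])  # freshest sighting wins
    return merged

def unfiltered_alerts(events, feeds):
    """The naive approach the chapter warns about: alert on every event touching any feed indicator."""
    iocs = {e["ioc"] for entries in feeds.values() for e in entries}
    return [ev for ev in events if ev["src"] in iocs or ev["dst"] in iocs]

def risk_score(match, event):
    """Contextualization: combine feed context with what the internal event itself shows (0-100)."""
    score = match["confidence"]
    score += 10 if len(match["sources"]) > 1 else 0         # corroborated by a second feed
    score -= 40 if match["last_seen_days"] > 90 else 0      # stale indicator, likely no longer active
    score += 20 if event["direction"] == "outbound" else 0  # an internal host reaching out is more telling
    score += 20 if event["asset_critical"] else 0           # business-critical asset involved
    return max(0, min(100, score))

def contextualized_alerts(events, feeds, threshold=70):
    """Raise only matches whose risk score clears the threshold, highest score first."""
    merged, hits = aggregate(feeds), []
    for ev in events:
        for ioc, hit in ((a, merged[a]) for a in (ev["dst"], ev["src"]) if a in merged):
            hits.append({"ioc": ioc, "score": risk_score(hit, ev), "labels": sorted(hit["labels"]),
                         "sources": sorted(hit["sources"]), "event": ev})
    return sorted((h for h in hits if h["score"] >= threshold), key=lambda h: -h["score"])
```

On the constructed data, the unfiltered approach raises all four events while the scored approach raises only the two outbound connections to the corroborated, recently seen indicator, with the critical asset first.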
The other critical aspect of integration is delivering the most important, specific, relevant, and contextualized intelligence to the right group at the right time.
Threat intelligence solutions can be integrated with SIEMs and other security tools either through APIs or interfaces developed in partnership with the security tool vendors.
The value you get from threat intelligence is directly related to your ability to make it relevant to your organization and apply it to existing and new security processes.
You can reach these goals faster if you work with a vendor or consultant that provides both technical capabilities and expertise to empower your organization to get the most from threat intelligence. As time goes on, working with such a partner will enable members of your team to become threat intelligence experts in their own right, so that your capabilities in the field can grow organically.
We hope this book has shown you that threat intelligence is not some kind of monolith that needs to be dropped onto the security organization all at one time. Instead, you have options to draw on a wide range of data sources and then process, analyze, and disseminate threat intelligence to every major group in cybersecurity.
That means you can start simple with your current staff (instead of a dedicated threat intelligence group), a few data sources, and integration with existing security tools like SIEM and vulnerability management systems. You can then scale up to dedicated staffing, more data sources, more tools, more integration, and more automated workflows, as shown in the image below.
Start the journey by researching the needs of each group in your cybersecurity organization and seeing how threat intelligence can help them achieve their objectives.
Then, over time, you can build toward a comprehensive threat intelligence program that:
You’ll find more resources in the full chapter of the book that will give even more information on the best practices for applying threat intelligence, as well as helpful charts, diagrams, and tips on where to read further. The other chapters of the book also give a good sense of how different teams in your organization can use threat intelligence, exploring different use cases and more. Download your free copy of “The Threat Intelligence Handbook” today.