3 Key Elements of Threat Intelligence Management
By Zane Pokorny on August 8, 2018
- By focusing on how your threat intelligence is produced, how it is shared within your organization, and how it is applied, you can begin to manage it more effectively.
- Managing the production of threat intelligence means following some best practices: identifying your organization’s use cases ahead of time so that you can focus on the right data, choosing sources to match, and automating collection and categorization wherever possible.
- Share your threat intelligence with people who can take action on it. That means producing it in a timely, contextual way and in a form the intended audience can actually understand.
- Apply your threat intelligence effectively by making already-existing processes more efficient, getting a higher return on investment, and making your security systems more robust.
You might have clicked on this blog post expecting a long take on how to manage your data feeds more effectively. After all, sources of threat data lie at the foundation of any threat intelligence program, but they can be hugely time-consuming to manage — it stands to reason that any attempts to improve your threat intelligence management approach will involve more efficiently handling your data feeds.
Let’s explore some guiding principles of threat intelligence management and look at a few case studies to show its value.
The Real Value of Threat Intelligence Management
While many threat intelligence solutions will simply provide you with data feeds, the real value of threat intelligence is not in organizing and managing all your different sources of data — it’s doing something with that data. Threat intelligence gives context. Raw data sketches out a map; threat intelligence actually directs your route.
Regardless of the size of your organization, effectively managing your threat intelligence comes down to improving the three stages of threat intelligence development: how it is produced, how it is shared, and how it is ultimately applied in the pursuit of meeting your organization’s cybersecurity needs.
But before you can improve any of these three stages, you need to decide what improvement means for you, and that starts with determining which threat intelligence use cases matter most to your organization.
Produce the Threat Intelligence You Need
Threat intelligence is ultimately a polished product derived from raw sources, the most common being a threat data feed. Individual feeds generally cover a single topic, such as lists of suspicious IP addresses or email addresses associated with malicious activity, and there are best practices to follow when choosing which feeds to draw from and evaluating how useful they are.
Even within that narrow scope, a feed is just a stream of undifferentiated entries in which no data point takes priority over the others, so sorting through it by hand is a huge hassle for any analyst. A good threat intelligence solution should automate this categorization, for example by sorting the raw data into clearly defined ontologies (indicator type, malware family, affected product, and so on) so that analysts can research a specific topic without wading through everything else.
Automation alone does not produce intelligence, however. More robust threat intelligence solutions draw not only on publicly available threat data feeds but also on sources like social media, dark web forums, and technical sources, and then consolidate those disparate inputs into a single stream that is relevant to your organization’s use cases.
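The categorization and consolidation step described above, as an added example that is not code from the original post or from any vendor’s product. It takes two constructed feed exports (the feed names, indicator values and use-case mapping are all made up for illustration), classifies each line into a small ontology of indicator types, normalizes and deduplicates across feeds while remembering which feed each indicator came from, and then slices the result by use case so that a phishing analyst and a firewall administrator each see only the categories they consume:

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample feeds (not real intelligence): a mix of indicator types,
# comments, blank lines and duplicates, the way raw feed exports usually look.
FEEDS = {
    "feed-a (ip/domain list)": """
# updated 2018-08-01
203.0.113.45
203.0.113.45
malicious-login.example
Malicious-Login.EXAMPLE
2001:db8::dead:beef
""",
    "feed-b (phishing feed)": """
phish@example.net
http://malicious-login.example/verify
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
d41d8cd98f00b204e9800998ecf8427e
not an indicator at all
""",
}

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
_EMAIL_RE = re.compile(r"^[^@\s]+@(?:[a-z0-9-]+\.)+[a-z]{2,63}$")
_URL_RE = re.compile(r"^https?://\S+$")
_HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify(raw):
    """Map one raw feed line onto an ontology category, or None if it is not an indicator.

    Returns a (category, normalized_value) pair so that 'A.EXAMPLE' and 'a.example'
    collapse into the same entry during consolidation.
    """
    value = raw.strip().lower()
    if not value or value.startswith("#"):
        return None
    try:
        ip = ipaddress.ip_address(value)
        return ("ipv4" if ip.version == 4 else "ipv6", value)
    except ValueError:
        pass
    if _URL_RE.match(value):
        return ("url", value)
    if _EMAIL_RE.match(value):
        return ("email", value)
    if _HEX_RE.match(value) and len(value) in (32, 40, 64):
        return ({32: "md5", 40: "sha1", 64: "sha256"}[len(value)], value)
    if _DOMAIN_RE.match(value):
        return ("domain", value)
    return None


# Which ontology categories each use case consumes.  Assumed for this example;
# a real mapping comes from the use cases you identified up front.
USE_CASES = {
    "network-blocking": {"ipv4", "ipv6", "domain"},
    "phishing-triage": {"email", "url", "domain"},
    "endpoint-hunting": {"md5", "sha1", "sha256"},
}


def consolidate(feeds):
    """Merge feeds into one deduplicated table: (category, value) -> set of source feed names."""
    table = defaultdict(set)
    for source, text in feeds.items():
        for line in text.splitlines():
            item = classify(line)
            if item is not None:
                table[item].add(source)
    return table


def for_use_case(table, use_case):
    """Return only the consolidated indicators that serve one use case, in a stable order."""
    wanted = USE_CASES[use_case]
    return sorted((cat, val, sorted(srcs)) for (cat, val), srcs in table.items() if cat in wanted)


if __name__ == "__main__":
    table = consolidate(FEEDS)
    for uc in USE_CASES:
        print(uc)
        for cat, val, srcs in for_use_case(table, uc):
            print(f"  {cat:7} {val}  <- {', '.join(srcs)}")
```

Two details matter in practice: the classifier rejects anything it cannot place in the ontology (comments, prose, malformed lines) rather than passing it along as a vague “indicator”, and the consolidated table keeps the set of feeds that reported each value, which is the raw material for judging how useful a given feed really is.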
Share Your Threat Intelligence With the Right People
Being able to gather all of those messy sources into something an analyst can find patterns in and draw conclusions from is all well and good, but it still won’t yield useful threat intelligence unless the final product is actionable. That is one of those business-jargon words everyone loves to throw around (“We need to generate more actionable strategies for Q4 this year!”), but on its own it doesn’t mean anything.
For a piece of threat intelligence to be actionable, the following elements are generally required:
- It’s timely. Threat intelligence that tips your organization off to an impending cyberattack early enough to block it, or to patch before it lands, is timely. Piecing together the indications that an attack was coming after it has already happened is not.
- It’s contextual. Threat intelligence should be specific to your environment. An exploit for a product or version you don’t run is noise; the vulnerabilities to worry about first are the ones in the systems you actually use, which means matching incoming intelligence against your own asset inventory.
- It’s coherent. This is perhaps the hardest to define yet most essential aspect of actionable intelligence: it must be understandable to the people who are in a position to act on it. Picture an urgent report warning of a major flaw in the organization’s defenses landing in a manager’s inbox. Because it is written in dense, hard-to-parse technical language, the manager never grasps the urgency of the threat, chooses not to prioritize it, and disaster follows.
The output of any one cycle of threat intelligence development will therefore vary depending on its intended audience. The final result could be contextualized reports intended to give visibility to business leaders; technical indicators meant to inform security operations; dashboards on trending and relevant threats, like vulnerabilities, malware, or malicious infrastructure; alerts on potential attacks or brand-damaging activity; and so on.
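The three actionability tests above, applied to vulnerability intelligence, as an added example that is not code from the original post. The asset inventory, the advisories (labelled ADV-0001 through ADV-0004; they are constructed, not real CVEs), the 30-day freshness window and the priority levels are all assumptions made for the illustration. Each advisory is first matched against the products and versions actually installed (contextual), then aged against the current date (timely), and the surviving items are rendered twice, as a one-line summary for leadership and as a per-host worklist for security operations (coherent for each audience):

```python
import re
from datetime import date

# Constructed asset inventory (assumed for the example): host -> {product: installed version}.
INVENTORY = {
    "web-01": {"nginx": "1.14.0", "openssl": "1.1.0h"},
    "mail-01": {"postfix": "3.3.0", "openssl": "1.1.0h"},
    "kiosk-03": {"acme-player": "2.1"},
}

# Constructed advisories, not real vulnerabilities: the first version that contains
# the fix, when the advisory was published, and whether exploitation has been observed.
ADVISORIES = [
    {"id": "ADV-0001", "product": "openssl", "fixed_in": "1.1.0i", "published": date(2018, 8, 7), "exploited": True},
    {"id": "ADV-0002", "product": "nginx", "fixed_in": "1.15.0", "published": date(2018, 6, 1), "exploited": False},
    {"id": "ADV-0003", "product": "exim", "fixed_in": "4.91", "published": date(2018, 8, 6), "exploited": True},
    {"id": "ADV-0004", "product": "acme-player", "fixed_in": "2.0", "published": date(2018, 8, 5), "exploited": True},
]


def version_key(version):
    """Split a version such as '1.1.0h' into a comparable tuple.

    Numeric parts compare numerically (so 1.15 > 1.9); a letter suffix sorts after
    the number it follows, which is enough for the version schemes used here.
    """
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[a-z]+", version.lower()))


def is_affected(installed, fixed_in):
    """True if the installed version predates the first fixed version."""
    return version_key(installed) < version_key(fixed_in)


def prioritize(advisories, inventory, today, max_age_days=30):
    """Keep only advisories that apply to our inventory and grade them by urgency and age."""
    results = []
    for adv in advisories:
        hosts = sorted(h for h, sw in inventory.items()
                       if adv["product"] in sw and is_affected(sw[adv["product"]], adv["fixed_in"]))
        if not hosts:
            continue  # contextual filter: not our product, or not a vulnerable version
        age = (today - adv["published"]).days
        timely = age <= max_age_days
        if adv["exploited"] and timely:
            level = "urgent"
        elif timely:
            level = "planned"
        else:
            level = "stale"  # still relevant, but this should already have been handled
        results.append({"id": adv["id"], "product": adv["product"], "hosts": hosts,
                        "age_days": age, "level": level})
    order = {"urgent": 0, "planned": 1, "stale": 2}
    results.sort(key=lambda r: (order[r["level"]], -len(r["hosts"]), r["id"]))
    return results


def leadership_summary(results):
    """One plain-language line for a non-technical reader: counts, not version strings."""
    urgent = [r for r in results if r["level"] == "urgent"]
    hosts = {h for r in urgent for h in r["hosts"]}
    return (f"{len(urgent)} actively exploited issue(s) affecting {len(hosts)} of our systems; "
            f"{len(results) - len(urgent)} other relevant advisory(ies).")


def soc_worklist(results):
    """Per-host tickets for security operations: (host, advisory, product, level)."""
    return [(h, r["id"], r["product"], r["level"]) for r in results for h in r["hosts"]]


if __name__ == "__main__":
    results = prioritize(ADVISORIES, INVENTORY, date(2018, 8, 8))
    print(leadership_summary(results))
    for row in soc_worklist(results):
        print(row)
```

Note what drops out: the exim advisory is actively exploited but irrelevant because nothing in the inventory runs exim, and the acme-player advisory targets a version older than the one installed. The nginx advisory survives but is flagged stale, which is a signal about the patching process rather than about the intelligence.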
Apply Your Threat Intelligence With a Bias for Action
Manage your threat intelligence services with a bias toward actionability by determining from the start who the intended audience is and what use cases will be best served by the intelligence you will generate.
Returning to the examples from above of the different forms of threat intelligence that could be produced depending on the target audience, here are some scenarios in which those pieces of intelligence could be applied:
- An organization’s chief financial officer allocates a larger share of next year’s budget to the cybersecurity team after reading a report on the return on investment the team has seen since it switched from free threat data feeds to a more complete threat intelligence solution.
- Analysts spend more of their time triaging alerts and investigating incidents after integrating a threat intelligence solution with their existing security tooling, which automates most of their data collection and cuts down on false positives.
- A public relations department responds far more quickly to potentially brand-damaging hacks and leaks of sensitive information after the security team sets up automatic alerts for mentions of the organization across the internet, covering not only social media but also harder-to-reach sources such as dark web marketplaces.
Threat intelligence has countless applications — more than any single organization can leverage effectively. The best way to start managing your threat intelligence more effectively is to decide which applications you need to focus on and find the solution best suited to your needs.
For a more detailed look into how you can achieve effective threat intelligence management, download our free white paper, “Best Practices for Applying Threat Intelligence.”