Your Top Questions About Building a Threat Intelligence Team Answered

Levi Gundert, Recorded Future’s Vice President of Information Security Strategy, recently clarified some of the basic concepts and notions around building a world-class threat intelligence capability from scratch. During a webinar hosted by Dark Reading, Gundert answered a few of attendees’ most pressing questions about how to start and maintain an effective threat intelligence proficiency.

**Q: Many definitions abound; what is “threat intelligence” truly?

Levi (L): Threat intelligence is the act of formulating an analysis based on the identification, collection, and enrichment of relevant information. The focus should be on sourcing information applicable to your organization and performing ongoing analysis which translates that information into valuable insight for business decision makers.

**Q: Is there a distinction between strategic threat intelligence and operational threat intelligence?

L: Absolutely. Succinctly, operational threat intelligence (TI) could be defined as: automated external security data correlation via computing power. As our CTO likes to say “it’s where the Internet meets the Intranet.” Companies need raw external threat data to be operationally proficient, but first they need to understand the full scope of their internal telemetry coverage. Data alone, however, does not equal threat intelligence, and that’s where a lot of companies fall short. Massive amounts of external threat data ingested by a company needs to be processed, correlated, and remediated where necessary, and obviously automation can ease some of the operational pain.

Strategic threat intelligence, on the other hand, requires human analysis of select information. Strategic analysis requires smart and skilled human resources who can identify priority threats that may impact the organization’s strategic assets — its employees, customers, infrastructure, intellectual property, applications, vendors, etc. Experienced information security professionals are the key to achieving valuable strategic intelligence.

Strategic TI is akin to the rings in a Skee Ball game. As threats are identified, their expected impact can be estimated and scored. The smallest innermost ring is the most valuable score and represents threats that will directly impact the business. The outer rings are valued less, but also important as they represent general and industry relevance.

**Q: On a similar note, can threat intelligence be considered a proactive approach or a reactive approach, sharpening the incident response program?

L: Threat intelligence includes both proactive and reactive response depending on the phase in the cycle. A world-class program is a constant feedback loop complementing other operational teams within enterprise information security.

**Q: This seems like a complicated process. How many resources typically staff an enterprise threat intelligence team?

L: Every organization is different as is their risk profile. There is no magic number. The goal is a team that can strongly deliver across the sourcing, analysis, and reporting functions.

For an enterprise building a team from scratch or reorganizing information security,there are a few ways to form a threat intelligence team. One method is to segment the team into granular subgroups, but one danger of this approach is that it creates silos within the larger threat intelligence group and makes it hard for team members to grow outside their speciality. In security, we know that personal growth and constant learning is important, so it’s best practice to ensure that subgroup members have opportunities to learn new skills and stay engaged.

Another organizational structure is to put a kind of threat intelligence “umbrella” over the SOC and incident response teams, supplementing them with experienced data and threat analysts. The SOC and IR teams are already working with critical data and performing some TI functions, so a collaborative approach can be very effective. The danger here is that personalities matter; no one wants to feel like their power is being usurped, so managers need to carefully plan the rollout of the new structure, making sure no one feels devalued in the process.

**Q: How do you determine which operational indicator of compromise (IOC) feeds are most valuable? How do you measure their success?

L: The first step is understanding the feed’s true source by answering a few questions: Does the data originate from the web or malware processing or honeynets? How much of the data is originally produced vs. imported from a third party security company? There are many sourcing silos, and feeds should mirror the operational team’s sourcing goals.

In terms of metrics, every instance of positive telemetry/feed correlation that previously went unnoticed is the value of the external threat data. Additional potential questions for feeds:

• How many defensive rules were created?
• How many architecture changes have been prompted based on operational data correlation?
• How many IOCs did you ingest?
• How many produced positive correlation? How many lead to an incident remediation?
• As an organization makes (effective and appropriate) security architecture changes, does the number of IOC correlations start to reduce over time?
• How many reports have been written that supported a business decision?
• How many identified TTPs lead to an architecture change?

These are the types of measurements threat intelligence teams can use to tangibly show the business how the program is succeeding in reducing operational risk. The key to any metrics program is delivering metrics that matter. Too often in our industry we say, “Look how well we did! No incidents occurred this month!” The absence of an instance isn’t metrics. In threat intelligence, though, there are many places against which to measure success.

**Q: How does a security team know when a new rule needs to be created? Aren’t some events kind of anomalous and/or trivial?

L: To begin, first validate that you don’t already have the rule in place, and make sure the correlation isn’t a false-positive. Most teams tend to facilitate this correlation naturally and logically through their SIEM. If the correlation exists and the threat is valid, that’s when the rule should be created. It is important to note that an analyst needs a high level of confidence in his threat sources and needs to enrich the data with context from other sources before adding a rule.

**Q: How many teams are actually able to automate the defensive rule creation and implementation process?

L: To date, very few enterprises have achieved the full operational threat intelligence continuum and are successful in applying automated rules. To hear more of Gundert’s comments and learn how to build a world-class threat intelligence capability from scratch, watch the webinar recording or read the accompanying white paper of the same title.