Here’s What Industry Experts Say About Making Threat Intelligence Actionable
November 15, 2016 • Amanda McKeon
With cyber security being such a hot topic in recent years, threat intelligence has now become a buzzword. Buzzwords create confusion and present organizations with a challenge to know if they are using their tools and resources effectively.
We recently conducted interviews with some of the industry’s top experts to get their perspective on threat intelligence. Below are a few of our favorite quotes.
Does It Answer “So What?”
Though it shares the common attributes about being timely, accurate, consumable, and relative, I differentiate actionable threat intelligence from good threat intelligence. You see, I learned a lesson from our chief security officer, when he kept asking the question, “So what?” If your threat intelligence hasn’t been through several revisions of “So what?”, well you just won’t respond appropriately — though you may have acted.
Is It Meeting the Needs of Two Audiences?
Threat intelligence needs to operate on two levels, and meet needs for two different audiences. At the security operations center (SOC) level, the atomic indicator is often exactly what they need — a quick “bad/good” judgement for a given piece of network traffic or email. But at a more strategic level, we have a goal of identifying the criminal actor and depriving them of their opportunity to attack us again.
To get to that level, it is often the case that a single organization does not have the necessary data to provide the larger context. This is where “cross-brand intelligence” comes in. What does YOUR company know about this attacker that might benefit MY company? And where do we share that type of information in a way that enhances our mutual understanding of the threat without compromising the security of either organization?
Does It Enable a Timely Response?
[Actionable intelligence is] intelligence that enables decisions for timely action or response. Examples include intelligence that enables preemptive strikes, counter strategies, attribution, priority of threats, capabilities, intent, etc. It should answer the who, what, when, and why questions to drive operations for a more effective defense.
Does It Help You Defend Against Pending Attacks?
A lot of data is available in the dark web and it becomes a challenge for analysts to determine what is relevant. While digging you do find information about pending attacks as hacking groups tend to make announcements to get enough followers to accomplish their agendas. This is where threat intelligence can really provide actionable data that can help an entity be proactive about implementing the right security for pending attacks.
Is It Driven by the Stakeholder?
Actionable intelligence can take on many types and is driven by the stakeholder. Actionable intelligence to a security operations analyst may be focused on indicators, whereas actionable intelligence to an executive may be an assessment of certain activities in a region of the world. The “action” part of actionable is driven by the stakeholder.
I think one of the challenges with threat intelligence is understanding the audience and stakeholder. One of the forgotten and overlooked aspects of the intelligence cycle is requirements gathering. If you do not know what your stakeholders want and need to do their jobs, then you are not doing your job.
Initial requirements gathering is important, but maintaining the connection to the stakeholder and revising requirements is integral to a productive analyst-stakeholder relationship. My team does frequent revisions to our requirements based on the evolving landscape and through frequent touchpoints with our consumers.
Does It Go Above and Beyond Feeds?
Recently actionable intelligence has become more of a buzzword in the venture capital markets, in Congress, and in device manufacturing. Right now there is a lot of noise out there masquerading as “intelligence.” Actionable intelligence for me means:
- Intelligence that is lower level is able to be implemented into defensive measures at machine speed across the wire in real time.
- Intelligence that is deeper and more sophisticated is made applicable to the environment based on its unique specifications of the company and its infrastructure.
- Intelligence that takes into consideration “how” the environment is architected, thus preventing everything being a high or critical action item.
It is inescapable that, for intelligence to be actionable, it must be integrated into SIEMs or other tools for a one-pane-of-glass view. Actionable intelligence must be real and go above and beyond the commoditized nature of many “intelligence feeds” that are available today.
Are All the Pieces in Place?
Over the last few years there has been no shortage of business email compromise, extortion, and DDoS attacks against the financial industry. There is value in visibility to technical indicators and observations, but there is so much more that can be of value to the organization.
By applying intelligence analysis to this situation we can gain a lot more value from the technical details but also paint a clearer picture on what an effective and appropriate response may look like for the specific business. For instance, one common practice trained intelligence analysts refer to is evaluating influencers based on “PESTLE” analysis. How does the situation potentially affect my organization as it relates to Political, Economic, Social, Technology, Legal, and Environmental impacts?
Collecting the technical indicators, the attribution details, and applying PESTLE-type analysis to these situations is key to determining if your business can make an appropriate choice for mitigating impact of the attack, given the company’s goals, current condition, and business operations. The key is, all these pieces must be in place to do so. Applying the available information and intelligence to this entire set of conditions is what actionable intelligence looks like to me, nothing less.
Of course the first step toward actionable threat intelligence is actually getting your hands on in-depth, real-time threat data. Request a demo today to find out how you can get access to threat information from the entire open, deep, and dark web.