Here’s What Industry Experts Say About Making Threat Intelligence Actionable

Though it shares the common attributes about being timely, accurate, consumable, and relative, I differentiate actionable threat intelligence from good threat intelligence. You see, I learned a lesson from our chief security officer, when he kept asking the question, “So what?”. If your threat intelligence hasn’t been through several revisions of “So what?”, well you just won’t respond appropriately — though you may have acted.

Chris Stouff
Manager of Security Incident Response and Forensics, Armor

Threat intelligence needs to operate on two levels, and meet needs for two different audiences. At the security operations center (SOC) level, the atomic indicator is often exactly what they need — a quick “bad/good” judgement for a given piece of network traffic or email. But at a more strategic level, we have a goal of identifying the criminal actor and depriving them of their opportunity to attack us again.

To get to that level, it is often the case that a single organization does not have the necessary data to provide the larger context. This is where “cross-brand intelligence” comes in. What does YOUR company know about this attacker that might benefit MY company? And where do we share that type of information in a way that enhances our mutual understanding of the threat without compromising the security of either organization?

Gary Warner
Chief Threat Scientist, PhishMe

[Actionable intelligence is] intelligence that enables decisions for timely action or response. Examples include intelligence that enables preemptive strikes, counter strategies, attribution, priority of threats, capabilities, intent, etc. It should answer the who, what, when, and why questions to drive operations for a more effective defense.

Teresa Shea
Executive Vice President and Director of Cyber Reboot, In-Q-Tel

A lot of data is available in the dark web and it becomes a challenge for analysts to determine what is relevant. While digging you do find information about pending attacks as hacking groups tend to make announcements to get enough followers to accomplish their agendas. This is where threat intelligence can really provide actionable data that can help an entity be proactive about implementing the right security for pending attacks.

Stephen Coty
Chief Security Evangelist, Alert Logic

Actionable intelligence can take on many types and is driven by the stakeholder. Actionable intelligence to a security operations analyst may be focused on indicators, whereas actionable intelligence to an executive may be an assessment of certain activities in a region of the world. The “action” part of actionable is driven by the stakeholder.

I think one of the challenges with threat intelligence is understanding the audience and stakeholder. One of the forgotten and overlooked aspects of the intelligence cycle is requirements gathering. If you do not know what your stakeholders want and need to do their jobs, then you are not doing your job.

Initial requirements gathering is important, but maintaining the connection to the stakeholder and revising requirements is integral to a productive analyst-stakeholder relationship. My team does frequent revisions to our requirements based on the evolving landscape and through frequent touchpoints with our consumers.

Christopher Mascaro
Head of Threat Intelligence and Analytics, First Data

Recently actionable intelligence has become more of a buzzword in the venture capital markets, in congress, and in device manufacturing. Right now there is a lot of noise out there masquerading as “intelligence.” Actionable intelligence for me means:

• Intelligence that is lower level is able to be implemented into defensive measures at machine speed across the wire in real time
• Intelligence that is deeper and more sophisticated is made applicable to the environment based on its unique specifications of the company and its infrastructure.
• Intelligence that takes into consideration “how” the environment is architected, thus preventing everything being a high or critical action item.

It is inescapable that, for intelligence to be actionable, it must be integrated into SIEMs or other tools for a one-pane-of-glass view. Actionable intelligence must be real and go above and beyond the commoditized nature of many “intelligence feeds” that are available today.

Christopher Pierson
Executive Vice President, Chief Security Officer and General Counsel, Viewpost

Over the last few years there has been no shortage of business email compromise, extortion, and DDoS attacks against the financial industry. There is value in visibility to technical indicators and observations, but there is so much more that can be of value to the organization.

By applying intelligence analysis to this situation we can gain a lot more value from the technical details but also paint a clearer picture on what an effective and appropriate response may look like for the specific business. For instance, one common practice trained intelligence analysts refer to is evaluating influencers based on “PESTLE” analysis. How does the situation potentially affect my organization as it relates to Political, Economic, Social, Technology, Legal, and Environmental impacts?

Collecting the technical indicators, the attribution details, and applying PESTLE-type analysis to these situations is key to determining if your business can make an appropriate choice for mitigating impact of the attack, given the company’s goals, current condition, and business operations. The key is, all these pieces must be in place to do so. Applying the available information and intelligence to this entire set of conditions is what actionable intelligence looks like to me, nothing less.

Rob Kraus
Director of Security Research and Strategy, Solutionary