4 Security Roles That Can Benefit From Threat Intelligence

June 27, 2018 • The Recorded Future Team

Key Takeaways

  • Threat intelligence is widely imagined to be the domain of elite analysts. In reality, it adds value across the security function for organizations of all sizes.
  • Security teams are routinely unable to process the alerts they receive. Threat intelligence integrates with existing technologies to enable the automated prioritization of serious threats and removal of false positives.
  • Vulnerability management teams cannot accurately prioritize the most important vulnerabilities without access to the external insights and context provided by threat intelligence.
  • Preventative security measures are dependent on an understanding of the current threat landscape. Threat intelligence harvests key insights on threat actors, TTPs, and more from across technical, open web, and dark web sources.

It’s safe to say that threat intelligence is widely misunderstood.

It has a mystique to it that leads many organizations to think it “isn’t for them,” or that they “aren’t ready for it yet.”

Even the name sounds too advanced. The term “threat intelligence” conjures up an image of a room full of genetically enhanced super analysts studying dozens of screens simultaneously and uncovering hidden cybercrime rings on a daily basis.

Thankfully, the reality is far more useful to daily life than you might think.

Testing Threat Intelligence Assumptions

It’s tempting to think of threat intelligence as a separate function.

You have your vulnerability management specialists, your incident response team, your security operations center. And then, if you’re lucky, you have your threat intelligence boffins huddled in a corner somewhere doing clever things that nobody else understands.

This couldn’t be further from the truth.

In the real world, threat intelligence isn’t a separate function at all — it integrates with existing systems and processes to facilitate better and faster decision making across the security function.

In most organizations, there’s no threat intelligence team, there are simply normal security functions benefiting from vital external insights and context collected from across the web.

The 4 Roles

To show how applicable threat intelligence really is, no matter how advanced your security function may be, here are four security roles that can benefit from threat intelligence instantly.

1. Incident Response

Of all security functions, incident response is perhaps the most time sensitive. After all, one of the thousands of daily alerts received by an average incident response team could be a genuine existential threat.

It’s unfortunate, then, that most incident response teams are so overwhelmed by alerts that they are forced to waste a huge amount of time on mundane tasks — discounting false positives, making repetitive prioritization decisions, and constantly switching between security technologies, to name just a few.

It’s tempting to imagine that adding threat intelligence to the mix could make things even worse. After all, it’s yet another technology for analysts to wrestle with, and it provides even more data to process.

In reality, though, powerful threat intelligence capabilities can integrate directly with existing technologies and provide vital information and context directly where it’s needed. For analysts, the benefits are clear:

  • Automated prioritization of the most significant incidents.
  • A huge reduction in false positives.
  • Reduced need to manually switch between technologies.

At the same time, industry-leading incident response orchestration platforms can call directly upon threat intelligence, along with other vital technologies, to enable analysts to work from a single window for the vast majority of their workload.

Common Integrations: IBM Resilient, ProtectWise

2. Vulnerability Management

Vulnerability management seems like a simple affair — scan for vulnerabilities, patch vulnerabilities, repeat.

The truth is much more complex.

In the real world, it simply isn’t possible to patch all vulnerabilities. Patches don’t even exist for many identified vulnerabilities, and even if they did, the impact on business continuity would be untenable.

That’s why prioritization is such an important factor in vulnerability management.

Traditionally, security teams prioritize vulnerability patching based on the importance of the system they could affect. Business critical systems are important, obviously, and no threat to them can be allowed to remain in place.

But there’s a problem with this approach. The fact that certain systems are of great importance to you has no influence on how likely they are to be attacked. Threat actors target vulnerabilities based on how useful they are to them, not how impactful they are to you, which makes relying exclusively on internal data a highly ineffective approach to prioritization.

Threat intelligence providers like Recorded Future can integrate directly with the vulnerability scanning and management process, providing operational staff with key insights directly when and where they need them. The result is automated prioritization of vulnerabilities based on how likely they are to be exploited.

Common Integrations: Brinqa, Tenable, Qualys

3. SIEM

The typical SIEM throws out anywhere between tens of thousands to millions of alerts each year, of which only a tiny fraction can be investigated.

Why so many? Because most are false positives — unusual activity that’s just … unusual. Nothing more. Even when alerts are investigated, a huge chunk of time is spent discarding false positives and chasing dead leads.

The problem is simple. When you rely exclusively on internal data, there’s no way of knowing which alerts are genuine threats, and which are simply unusual (but legitimate) activity.

Threat intelligence integrates directly with leading SIEM technologies to enable the automated identification of genuine threats and discarding of false positives. For example, threat intelligence can identify:

  • IP addresses associated with malicious activity or botnets.
  • Known malware hashes.
  • Connection requests to or from maliciously registered domains.
  • Attempted connections to known command-and-control (C2) servers.

Without the external context provided by threat intelligence, all of these activities would be indiscernible from legitimate daily activity.

Common Integrations: LogRhythm, QRadar, Splunk

4. Deep Analysis

Not all security is reactive.

Security operations centers rely on being able to anticipate and prepare for cyber threats proactively. This is primarily done by identifying the most likely avenues of attack for their specific organization and designing security processes and controls around them.

This process, while vital, is highly intensive. It relies on complete access to both internal and external data without the need for constant window switching or manual research.

At the highest level, threat intelligence integrates with all of the technologies needed to power security operations, including end-to-end security management platforms, endpoint security, next-generation firewalls, SIEMs, vulnerability scanners, incident response platforms, and much more.

No matter how your security operations center is designed, threat intelligence integrates with existing systems to provide complete access to relevant, contextualized intelligence in real time from across technical, open web, and dark web sources. In just moments, operational staff can identify:

  • Active threat actors.
  • Current tactics, techniques, and procedures (TTPs).
  • The latest malware variants.
  • Brand threats such as leaked data or planned attacks.
  • Newly discovered vulnerabilities (days before they appear on vulnerability databases).
  • A whole host of other IOCs.

Common Integrations: Palo Alto Networks, Palantir

Waiting Only Makes Things Worse

Misconceptions about threat intelligence can be hugely damaging. If you see threat intelligence as something for “farther down the road,” you’re missing out on all of the advantages it could be affording you right now.

Because right now, your incident response team is buried in alerts that will never be investigated, and your vulnerability management specialists are prioritizing the wrong vulnerabilities. At this moment, your security technologies are throwing up alerts and incidents every minute, and without external context, there’s no way to know which ones could turn into serious threats.

And you know what? If you keep going as you are, all of these problems are only going to get worse.

Threat intelligence integrates directly with your existing infrastructure, and provides security personnel with the real-time insights and context necessary to make better, faster decisions. From vulnerability management, to preventative security measures, to investment decisions, having a deep understanding of your threat landscape will lead to a substantial reduction in cyber risk no matter how advanced your security function is.

To find out how you can integrate threat intelligence with your existing technologies right now and see benefits across the security function, read our new white paper, “5 Reasons to Integrate Threat Intelligence Into Your Security Right Now.”