The Value of Threat Intelligence for Incident Response Teams (Part 3)

July 17, 2019 • The Recorded Future Team

This is the third blog in a three-part series where we examine how security teams manage their security incident response processes. In the first blog, we highlighted the challenges faced when trying to mitigate security incidents and how constraints force many teams into taking a reactive approach. In the second blog, we explained how threat intelligence minimizes reactivity and helps incident response teams take a more proactive approach to mitigating vulnerabilities and defending against cyber threats. In this blog, we examine some real-world use cases that demonstrate the value of threat intelligence for incident response teams and how to avoid threat intelligence “abuse.”

The State of Incident Response

There’s often a significant gap between when a breach occurs and when organizations realize it — an average of around 196 days, in fact, according to a 2018 Ponemon Institute study, “Cost of a Data Breach.” That’s more than six months. And this stolen data and other assets often end up for sale on the dark web long, long before that.

What’s needed is an external awareness of the threat landscape, which can be provided by threat intelligence. With a real-time threat intelligence solution, you can monitor spaces like dark web marketplaces for mentions of your organization’s name, or other relevant details that can provide early warning signs of a breach. And with this context, the time between an attack and remediation can be cut down from months to minutes, in some cases. In other cases, it can even mean preemptively stopping an impending attack.

The following real-world use cases illustrate how incident response teams can use threat intelligence as part of their security management program, providing examples of how your incident response team can become more proactive in protecting the organization’s digital assets.

Use Case 1: Preparing Processes in Advance

A self-assessment performed by the incident response team at a large financial firm in the U.S. discovered that most of its processes were highly reactive. Mitigation activities were typically launched only after incidents occurred, which greatly extended the time to scope and remediate incidents.

With a threat intelligence solution, their incident response team was able to form a much more comprehensive picture of the threat landscape, gaining insights into the tactics, techniques, and procedures (TTPs) of threat actors, industry- and area-specific attack trends and risk scores, and more. That intelligence helps with incident discovery, triage, and containment, making it much easier to deal with security incidents by enriching alerts and helping to correlate internal security data with external context. This has sped up the consistency and reliability of the financial firm’s security team across incident response functions.

Use Case 2: Scoping and Containing Incidents

When security incidents occur, the manager of an incident response team for a utilities organization in Europe wants to give their team the ability to determine exactly what happened, what the incident might mean for the organization, and which actions to take. The team also needed to scope these factors as quickly as possible and with a high degree of accuracy.

By integrating a threat intelligence solution into the security infrastructure, the incident response team was able to automatically weed out false positives. This enabled them to focus on genuine security incidents. And by enriching incidents with related information from across the open and dark web, it’s easier for the team to determine how much of a threat each incident poses and how the organization might be affected.

In addition, threat intelligence provides details about each threat and insights about attacker TTPs. The team can now make fast and effective containment and remediation decisions.

Key Incident Response Concepts

  • Incident response is reactive by nature, but this tendency is often taken too far.
  • Because the typical incident response process is too reactive, it causes incident response team stress.
  • To minimize reactivity, two functions are necessary: preparation and prioritization.
  • Threat intelligence helps incident response teams prepare for and prioritize incident responses, even when they are unexpected.

Beware of Threat Intelligence Abuse

In addition to understanding the value of threat intelligence, it’s also important to beware of “abuse” cases where threat intelligence can actually undermine incident response. For example, some organizations choose to rely simply on free threat feeds, which should not be mistaken for real threat intelligence, believing this will minimize up-front costs while still providing actionable information to help the incident response teams.

Simply bringing more data to table without the rest of the people, process, and technology elements sorted out can often add to the burden of incident responders by providing even more information and alerts for them to sort out, forcing them to manually research data that may turn out to be false positives or irrelevant alerts. To fully address the primary incident response pain points, threat intelligence needs to be comprehensive, relevant, contextualized, and integrated with other security tools.

Achieving these objectives with your threat intelligence program is critical. When an incident response team becomes more proactive and reduces reactivity, they not only contribute to the desired security posture, but they also become an integral part of improving the information security program’s top and bottom lines.

Learn More

For information on how to leverage effective threat intelligence to become more proactive in your vulnerability management program, request a personalized demo of Recorded Future today.