Managing Threat Intelligence Isn't Enough, Doing It Effectively Matters
Cyware Threat Intelligence Exchange (CTIX) • Dec 5, 2019
Threat Intelligence is a continuous process with applications in different use cases for an organization. To manage it effectively, organizations must be cognizant of the fundamental principles behind the production, sharing, and application of Threat Intel.
Despite the wide variety of threat intelligence solutions available in the market, most of them just provide threat data feeds. Such solutions paint only a small part of the whole threat intelligence picture. The true value of threat intelligence is derived by converting threat information gained from various sources into an action plan for improving the overall security posture. Moreover, threat intelligence was first envisioned as a predictive tool that would help organizations implement preventive measures before an attack. However, over time, it has instead become an operational overhead for security teams: it consumes a huge amount of data, requires further processing and refinement of that data, and must be tracked for audit purposes. It’s time for organizations to pause and re-evaluate their Threat Intel management strategy to guide this function in the right direction.
Threat intelligence management can be understood in three main stages: producing threat intelligence, sharing threat intelligence, and applying it to various use cases as per the organization’s cybersecurity requirements. An improvement in these three stages directly contributes to an increase in the effectiveness of the organization’s threat intelligence program. However, before improving it, organizations must set their priorities with a clear understanding of the most relevant use cases for threat intelligence.
The production of threat intelligence is akin to the process of creating a brilliantly cut diamond from its raw form through a series of cuts and polishes. In threat intelligence, the raw sources are in the form of low-value threat indicators like IP addresses, file hashes, domain names, etc. Threat data feeds provide a stream of such indicators. However, these feeds lack any order or priority among the different data points, thereby making the job of a threat analyst that much tougher. Additionally, threat data feeds are not directly actionable due to the presence of false positives, old data, non-contextual data, and other such factors.
In some cases, threat data feeds are based on specific topics, for example a feed listing newly discovered phishing domains. However, beyond this, there is no control available for sorting or filtering the data further to improve relevance. A state-of-the-art threat intelligence solution must automate the Intel ingestion, Intel validation, and Intel categorization process. Additionally, a robust threat intelligence program must also incorporate information from both internal sources like Firewall, SIEM, IDS, IPS, etc., and external sources like TI providers, partner or peer organizations, regulators, ISACs, the Dark Web, and the organization's own subsidiaries. All this collected threat information must then go through the necessary stages of analysis to produce a stream of the most relevant and actionable intelligence for the organization.
After the collection, filtering, and validation of threat data, security teams can make use of it in various ways like correlating the indicators to identify threats targeting the organization, ranking the indicators on the basis of urgency or other factors, converting Intel into different forms for members in various roles, and more. All these steps help in making Threat Intel more actionable within an organization. The three key properties of Threat Intel that generally make it actionable are:
Timeliness - Threat Intel that points to new rising threats in a timely manner helps build a proactive cyber defense.
Context - Threat Intel shining a light on flaws in existing systems used by an organization is much more valuable than information about flaws in other systems.
Role-based - Threat Intel is not only meant for the technical staff, but also for managers and executives of an organization. It must cater to different roles in an appropriate format with action points relevant to them. If this is not managed effectively, it can lead to decisions that leave cyber risk out of the equation and to ineffective internal communication.
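The production stage described above (validating raw feed indicators, ageing out old data, merging duplicates across sources) and the three actionability properties (timeliness, context, role-based output) can be shown end to end in a small pipeline. The following is an added example, not code from the original article or from any Cyware product; the feed records, the organization's technology profile, the scoring weights and the retention window are all constructed assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample feed (placeholder values only; none of these are real
# indicators). Each record mimics one row of a normalized feed export.
RAW_FEED = [
    {"type": "ipv4", "value": "203.0.113.10", "first_seen": "2019-12-01T10:00:00Z",
     "source": "feed-a", "tags": ["phishing"]},
    {"type": "ipv4", "value": "203.0.113.10", "first_seen": "2019-12-03T08:00:00Z",
     "source": "feed-b", "tags": ["c2"]},                      # same value, second source
    {"type": "ipv4", "value": "999.1.1.1", "first_seen": "2019-12-03T08:00:00Z",
     "source": "feed-b", "tags": ["c2"]},                      # malformed, must be dropped
    {"type": "sha256", "value": "ab" * 32, "first_seen": "2019-12-04T12:00:00Z",
     "source": "feed-c", "tags": ["malware", "windows"]},
    {"type": "sha256", "value": "not-a-hash", "first_seen": "2019-12-04T12:00:00Z",
     "source": "feed-c", "tags": ["malware"]},                 # malformed, must be dropped
    {"type": "domain", "value": "login-portal.example", "first_seen": "2019-11-28T09:00:00Z",
     "source": "feed-a", "tags": ["phishing", "o365"]},
    {"type": "domain", "value": "stale.example", "first_seen": "2019-06-01T00:00:00Z",
     "source": "feed-a", "tags": ["c2"]},                      # older than the retention window
]

NOW = datetime(2019, 12, 5, tzinfo=timezone.utc)   # the article's date, used as "now"
MAX_AGE = timedelta(days=30)                        # assumed retention window

# Assumed profile of the technology the organization actually runs; indicators
# tagged with these are more relevant to it (the "context" property).
ORG_PROFILE = {"windows", "o365"}

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
HASH_RE = {"md5": re.compile(r"^[0-9a-f]{32}$", re.I),
           "sha1": re.compile(r"^[0-9a-f]{40}$", re.I),
           "sha256": re.compile(r"^[0-9a-f]{64}$", re.I)}


def is_valid(rec):
    """Syntactic validation: reject indicators that cannot be what they claim to be."""
    t, v = rec["type"], rec["value"]
    if t == "ipv4":
        try:
            addr = ipaddress.IPv4Address(v)
        except ValueError:
            return False
        # Loopback, multicast, link-local and 0.0.0.0 are noise on any feed.
        return not (addr.is_loopback or addr.is_multicast
                    or addr.is_link_local or addr.is_unspecified)
    if t == "domain":
        return bool(DOMAIN_RE.match(v))
    if t in HASH_RE:
        return bool(HASH_RE[t].match(v))
    return False                      # unknown indicator type: do not trust it


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ingest(records, now=NOW, max_age=MAX_AGE):
    """Validate, age out stale records, and merge duplicates seen by several sources."""
    merged = {}
    for rec in records:
        if not is_valid(rec):
            continue
        seen = parse_ts(rec["first_seen"])
        if now - seen > max_age:      # timeliness: old data is dropped, not ranked low
            continue
        key = (rec["type"], rec["value"].lower())
        ind = merged.setdefault(key, {"type": rec["type"], "value": rec["value"].lower(),
                                      "first_seen": seen, "last_seen": seen,
                                      "sources": set(), "tags": set()})
        ind["first_seen"] = min(ind["first_seen"], seen)
        ind["last_seen"] = max(ind["last_seen"], seen)
        ind["sources"].add(rec["source"])
        ind["tags"].update(rec["tags"])
    return list(merged.values())


def score(ind, now=NOW, profile=ORG_PROFILE):
    """Rank on timeliness, context and corroboration (weights are an assumption)."""
    age_days = (now - ind["last_seen"]).total_seconds() / 86400
    timeliness = max(0.0, 1.0 - age_days / 30)        # 1.0 today, 0.0 at 30 days
    context = 1.0 if ind["tags"] & profile else 0.0    # touches technology we run
    corroboration = min(len(ind["sources"]), 3) / 3    # reported by 1, 2 or 3+ feeds
    return round(0.4 * timeliness + 0.4 * context + 0.2 * corroboration, 3)


def role_views(indicators, profile=ORG_PROFILE):
    """Same intel, two audiences: a ranked list for operators, a summary for executives."""
    ranked = sorted(indicators, key=score, reverse=True)
    technical = [{"type": i["type"], "value": i["value"], "score": score(i),
                  "sources": sorted(i["sources"])} for i in ranked]
    executive = {
        "indicators": len(indicators),
        "relevant_to_us": sum(1 for i in indicators if i["tags"] & profile),
        "multi_source": sum(1 for i in indicators if len(i["sources"]) > 1),
        "top_themes": Counter(t for i in indicators for t in i["tags"]).most_common(2),
    }
    return {"technical": technical, "executive": executive}


if __name__ == "__main__":
    views = role_views(ingest(RAW_FEED))
    for row in views["technical"]:
        print(f'{row["score"]:.3f}  {row["type"]:7} {row["value"]}  {row["sources"]}')
    print(views["executive"])
```

Of the seven constructed records, two are rejected as malformed and one is aged out, and the two reports of the same IP collapse into one indicator carrying both sources. The technical view then puts the Windows-tagged hash first because it is both fresh and relevant to the assumed profile, while the executive view carries no raw indicators at all, only counts and themes that a manager can act on.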
By carefully managing the above factors, an organization can prepare for emerging threats from a technical, operational, and strategic perspective. Moreover, based on the same factors, dissemination of threat intel can also be automated to prompt different staff members to take specific actions.
Now, every organization must remember that Threat Intelligence should not be treated as an isolated internal activity. With increasing third-party security risks due to complex business operations, it has become crucial for organizations to exchange threat information with their clients, vendors, peer organizations, sectoral bodies, and other partners. Thus, after producing relevant and actionable intelligence, it is necessary to exchange it within the trusted network of partners as well.
When a Threat Intel program is geared towards producing relevant and actionable intel, staff members can easily apply it to satisfy different use cases. Below are some examples of such scenarios.
Sharing relevant role-based threat intel with senior management can help sensitize them to cyber risks and change the narratives that CISOs often struggle to define. This could eventually redefine the cyber element at board level and lead to greater financial allocations.
Using advanced automation capabilities, analysts could get rid of many false positives and duplicates, thereby cutting down triage time for alerts and incidents by a significant margin. This could allow them to dedicate more time to investigating emerging threats.
Threat Intelligence is the fuel that fires modern SOC operations. Functions such as Incident Response, Threat Hunting, and Vulnerability Management could all be made more focused and effective by leveraging relevant threat intel.
Threat Intelligence can provide numerous advantages to an organization in managing its cyber risk. With careful management of Threat Intelligence activities and applications, organizations can reap long-term gains in their security posture.