The volume of threat data available online has become overwhelming. According to the IBM X-Force Threat Intelligence Index, 8.5 billion records were breached in 2019, 150,000 vulnerabilities had been disclosed as of January 2020, ransomware attacks were up 67% year-over-year in Q4 2019, and operational technology (OT) attacks surged 2,000% year-over-year. Traditionally, threat data was ingested manually, which meant that threat intelligence analysts spent most of their time collecting, formatting, and sifting through threat data to make sense of it. This is difficult because of the sheer volume of data and the varying formats in which different sources store and share threat intelligence. Normalizing disparate threat data becomes challenging and overwhelmingly time-consuming, which leaves less time for analysis and action and also contributes to analyst fatigue.
Threat intelligence can be very valuable for informing security decisions and driving action; however, this is only true when the intelligence is relevant. Analysts need to be able to quickly extract and prioritize the intel and data that relates to their situation and matters to them, i.e. that is relevant.
Threat intelligence platforms (TIPs) are now capable of automatically ingesting threat data from multiple sources in real time, which can save an analyst a lot of valuable time and effort. Beyond ingestion, two key elements help determine relevancy and lead to the end goal of actionable intel: context and scoring.
To make threat intelligence actionable, it is important to consider both the internal and external context of a threat attack and how it relates to your organization. The internal context covers the people, processes, and technology of the organization. It usually answers the "Who, When, Where, Why, What, and How" of the threat attack. The external context tells you how relevant the threat attack is to your organization by taking into account the insights from trusted threat data sources such as commercial and non-commercial feed providers, ISACs, and others.
Scoring is a way to assess how potentially dangerous or relevant an indicator (IOC) is and to express that as a numeric value. Indicators are scored for relevance by analyzing their target geography, sector, and the types of assets and technologies they are currently affecting. Scoring can be used to give more weight to industry-specific malware, to threat actors that are targeting a certain geographical region, or to a premium feed that you trust more than others, just to name a few examples.
Why is scoring important?
For example, if the threat actor in question is affecting law firms in Finland and you are a Banking, Financial Services and Insurance organization in India, the threat actor is not as relevant to your organization, and hence you may not need to take any action on that particular threat attack.
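To make the scoring described above concrete, here is an added example (not CTIX code, and not from the original article) that combines an organization's internal context with each indicator's external context to produce a 0..100 relevance score and a triage action. The organization profile, feed trust weights, scoring weights, and the three sample indicators are all constructed assumptions; the first indicator mirrors the "law firms in Finland" case.

```python
from dataclasses import dataclass

# Internal context: constructed profile of the consuming organisation (a BFSI firm in India).
ORG_PROFILE = {"sector": "bfsi", "region": "IN",
               "technologies": {"windows", "office365", "swift"}}

# External context: trust weight per feed source (constructed values).
FEED_TRUST = {"premium-vendor": 1.0, "isac": 0.9, "osint": 0.5}

@dataclass
class Indicator:
    value: str         # the IOC itself (domain, hash, IP ...)
    feed: str          # source that reported it
    sectors: set       # sectors the feed says are targeted
    regions: set       # ISO country codes targeted
    technologies: set  # technologies/assets affected
    severity: int      # 1..10 as reported by the feed

def relevance_score(ioc, org=ORG_PROFILE, trust=FEED_TRUST):
    """0..100: how much this indicator matters to *this* organisation.
    Internal context (sector, geography, technology overlap) is weighted
    and combined with external context (feed trust, reported severity)."""
    sector_hit = 1.0 if org["sector"] in ioc.sectors else 0.0
    region_hit = 1.0 if org["region"] in ioc.regions else 0.0
    overlap = len(org["technologies"] & ioc.technologies) / max(len(ioc.technologies), 1)
    context = 0.5 * sector_hit + 0.3 * region_hit + 0.2 * overlap
    external = trust.get(ioc.feed, 0.3) * ioc.severity / 10
    # Small floor so a trusted, severe but off-target IOC is not zeroed out entirely.
    return round(100 * external * (0.2 + 0.8 * context), 1)

def prioritize(indicators):
    """Rank indicators by relevance and attach a suggested triage action."""
    ranked = []
    for ioc in indicators:
        score = relevance_score(ioc)
        action = "act" if score >= 50 else "review" if score >= 25 else "ignore"
        ranked.append((ioc.value, score, action))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed feed entries; the first mirrors the "law firms in Finland" case.
SAMPLE_INDICATORS = [
    Indicator("lawfirm-c2.example", "premium-vendor", {"legal"}, {"FI"}, {"macos"}, 9),
    Indicator("bank-phish.example", "isac", {"bfsi"}, {"IN", "SG"}, {"office365"}, 7),
    Indicator("generic-c2.example", "osint", {"bfsi"}, {"US"}, {"linux"}, 10),
]

if __name__ == "__main__":
    for value, score, action in prioritize(SAMPLE_INDICATORS):
        print(f"{value:22} {score:5.1f} {action}")
```

The Finland law-firm indicator scores 18.0 and is marked "ignore" despite coming from a trusted feed at severity 9, while the BFSI/India phishing indicator scores 63.0 and is marked "act".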
However, scoring and contextualization are still cumbersome to do at scale if they are done manually. An advanced threat intelligence platform, such as CTIX or CTIX Lite, can help automate both the scoring and the contextualization of threat intelligence. The scoring and contextualization features of a threat intelligence platform enable analysts to identify relevant threat data and make it actionable in a faster, more scalable manner. With actionable threat intelligence, organizations can improve their security operations through faster investigation, prioritization, remediation, and response to threat attacks.
If you wish to operationalize threat intel, but you feel that you lack the budget and security team size for it, you need to take a look at CTIX Lite, a truly lightweight TIP that is heavy on automation but light on price.