“Threat Intelligence is all about consuming feeds”, said no security professional ever. This is like saying that to cook a great meal all you have to do is buy the ingredients. While that is a good start, you still need to know how to properly combine the ingredients and prepare them in a way that leads to a finished and delicious meal. Acquiring and consuming threat intelligence feeds is an important step to take, but much like buying ingredients for a meal, it is only the first part of the process. In the end, threat intelligence is only valuable and useful to an organization if it is relevant and actionable, leading to improvements in overall security operations.
Since consuming threat intelligence is only the beginning, it's helpful to look at the entire process. The threat intelligence lifecycle can be broken down into 4 major stages: Collection, Normalization, Analysis, and Dissemination and Actioning.
Threat Intelligence Collection
The first stage in the threat intelligence lifecycle is the ingestion of threat intelligence, including indicators of compromise (IOCs), from multiple sources such as commercial feeds, open-source feeds, industry peers, vendors, regulatory bodies, etc. Depending on the source, these feeds arrive in either structured or unstructured form. Unstructured threat data usually includes emails, reports, and blogs, while structured threat data is delivered in machine-readable formats such as STIX 2.1 or STIX 1.0.
Threat Intelligence Normalization
The second stage in the threat intelligence lifecycle is to normalize multi-sourced threat intelligence into a single format such as STIX. Normalization is a prerequisite for threat data correlation and analysis. It converts the entire ingested threat data into a structured and standardized format that can be more easily managed and disseminated to deployed security technologies or shared with industry peers, vendors, or sharing community (ISAC/ISAO) members.
Threat Intelligence Analysis
The key objective of threat intelligence analysis is to combine tactical and technical intelligence to produce actionable intelligence. The analysis stage involves several key functions such as deduplication, enrichment, correlation, and confidence scoring. Threat intelligence is enriched by combining information from various trusted sources and correlating threat indicators so they can be prioritized on parameters such as geographical location, industry sector, previous incidents, and other contextual factors. To move towards a proactive cybersecurity approach, threats need to be detected in their early stages by using tactical threat intelligence. Tactical threat intelligence plays a crucial role by highlighting a threat actor's tactics, techniques, and procedures (TTPs). The MITRE ATT&CK framework, a knowledge base of TTPs used by threat actors in real-world campaigns, helps security teams identify attacker footprints and prioritize threat response.
Intelligence Dissemination and Actioning
The enriched and analyzed threat intelligence from the previous stages now needs to be actioned so that the lifecycle reaches its logical conclusion: proactive mitigation. Actioning includes disseminating threat intelligence to the internally deployed security tools and technologies and sharing it with internal teams and external partners.
Internal - The enriched threat intelligence is delivered to multiple internal teams in the SOC, such as the incident response team, threat hunting team, VAPT teams, etc. It is then used to inform decisions and initiate actions in security tools, such as blocking or unblocking a particular IOC on a firewall, removing an IOC from a watchlist, blocking phishing attempts, or quarantining an infected device.
External - The enriched threat intelligence should also be disseminated to external parties such as trusted sharing community (ISAC/ISAO) members, industry peers, subsidiaries, and external vendors.
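To make the four stages concrete, here is a small end-to-end pipeline written for this article as an added example (it is not CTIX code and not part of the original post). It collects IOCs from three constructed inputs (a STIX 2.1 indicator bundle, a plain-text blocklist, and an unstructured peer report), normalizes all of them into STIX 2.1 indicator objects, deduplicates indicators seen in more than one feed, scores confidence from hypothetical per-source trust weights, and finally disseminates a STIX bundle for partners and a flat blocklist for a firewall. All IOC values are documentation addresses and reserved names; the source weights, the `x_sources` custom properties, and the noisy-OR scoring rule are assumptions chosen for illustration, not a standard.

```python
"""Constructed threat-intelligence lifecycle demo: collection, normalization,
analysis (dedup + confidence scoring) and dissemination. Illustrative only."""
import json
import re
import uuid

# --- Collection: three constructed inputs standing in for real feeds ---

# Source A: structured STIX 2.1 indicator bundle, as a commercial feed would deliver it.
STIX_FEED = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [{
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--00000000-0000-4000-8000-000000000002",
        "created": "2024-01-10T00:00:00.000Z", "modified": "2024-01-10T00:00:00.000Z",
        "pattern": "[ipv4-addr:value = '203.0.113.5']", "pattern_type": "stix",
        "valid_from": "2024-01-10T00:00:00Z", "confidence": 80,
    }],
})

# Source B: open-source plain-text blocklist, one IOC per line (constructed).
TEXT_FEED = """# constructed sample blocklist
203.0.113.5
198.51.100.7
example-phish.invalid
"""

# Source C: unstructured e-mail excerpt from an industry peer (constructed).
REPORT_TEXT = "Peer report: phishing kit seen on example-phish.invalid and C2 at 198.51.100.7."

# Hypothetical trust weight per source, used by the confidence scoring step.
SOURCE_WEIGHT = {"commercial-stix": 0.9, "osint-list": 0.5, "peer-report": 0.7}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
PATTERN_RE = re.compile(r"\[(ipv4-addr|domain-name):value = '([^']+)'\]")


def collect():
    """Stage 1: pull raw IOCs out of each source as (source, value, type, feed_confidence)."""
    items = []
    for obj in json.loads(STIX_FEED)["objects"]:          # structured input
        m = PATTERN_RE.match(obj.get("pattern", "")) if obj.get("type") == "indicator" else None
        if m:
            items.append(("commercial-stix", m.group(2), m.group(1), obj.get("confidence")))
    for line in TEXT_FEED.splitlines():                   # semi-structured list
        line = line.strip()
        if line and not line.startswith("#"):
            kind = "ipv4-addr" if IPV4_RE.fullmatch(line) else "domain-name"
            items.append(("osint-list", line, kind, None))
    for ip in IPV4_RE.findall(REPORT_TEXT):               # unstructured prose
        items.append(("peer-report", ip, "ipv4-addr", None))
    for dom in DOMAIN_RE.findall(REPORT_TEXT):
        if not IPV4_RE.fullmatch(dom):                    # DOMAIN_RE also matches dotted IPs
            items.append(("peer-report", dom, "domain-name", None))
    return items


def normalize(items):
    """Stage 2: one STIX 2.1 indicator dict per distinct pattern; duplicates across
    sources are merged (deduplication) and every contributing source is recorded."""
    merged = {}
    for source, value, kind, feed_conf in items:
        pattern = f"[{kind}:value = '{value}']"
        ind = merged.setdefault(pattern, {
            "type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid5(uuid.NAMESPACE_URL, pattern)}",  # stable id per IOC
            "pattern": pattern, "pattern_type": "stix",
            "valid_from": "2024-01-10T00:00:00Z",
            "x_sources": [], "x_source_confidence": [],   # custom (x_) bookkeeping properties
        })
        if source not in ind["x_sources"]:
            ind["x_sources"].append(source)
            ind["x_source_confidence"].append(feed_conf)
    return list(merged.values())


def score(indicators):
    """Stage 3: confidence scoring. Each source contributes its trust weight (scaled by the
    feed's own 0-100 confidence when present); weights combine noisy-OR style, so an IOC
    corroborated by several sources scores higher than one seen in a single feed."""
    for ind in indicators:
        p_not_malicious = 1.0
        for src, feed_conf in zip(ind["x_sources"], ind["x_source_confidence"]):
            w = SOURCE_WEIGHT[src] * (feed_conf / 100 if feed_conf is not None else 1.0)
            p_not_malicious *= 1.0 - w
        ind["confidence"] = round((1.0 - p_not_malicious) * 100)
    return indicators


def disseminate(indicators, threshold=70):
    """Stage 4: a STIX bundle for external sharing and a flat blocklist for a firewall,
    keeping only indicators at or above the confidence threshold."""
    chosen = [i for i in indicators if i["confidence"] >= threshold]
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": chosen}
    blocklist = sorted(PATTERN_RE.match(i["pattern"]).group(2) for i in chosen)
    return bundle, blocklist


def run_pipeline(threshold=70):
    """Run all four stages and return (stix_bundle, firewall_blocklist)."""
    return disseminate(score(normalize(collect())), threshold)


if __name__ == "__main__":
    bundle, blocklist = run_pipeline()
    print(json.dumps(bundle, indent=2))
    print("firewall blocklist:", blocklist)
```

Running the script shows the three distinct IOCs: 203.0.113.5 is seen by the commercial feed (confidence 80) and the open-source list and ends up at 86, while the two peer-corroborated IOCs score 85. Raising the threshold to 90 yields an empty blocklist, which is the kind of tuning decision the analysis stage exists to support.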
Seeing the entire lifecycle, it is easier to see how each step is crucial in producing the end result. A threat intelligence platform (TIP), like CTIX, performs a variety of functions such as intelligence collection, normalization, enrichment, analysis, and dissemination, leveraging automation to increase the speed and efficiency of analysts while also improving accuracy. If you are part of a smaller team or just looking to get started with actionable intel, then CTIX Lite might be a better fit for you and your budget.