
Threat Intelligence: The Evolution to Evidence-Based Action

Threat intelligence Jan 27, 2023

Threat intelligence is designed for, and capable of delivering, enhanced security operations to any organization that treats it as a strategic resource to drive action. The problem is that threat intelligence, without a means to consume and interpret the large volume of data, is just noise. Too often the available data goes unnoticed or, more importantly, is not acted on promptly. Used appropriately, cyber threat intelligence is a critical security tool that can significantly improve an organization's security efficacy. Operationalizing the intelligence lifecycle end to end (ingestion through actioning) provides a path to responding to new, emerging, and existing threats. SOC operations, SIEM, XDR, EDR, and firewalls should be more tightly connected to the insights and analysis that threat intelligence provides. The analysis below walks through the stages of organizational threat intel deployment.

Threat intelligence arrives in a wide variety of formats, such as STIX, JSON, XML, PDF, CSV, web pages, and email. To illustrate what is required to succeed with threat intelligence, it helps to establish some baseline definitions.

Threat Intelligence (TI) feeds may be produced internally, obtained from sharing communities (such as ISACs and ISAOs), or sourced from an external provider (paid or free). Some services also provide feeds with little to no context. These feeds are ongoing streams of data on potential, current, and existing threats, providing information on attacks including malware, botnets, phishing, and threat actors. Threat intelligence is intended to allow organizations to:

  • Detect, identify, validate, and investigate security threats, attacks, threat actors, and indicators of compromise (IOCs)

  • Understand the broader context of threats and attacks

Threat intelligence feeds are foundational. Nearly every organization with a security function subscribes to some volume of TI feeds aimed at identifying, investigating, and ultimately preventing security breaches. However, simply subscribing to feeds without the resources, tools, or knowledge to drive action, insight, and granular security policy application will not solve security challenges. Making feeds intelligent for your organization is vital.

**Threat Intelligence Platforms (TIP)** enable organizations to collect, curate, process, and disseminate TI within the organization, allowing threat analysts to be more proactive and make better decisions that improve security efficacy. While threat intelligence feeds provide data about threats, a TIP drives the collection, normalization, enrichment, and actioning of intelligence about potential attackers and their intent. TIPs are designed to reduce the burden of collecting and managing the massive volume of data that TI feeds produce. Some of the most important capabilities include:

  • Automate, streamline, and simplify researching, aggregating, and organizing threat intelligence data, including de-duplicating and enriching it.

  • Enrich incidents with data derived from TI feeds so analysts can quickly identify, investigate, and respond to potential security threats in real time.

  • Provide context on current and future security risks, threats, attacks, vulnerabilities, and tactics, techniques, and procedures (TTPs).

  • Feed current threat intelligence to security resources including SOC operations, SIEM solutions, endpoints, and firewalls.

  • Provide a basis for security incident escalation and response procedures.

  • Share threat intelligence with other stakeholders and aggregate reports.
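As an added example (not part of the original post and not Cyware's code), the Python below shows what the normalization and de-duplication steps look like for two of the formats mentioned earlier: a STIX 2.1 bundle and a CSV feed. Both feed contents, the source names, the STIX object-path mapping and the merge rules (highest confidence wins, earliest sighting kept, sources unioned) are constructed assumptions for illustration.

```python
"""Normalize indicators from a STIX 2.1 bundle and a CSV feed into one record
shape, then de-duplicate across sources.  Added example for this article, not
Cyware's TIP code: the feed contents, source names, STIX path mapping and merge
rules below are constructed assumptions."""
import csv
import io
import json
import re
from dataclasses import dataclass, field

# STIX Cyber Observable object paths mapped to the internal types used here.
# Only single-comparison patterns are handled; compound (AND/OR) patterns are
# skipped rather than mis-parsed.
STIX_PATH_TO_TYPE = {
    "ipv4-addr:value": "ip",
    "domain-name:value": "domain",
    "url:value": "url",
    "file:hashes.'SHA-256'": "sha256",
}
STIX_PATTERN = re.compile(r"^\[([^\s=]+)\s*=\s*'([^']*)'\]$")


@dataclass
class Indicator:
    type: str
    value: str
    confidence: int          # 0-100
    first_seen: str          # ISO date, YYYY-MM-DD
    sources: set = field(default_factory=set)


def refang(value: str) -> str:
    """Undo common defanging so one IOC written two ways collapses to one record."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_stix_bundle(text: str, source: str) -> list:
    out = []
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = STIX_PATTERN.match(obj["pattern"].strip())
        if not m or m.group(1) not in STIX_PATH_TO_TYPE:
            continue
        out.append(Indicator(
            type=STIX_PATH_TO_TYPE[m.group(1)],
            value=refang(m.group(2)),
            confidence=int(obj.get("confidence", 50)),   # STIX confidence is optional
            first_seen=obj.get("valid_from", obj["created"])[:10],
            sources={source},
        ))
    return out


def parse_csv_feed(text: str) -> list:
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append(Indicator(
            type=row["type"].strip().lower(),
            value=refang(row["value"].strip()),
            confidence=int(row["confidence"]),
            first_seen=row["first_seen"].strip(),
            sources={row["source"].strip()},
        ))
    return out


def merge(indicators) -> dict:
    """De-duplicate on (type, value); keep the highest confidence, the earliest
    sighting and the union of reporting sources."""
    merged = {}
    for ind in indicators:
        key = (ind.type, ind.value.lower())
        cur = merged.get(key)
        if cur is None:
            merged[key] = Indicator(ind.type, ind.value, ind.confidence,
                                    ind.first_seen, set(ind.sources))
        else:
            cur.confidence = max(cur.confidence, ind.confidence)
            cur.first_seen = min(cur.first_seen, ind.first_seen)
            cur.sources |= ind.sources
    return merged


# Constructed sample feeds (documentation-range IP, .example domain, dummy hash).
STIX_FEED = json.dumps({"type": "bundle", "id": "bundle--0b1d7f0e-1111-4a2b-9c3d-000000000001", "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--0b1d7f0e-1111-4a2b-9c3d-000000000002",
     "created": "2023-01-20T10:00:00.000Z", "modified": "2023-01-20T10:00:00.000Z",
     "name": "C2 server", "pattern": "[ipv4-addr:value = '203.0.113.10']",
     "pattern_type": "stix", "valid_from": "2023-01-20T10:00:00Z", "confidence": 80},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--0b1d7f0e-1111-4a2b-9c3d-000000000003",
     "created": "2023-01-19T08:00:00.000Z", "modified": "2023-01-19T08:00:00.000Z",
     "name": "Loader", "pattern": "[file:hashes.'SHA-256' = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef']",
     "pattern_type": "stix", "valid_from": "2023-01-19T08:00:00Z", "confidence": 90},
]})
CSV_FEED = """type,value,confidence,source,first_seen
ip,203.0.113[.]10,60,isac-share,2023-01-22
domain,malicious.example,70,isac-share,2023-01-21
"""


def build_catalog() -> dict:
    """Ingest both constructed feeds and return the de-duplicated catalog."""
    return merge(parse_stix_bundle(STIX_FEED, "vendor-feed") + parse_csv_feed(CSV_FEED))


if __name__ == "__main__":
    for (kind, _), ind in build_catalog().items():
        print(f"{kind:7} {ind.value:66} conf={ind.confidence:3} "
              f"first_seen={ind.first_seen} sources={sorted(ind.sources)}")
```

The defanged CSV entry `203.0.113[.]10` and the STIX entry `203.0.113.10` collapse into one record carrying both sources, which is the kind of cross-feed corroboration a TIP should surface rather than report twice.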

Some of the differentiating characteristics that define an effective TIP include:

  • An IOC scoring engine that prioritizes indicators so analysts work on the most pressing threats first

  • Bi-directional intel exchange so useful insights, information, and analytics can be shared with, and received from, any connected party

  • Creation and sharing of threat bulletins to raise security awareness and drive security action across the organization

  • Granular enrichment policies that remove false positives and distill actionable intelligence for threat response and other security operations

  • Machine learning-based IOC/entity extraction from unstructured intel; threat intel comes in many formats, and making useful data available quickly increases effectiveness
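An added example (not the original post's code and not Cyware's scoring engine) of what the scoring, false-positive policy and extraction items above look like in practice: IOCs are pulled out of a free-text bulletin, a policy drops known-benign entries, and the rest are scored for prioritization. The regular-expression extractor is a simple stand-in for ML-based entity extraction; the bulletin text, allowlist, type weights, half-life, reference date and prior-sighting records are all constructed assumptions.

```python
"""Pull IOCs out of an unstructured bulletin, suppress known-benign entries by
policy, and score what remains so analysts see the most pressing first.
Added example, not Cyware's engine: the regex extractor stands in for ML-based
entity extraction, and the bulletin, allowlist, weights, half-life, reference
date and prior-sighting records are constructed assumptions."""
import ipaddress
import re
from datetime import date

AS_OF = date(2023, 1, 27)          # fixed "today" so scores are reproducible
HALF_LIFE_DAYS = 30                # an indicator loses half its weight per 30 days unseen
TYPE_WEIGHT = {"sha256": 1.0, "url": 0.9, "domain": 0.8, "ip": 0.6}  # IPs churn fastest

# Policy inputs: our own domains, and address space that must never be blocked.
ALLOWLISTED_DOMAINS = {"corp.example"}
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

PATTERNS = {
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "url": re.compile(r"\bh(?:xx|tt)ps?://[^\s'\"<>]+"),
    "ip": re.compile(r"\b(?:\d{1,3}(?:\[\.\]|\.)){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,}\b", re.I),
}

# Constructed bulletin; documentation-range IP, .example names and a dummy hash.
BULLETIN = """
Campaign update (2023-01-25): the loader beacons to hxxp://update.bad-example[.]net/c2
and to 198.51.100[.]7. Dropped payload SHA-256:
fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
Internal test host 10.0.0.5 and our own corp.example also appear in the sandbox log.
"""
# Constructed prior sightings from an internal source, keyed like extracted IOCs.
PRIOR_SIGHTINGS = {("ip", "198.51.100.7"): {"sources": {"edr-telemetry"}, "last_seen": date(2023, 1, 10)}}


def refang(s):
    return s.replace("[.]", ".").replace("hxxp", "http")


def extract_iocs(text):
    """Return the set of (type, value) pairs found in free text, refanged."""
    return {(kind, refang(m.group(0))) for kind, rx in PATTERNS.items() for m in rx.finditer(text)}


def allowed_by_policy(kind, value):
    """Granular false-positive suppression: drop non-routable IPs and our own names."""
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False
        return not any(addr in net for net in NON_ROUTABLE)
    if kind in ("domain", "url"):
        host = re.sub(r"^https?://", "", value).split("/")[0].lower()
        return not any(host == d or host.endswith("." + d) for d in ALLOWLISTED_DOMAINS)
    return True


def score(kind, confidence, sources, last_seen):
    """Weight by type, scale by reporter confidence, reward corroboration, decay with age."""
    corroboration = 1.0 + 0.25 * (len(sources) - 1)
    decay = 0.5 ** (max((AS_OF - last_seen).days, 0) / HALF_LIFE_DAYS)
    return round(100 * TYPE_WEIGHT[kind] * (confidence / 100) * corroboration * decay, 1)


def prioritize(text, source, published, confidence, prior):
    """Extract, filter, merge with prior sightings and return IOCs sorted by score."""
    ranked = []
    for kind, value in extract_iocs(text):
        if not allowed_by_policy(kind, value):
            continue
        seen = prior.get((kind, value), {})
        sources = {source} | seen.get("sources", set())
        last_seen = max(published, seen.get("last_seen", published))
        ranked.append({"type": kind, "value": value, "sources": sorted(sources),
                       "score": score(kind, confidence, sources, last_seen)})
    return sorted(ranked, key=lambda r: (-r["score"], r["type"], r["value"]))


def run_example():
    return prioritize(BULLETIN, "vendor-bulletin", date(2023, 1, 25), 80, PRIOR_SIGHTINGS)


if __name__ == "__main__":
    for r in run_example():
        print(f"{r['score']:5.1f} {r['type']:6} {r['value']:66} {r['sources']}")
```

The internal host and the organization's own domain never reach an analyst queue or a blocklist, and the C2 address that EDR telemetry had already seen is scored above what its type weight alone would give it; tuning those weights and the half-life to the organization's own false-positive history is where a real scoring engine earns its keep.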

The above reflects current thinking on threat intelligence capabilities. What matters most is translating threat intelligence into productive security action that reduces the impact of a new, emerging, or existing threat. Some solutions automate threat intelligence handling, combining relevant data with enrichment and other context so that analysts can:

  • Quickly investigate threats

  • Understand investigation workflows

  • View broader context and threat impact

  • Share information

Some organizations continue along the automation path and integrate the TIP with SOAR to define automated workflows that respond to incidents. This path is often complex and requires tight integration between the TIP vendor, the SOAR vendor, and the multitude of security tools and assets an organization deploys in its security stack. What if there is a better way? Enter the **Threat Management System (TMS)**. This system, as defined by Cyware, incorporates the TIP capabilities described above, working in tight coordination with orchestration capabilities and integrations with over 350 security tools and products to automate intelligent action. A TMS automates the entire threat intelligence lifecycle: ingestion, normalization, enrichment, analysis, and dissemination. The academic definition of the end-to-end threat intel lifecycle ends with dissemination, meaning the distribution of threat intelligence insight to other functions. Dissemination in Cyware's TMS also includes orchestrating actions based on derived threat intelligence insights through tight integration with the organization's security tools. Orchestration in a TMS therefore delivers true end-to-end TI lifecycle management. Intelligent action in a TMS is not confined to the boundaries of conventional orchestration, which defines actions and automation strictly for incident response; orchestration utility and automated action and response may be extended to all security-responsible functions.

Returning to the original goal of consuming threat intelligence, namely enhanced security efficacy, a TMS delivers on this promise.

View our on-demand webinar where Cyware experts provide an overview of the requirements for an effective Threat Management System.
