Go to listing page

Threat Intelligence: The Evolution to Evidence-Based Action

Threat Intelligence: The Evolution to Evidence-Based Action

Share Blog Post

Threat Intelligence is designed for, and highly capable of delivering, enhanced security operations to any organization leveraging threat intelligence as a strategic resource to drive action. The problem is that threat intelligence, without a means to consume and interpret the large volume of data, is just noise. Too often available data goes without notice or, more importantly, expedient actioning. If leveraged appropriately, cyber threat intelligence is a critical cyber security tool capable of significantly enhancing the security efficacy of organizations globally. Operationalizing the intelligence lifecycle, end-to-end, (ingestion thru actioning) provides a path for responsiveness to new, emerging, and existing threats. SOC operations, SIEM, XDR, EDR, and firewalls should be more tightly connected to the insights and analysis provided by threat intelligence. The analysis below walks through the various states of the organizational deployment of threat intel. 

Threat intelligence comes in a wide variety of different formats such as STIX, JSON, XML, PDF, CSV, websites, email, etc. To illustrate what’s required to succeed with threat intelligence it’s important to provide some baseline. 

Threat Intelligence (TI) Feeds may be produced internally, gained from sharing communities (such as ISACs, ISAOs, etc), or derived from an external provider (both paid and free). Additionally, some services also provide feeds with little to no context. These threat intelligence feeds are ongoing streams of data related to potential, current, and existing threats providing information on attacks, including malware, botnets, phishing, threat actors, etc. Threat intelligence is intended to allow organizations to: 

  • Detect, identify, validate and investigate security threats, attacks, threat actors and indicators of compromise (IOCs)
  • Understand the broader context of threats and attacks

Threat intelligence feeds are foundational. Nearly every organization with a security function subscribes to some volume of TI feeds aimed at identification, investigation, and, ultimately, prevention of security breaches. However, simply subscribing to feeds without the resources, tools, or knowledge to drive action, insight, and granular security policy application won’t actually solve security challenges. Making feeds intelligent for your org is vital. 

Threat Intelligence Platforms (TIP) enable organizations to collect, curate, process, and disseminate TI within the organization allowing threat analysts to be more proactive and make better decisions to drive enhanced security efficacy. While threat intelligence feeds provide data about threats, a TIP drives the collection, normalization, enrichment, and actioning of intel about potential attackers and their malicious intents. TIPs are designed to reduce the burden of collecting and managing the massive volume of security data that Threat Intel feeds produce. Some of the most important capabilities include:

  • Automating, streamlining, and simplifying the process of researching, aggregating, and organizing threat intelligence data. This includes de-duping and enriching threat data.
  • Provide incident enrichment, derived from threat intel feeds, to quickly identify, investigate, and respond to potential security threats in real time.
  • Provide contextual enrichment and information about current and future security risks, threats, attacks and vulnerabilities, and tactics, techniques, and procedures (TTPs).
  • Feed current threat intelligence data to security resources including SOC operations, SIEM solutions, endpoints, firewalls, etc.
  • Provide a means to derive security incident escalation and response procedures.
  • Share threat intelligence data with other stakeholders and aggregate reports.

Some of the differentiating characteristics that define an effective TIP include:
  • IOC Scoring Engine to define prioritization and ensure analysts work on the most pressing threats
  • Bi-directional intel exchange to ensure useful insights, information, and analytics can be shared from anywhere 
  • Creating & sharing threat bulletins to raise the bar on enhancing security awareness and drive security action across the organization 
  • Granular enrichment policies to remove false positives and deduce actionable intelligence for threat response and other security operations
  • Machine learning-based IOC/entity extraction from unstructured intel. Threat intel comes in many formats and expediting the availability of useful data enhances effectiveness. 

The above defines current thinking on capabilities around threat intelligence. What matters most is translating threat intelligence to yield a productive security action that reduces the impact of a new, emerging or existing threat. Some solutions automate Threat Intelligence handling to combine relevant data with enrichment and other context ensuring analysts can:
  • Quickly investigate threats
  • Understand investigation workflows
  • View broader context and threat impact
  • Share information

Some organizations continue along the automation path and integrate TIP with SOAR to define automation workflows that respond to incidents. This patch is often complex and requires tight integration between TIP vendor, SOAR vendor, and the multitude of security tools and assets an organization deploys in its security stack. What if there is a better way? Enter the Threat Management System (TMS). This system, as defined by Cyware, incorporates the capabilities of TIP defined above, working in tight coordination with Orchestration capabilities and integrations from over 350 security tools and products to automate intelligent action. A TMS fully automates the entire threat intelligence lifecycle from ingestion, normalization, enrichment, analysis, and dissemination. The academic definition of the end-to-end threat intel lifecycle ends with dissemination which includes the distribution of threat intelligence insight to other functional responsibilities. Dissemination in Cyware’s TMS includes orchestrating actions based on derived threat intelligence insights and tight integrations with any and all security tools. Orchestration in a TMS delivers true end-to-end TI Lifecycle Management. Intelligent action, in a TMS, is not confined to the rigid boundaries of orchestration which defines actions and automation strictly for incident responseOrchestration utility and automated action/response may be extended to all security-responsible functions.  

  

Again returning to the original goal of consuming threat intelligence–enhanced security efficacy–a TMS delivers on this promise.  

View our on-demand webinar where Cyware experts provide an overview of the requirements for an effective Threat Management System.

 Tags

threat intelligence
tip
soar
cyber fusion

Posted on: January 27, 2023

Related Guides

Future-Proofing Security: A Guide to SOC Transformation
Explained: The Role of AI in Cyber Threat Intelligence
What is a TAXII Server? How is it Different from a TAXII Client?
Everything You Need to Know About MITRE ATT&CK Framework
What is Cyber Threat Intelligence Sharing? And Why Should You Care?
Threat Intelligence Processing: The Key to Leveraging Unstructured Data
Why is Correlation the Most Important Phase in Cyber Threat Intelligence Lifecycle?
What is Confidence Scoring in Threat Intelligence?
How to Choose the Best Threat Intelligence Platform for Your Security Team?
How to Build Your Own Cyber Information Sharing Community?
STIX Cybersecurity: A Guide to STIX 2.1
How Can You Tell if Your Cyber Threat Intelligence Program is Working Well?
What is Threat Intelligence Analysis?
What is Threat Intelligence Normalization?
What is Threat Intel Ingestion?
How Real-Time Cyber Threat Intelligence Sharing Enables Security Collaboration
What is a Threat Intelligence Platform (TIP)?
Significance of Threat Intelligence Platform (TIP) for Growing Teams
What is the Role of Threat Intelligence Platform (TIP) in a Security Operations Center (SOC)?
What is the Hub and Spoke Information Sharing Model?
Explaining the Pyramid of Pain
What are the Different Use Cases of a TIP?
Why Do MSSPs Need Automation?
What is the Diamond Model of Intrusion Analysis?
The Evolution of Threat Intelligence
Don’t Wait! Leverage Threat Intelligence
Why do Organizations Need to Leverage Actionable Threat Intelligence?
What is Technical Threat Intelligence?
Operational Threat Intelligence: What Is It and Why Is It Important?
What is Tactical Threat Intelligence and Why is it Important?
What is the Threat Intelligence Lifecycle?
Everything You Need to Know About a Threat Intelligence Platform (TIP)
5 Steps to Effective Cyber Threat Intelligence Program
Things to Consider When Choosing the Right Threat Intelligence Platform
Open Source or Commercial Threat Intelligence Platform - Which one is better?
Strategic Threat Intelligence: Why Sharing Is Crucial?
What is Threat Intelligence Management?
Strategic Threat Intelligence vs. Tactical Intelligence
Role of SOAR and TIP in Cyber Fusion
Information Sharing in Cyber Fusion
Role of Threat Intelligence in Cyber Fusion
What is MISP
What is Signals Intelligence (SIGINT)?
What are Indicators of Compromise (IOCs)?
What is Open Indicators of Compromise (OpenIOC) Framework?
What is the Cyber Information Sharing and Collaboration Program (CISCP)?
What is Malware Attribute Enumeration and Characterization (MAEC)?
What is CybOX? How do you use a CybOX object?
How is Surface Web Intelligence different from Dark Web Intelligence?
What is Open Source Intelligence (OSINT)?

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite

Explore Solutions

Capabilities

Resource Library

Use Cases