Five best practices to get more from Threat Intelligence


The key takeaway from October’s Cybersecurity Awareness Month was the urgent need to make security a priority. To do this, many security operations teams are leaning into threat intelligence to understand specifically where and how to focus their efforts to better protect their organizations.

In fact, the SANS 2021 Cyber Threat Intelligence (CTI) Survey found that organizations of all sizes and across all industries are adopting CTI (cyber threat intelligence) programs, reflecting broad-based recognition of the benefits CTI programs can provide. This is quite an evolution from several years ago when CTI was conducted on an ad-hoc basis. 

However, one of the most daunting challenges for analysts is making sense of all the threat intelligence their organizations subscribe to from a variety of sources: commercial, open source, government, industry sharing groups and security vendors.

Bombarded by millions of threat data points every day, analysts can find it nearly impossible to sift through it all to understand and prioritize what matters to the organization in order to proactively strengthen defenses and accelerate detection and response.

Here are five best practice tips to help.

1. Select the right sources of threat data for your organization

Not all threat intelligence is equal: threat intelligence that is of value to one organization may not be of value to another. Value comes down to relevance and accessibility, which requires curation into a customized enrichment source, aggregating data filtered by a range of factors, including: industry/geography, the firm’s environment and infrastructure, the third parties the organization works with, and the organization's risk profile. An often-overlooked source of threat intelligence is data housed within various systems and tools across the organization. And it’s free!

In fact, starting with internal data, events and telemetry, and supplementing with external data to contextualize information from internal systems, enables the organization to understand relevance and focus on what’s high priority for the company.

2. Determine who will acquire the data

While it may be good to provide access to threat data to a broad audience, it is probably even better to have one team responsible for acquiring and analyzing threat intelligence and only delivering information that is actionable. Not every stakeholder needs every level of intelligence, so think about how the same report will impact and be used by various teams across the organization. Different teams may use different aspects of the same report in different ways to achieve their desired outcomes, for example, modifying policy (strategic), launching hunting campaigns (operational) or disseminating technical indicators (tactical).

3. Structure the data for analysis

Threat data comes in various formats (e.g., STIX, MITRE ATT&CK techniques, news articles, blogs, tweets, security industry reports, indicators of compromise (IoCs) from threat feeds, GitHub repositories, YARA rules and Snort signatures) and needs to be normalized. And it isn’t just about format. The volume of information across the threat intel landscape is high, and different groups use different names to refer to the same thing. Normalization compensates for this and enables teams to aggregate and organize information quickly. A threat intelligence platform (TIP) that automatically ingests and normalizes data, structuring it uniformly so that the team can contextualize and prioritize it, is critical for triage and ensures the team is focusing on the threats that matter most.
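The normalization step described above, as an added example that is not code from the article or from any TIP vendor: three constructed feed snippets (a STIX 2.1 bundle, a CSV indicator feed, and a defanged free-text report) are parsed into one indicator schema, deduplicated across sources, and adversary aliases are mapped to a single canonical name. The feed contents, source labels, hash value, and alias table are all constructed for the example; the CSV column names and the alias spellings are assumptions, not a real feed's layout.

```python
"""Normalize heterogeneous threat data into one indicator schema (added example)."""
from __future__ import annotations

import csv
import io
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed alias table: different groups name the same adversary differently.
ACTOR_ALIASES = {"apt29": "APT29", "cozy bear": "APT29", "the dukes": "APT29"}

# Constructed 64-hex SHA-256 value reused across feeds to show deduplication.
HASH = "0f1e2d3c4b5a6978" * 4


@dataclass(frozen=True)
class Indicator:
    ioc_type: str  # one of: ipv4, domain, url, sha256
    value: str     # refanged; lower-cased where case is irrelevant


# One STIX 2.1 comparison expression, e.g. [ipv4-addr:value = '203.0.113.10']
STIX_COMPARISON = re.compile(r"\[(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<val>[^']+)'\]")
# Candidate IoC tokens in free text (URL, SHA-256, IPv4, domain), tried in that order.
IOC_TOKEN = re.compile(
    r"https?://\S+|[0-9a-f]{64}|(?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE
)


def refang(text: str) -> str:
    """Undo the defanging conventions reports use so equal values compare equal."""
    for old, new in (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        text = text.replace(old, new)
    return text


def classify(value: str) -> Optional[str]:
    """Derive the IoC type from the value itself; feeds disagree on type labels."""
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", value):
        return "ipv4"
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return "sha256"
    if re.fullmatch(r"https?://\S+", value):
        return "url"
    if re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", value, re.IGNORECASE):
        return "domain"
    return None


def make_indicator(raw: str) -> Optional[Indicator]:
    """Refang, strip trailing punctuation, classify and canonicalize one raw value."""
    value = refang(raw.strip()).rstrip(".,;)")
    ioc_type = classify(value)
    if ioc_type is None:
        return None
    if ioc_type in ("domain", "sha256"):
        value = value.lower()
    return Indicator(ioc_type, value)


def from_stix(bundle_json: str) -> list[Indicator]:
    """Pull every comparison out of each STIX-pattern indicator object."""
    out: list[Indicator] = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for m in STIX_COMPARISON.finditer(obj["pattern"]):
            if ind := make_indicator(m.group("val")):
                out.append(ind)
    return out


def from_csv(text: str) -> list[Indicator]:
    # Only the value column is trusted; the feed's own type label ("ip", "IP-Dst", ...) is ignored.
    return [ind for row in csv.DictReader(io.StringIO(text)) if (ind := make_indicator(row["indicator"]))]


def from_text(text: str) -> list[Indicator]:
    return [ind for m in IOC_TOKEN.finditer(refang(text)) if (ind := make_indicator(m.group(0)))]


def extract_actors(text: str) -> set[str]:
    """Map every known alias found in raw feed text to its canonical actor name."""
    low = text.lower()
    return {canon for alias, canon in ACTOR_ALIASES.items() if alias in low}


def merge(*feeds: tuple[str, list[Indicator]]) -> list[dict]:
    """Deduplicate across sources, keeping the list of sources that reported each IoC."""
    seen: dict[Indicator, set[str]] = {}
    for source, indicators in feeds:
        for ind in indicators:
            seen.setdefault(ind, set()).add(source)
    return [{"type": i.ioc_type, "value": i.value, "sources": sorted(s)}
            for i, s in sorted(seen.items(), key=lambda kv: (kv[0].ioc_type, kv[0].value))]


# --- constructed sample feeds (not real data) ---
STIX_FEED = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.10']", "valid_from": "2021-10-01T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern_type": "stix", "valid_from": "2021-10-01T00:00:00Z",
     "pattern": f"[domain-name:value = 'Malicious.Example'] AND [file:hashes.'SHA-256' = '{HASH}']"},
    {"type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--00000000-0000-4000-8000-000000000003",
     "name": "The Dukes"}]})
CSV_FEED = "\n".join(["indicator,type,first_seen", "203.0.113.10,ip,2021-10-03",
                      "hxxp://malicious[.]example/payload.bin,URL,2021-10-03", "198.51.100.7,IP-Dst,2021-10-04", ""])
TEXT_REPORT = ("Cozy Bear (aka The Dukes) infrastructure observed at 203[.]0[.]113[.]10 and "
               "malicious[.]example. Dropped payload SHA-256: " + HASH.upper() + ".")


def normalize_all() -> tuple[list[dict], set[str]]:
    feeds = [("stix-vendor", from_stix(STIX_FEED)), ("csv-feed", from_csv(CSV_FEED)), ("report", from_text(TEXT_REPORT))]
    return merge(*feeds), extract_actors(STIX_FEED) | extract_actors(TEXT_REPORT)


if __name__ == "__main__":
    merged, actors = normalize_all()
    for rec in merged:
        print(rec)
    print("actors:", sorted(actors))
```

The point a practitioner should take from the merged output is the source count: the same IPv4 address arrives as a STIX pattern, a CSV row and a defanged string, and only after refanging and type derivation do the three collapse into one record with three sources, which is what makes corroboration-based prioritization possible.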

4. Use tools to help with analysis

Analysis is quite a challenge, particularly during a big event. A TIP does a good job of extracting context and can help teams use the information in various ways for different use cases (e.g., alert triage, threat hunting, spear phishing, incident response) and to support different outcomes. It is also important that the platform selected works well with frameworks like MITRE ATT&CK so the organization can understand which adversaries might be targeting high-value data, the tactics, techniques and procedures (TTPs) to concentrate on, and what actions to take.

5. Select the right tools to help make data actionable

Analysis enables prioritization so the organization can determine the appropriate actions to take. With a platform that is open and supports bi-directional integration with the security infrastructure, the elements of the organization’s threat intelligence program become actionable. Teams can share intelligence in the right way with the right teams to achieve desired outcomes at the strategic level (executive reporting), operational level (changes in security posture) and tactical level (updating rules and signatures) to maximize value.

Hopefully the above key points will help analysts better understand where to prioritize their activities in order to get more out of their threat intelligence and successfully defeat adversaries before the organization is negatively impacted or loses any data.


Anthony Perridge is VP International at ThreatQuotient
