If you’re wondering what threat intelligence is or whether you should be using it, you’re not alone. As attackers become more sophisticated, organizations must prepare for and respond to attacks in a more dynamic and timely manner. The term “threat intelligence” describes information about attackers and their methods (tools, techniques, infrastructure and indicators of compromise) that is collected and analyzed so that security controls can be adjusted before those methods are used against you. Used in conjunction with an organization’s existing security tools and processes, threat intelligence can help an organization anticipate new or evolving attacks rather than only react to them.
Organizations typically buy threat intelligence from third-party providers. Those providers gather information from different types of attacks and correlate it with other sources to provide a more effective base of knowledge on current attacks. Simply receiving threat intelligence information is not enough, though. Purchasing a threat intelligence service without using the information to proactively protect your network is like buying a book and expecting to learn the information without reading it. Taking the following steps can help organizations use threat intelligence more productively.
1. Define what is important.
Threat intelligence must be tailored to an organization’s environment in order for the organization to receive the most benefit. Set up rules and filters so the organization receives only applicable content: there is no point in receiving threat information about attacks on Unix servers if your organization doesn’t run Unix servers. Those filters should be driven by a current inventory of what you actually operate (platforms, applications, exposed services); without one, the filtering is guesswork.
Threat intelligence can also be used to detect trends. Make sure to step back from the details and look at the big picture. When analyzing the threat intelligence, ask “Why us?” to try to determine why your organization may be a target. Use that information to help create a more effective risk profile for your business.
2. Be willing to share.
All too commonly, security information is not shared within departments or groups, let alone between companies. An organization’s management team should lead the initiative to share information between groups. Sometimes the best threat intelligence you receive will come from other departments within your own organization. In order to facilitate information sharing, a simple template should be created to distribute information to other departments. Information to be shared should include:
- Actors: Who is the responsible party?
- Actions: What took place during the compromise, and how did it happen?
- Assets: What type of data or system has been affected?
- Attributes: What was the end result of the compromise for the affected assets? Was their confidentiality, integrity or availability affected, and how?
3. Use the threat intelligence.
Threat intelligence is useless if you don’t have staff with a skill set to proactively use the information. In order to be effective, the workflow of an organization’s information security team should include daily analysis of threat intelligence.
However, threat intelligence can only be used proactively if your organization is performing basic security operations correctly to begin with. The best proactive security program in the world is of little use if your organization isn’t patching its servers correctly or performing vulnerability scans on its network; knowing that an attack is coming is little help if you cannot find and fix the weakness it targets.
4. Ramp up slowly.
Threat intelligence is put to work through the technology that logs and monitors security events, such as a SIEM, by matching the intelligence (indicators, signatures, behaviors) against what your environment is actually doing. It’s important to create effective alerts when implementing any type of logging and monitoring technology. An initial implementation can flag many false positives and create too many alerts, for example when an unrelated event trips an alarm or when every available alert feature is switched on at once. In the security community, this is referred to as “noise.” Noise can get so loud that you cannot “hear” the actual security events you care about, and eventually analysts become so used to ignoring it that they tune out the real alerts along with the noise (alert fatigue). That renders any type of logging and monitoring system useless. Enable a small number of high-confidence rules first, measure their false-positive rate, and add more only as each one is tuned.
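The following script illustrates steps 1 and 4 together: it filters a threat-intelligence feed down to the indicators that apply to the platforms an organization actually runs and that meet a confidence floor, then matches the surviving indicators against log lines while suppressing hits from an allowlist of known-benign sources. It is an added example written for this article, not code from the article’s author or from any threat-intelligence provider. The feed records, the organization’s platform profile, the allowlisted network, the log format and the log lines are all constructed for illustration; a real deployment would read the feed from the provider’s API and the events from the SIEM.

```python
"""Filter a threat-intel feed to the assets you run, then match it against
logs with an allowlist to suppress noise.

Added example for this article; not the author's or any vendor's code.
Feed records, platform profile, allowlist and log lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str              # "ipv4", "domain" or "sha256"
    value: str
    platforms: frozenset   # platforms the provider says the indicator applies to
    confidence: int        # 0-100, as supplied by the provider


# Constructed feed: what a provider might send, mixing platforms and confidence.
FEED = [
    Indicator("ipv4", "203.0.113.7", frozenset({"windows", "linux"}), 90),
    Indicator("domain", "update-check.example", frozenset({"windows"}), 75),
    Indicator("ipv4", "198.51.100.9", frozenset({"solaris"}), 95),   # platform we don't run
    Indicator("domain", "cdn.example", frozenset({"windows"}), 20),  # too low confidence
    Indicator("sha256", "a" * 64, frozenset({"macos"}), 99),         # platform we don't run
]

# Step 1 ("Define what is important"): the organization's own profile (constructed).
OUR_PLATFORMS = {"windows", "linux"}
MIN_CONFIDENCE = 50


def relevant(feed, platforms=OUR_PLATFORMS, min_confidence=MIN_CONFIDENCE):
    """Keep only indicators that apply to a platform we run and meet the confidence floor."""
    return [i for i in feed if i.platforms & platforms and i.confidence >= min_confidence]


# Step 4 ("Ramp up slowly"): known-benign sources that would otherwise trip alerts.
# Constructed: assume 10.0.0.0/8 hosts internal vulnerability scanners.
ALLOWLIST_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed proxy/firewall log lines in an assumed key=value format.
LOGS = [
    "2024-05-01T10:00:01Z src=10.1.2.3 dst=203.0.113.7 action=allow",
    "2024-05-01T10:00:02Z src=172.16.5.5 dst=203.0.113.7 action=allow",
    "2024-05-01T10:00:03Z src=172.16.5.8 host=update-check.example action=allow",
    "2024-05-01T10:00:04Z src=172.16.5.9 dst=198.51.100.9 action=allow",
    "2024-05-01T10:00:05Z src=172.16.5.9 host=cdn.example action=allow",
]

LOG_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) (?:dst=(?P<dst>\S+)|host=(?P<host>\S+))")


def parse(line):
    """Parse one log line into a dict with ts, src, dst, host (dst/host may be None)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowlisted(src, allowlist_nets):
    """True when the source address falls inside any allowlisted network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in allowlist_nets)


def match(logs, indicators, allowlist_nets=ALLOWLIST_NETS):
    """Return (ts, src, matched value) for every log line that hits an indicator
    and does not originate from an allowlisted source."""
    ips = {i.value for i in indicators if i.kind == "ipv4"}
    domains = {i.value for i in indicators if i.kind == "domain"}
    hits = []
    for line in logs:
        rec = parse(line)
        if rec is None or is_allowlisted(rec["src"], allowlist_nets):
            continue
        if rec["dst"] in ips:
            hits.append((rec["ts"], rec["src"], rec["dst"]))
        elif rec["host"] in domains:
            hits.append((rec["ts"], rec["src"], rec["host"]))
    return hits


if __name__ == "__main__":
    kept = relevant(FEED)
    print(f"{len(kept)} of {len(FEED)} indicators apply to us")
    for ts, src, value in match(LOGS, kept):
        print(ts, src, "->", value)
```

Run against the constructed data, the relevance filter drops three of the five indicators, and the allowlist removes the hit from the internal scanner, leaving two alerts worth an analyst’s time; matching the raw feed without either filter produces five. The two knobs (platform profile and confidence floor, then the allowlist) are exactly what you loosen gradually as each rule proves itself.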
5. Apply the lessons learned.
If an actual breach or cybersecurity event occurs, do not ignore it and hope it will never happen again. Learn from your mistakes.
Use a report similar to the one used to disseminate threat intelligence to other departments to describe the actors, actions, assets, and attributes related to the event. Discuss the incident with your team to determine what can be done differently to mitigate a similar malicious action in the future. Create a project plan to follow up on the vulnerability. Assign responsibilities to specific individuals to address and remediate the issue.
Once this process is complete, executive leadership and technical staff need to receive reports that summarize the events and show what is being done to prevent a similar malicious act in the future.