5 Best Practices to Get More from Threat Intelligence
Audrey Llorens
As we wrap up Cybersecurity Awareness Month 2021, this week’s theme, Cybersecurity First, is all about making security a priority. To do this, many security operations teams are leaning into threat intelligence to understand specifically where and how to focus their efforts to better protect their organizations. In fact, the SANS 2021 Cyber Threat Intelligence (CTI) Survey found that organizations of all sizes and across all industries are adopting CTI programs, reflecting broad-based recognition of the benefits CTI programs can provide. This is quite an evolution from a handful of years ago when CTI was conducted on an ad-hoc basis.
However, now one of the most daunting challenges for analysts is making sense of all the threat intelligence their organizations subscribe to from a variety of sources – commercial, open source, government, industry sharing groups and security vendors. Bombarded by millions of threat data points every day, it can seem impossible to sift through it all to understand and prioritize what matters to your organization so you can proactively strengthen defenses and accelerate detection and response.
Here are 5 best practices to help.
- Select the right sources of threat data for your organization.
Not all threat intelligence is equal: intelligence that is of value to your organization may not be of value to another. Value comes down to relevance and accessibility, which requires curation into a customized enrichment source that aggregates data filtered by a range of factors, including industry and geography, your environment and infrastructure, the third parties your organization works with, and your organization’s risk profile. An often-overlooked source of threat intelligence is data housed within the various systems and tools across your organization. And it’s free! In fact, starting with internal data, events and telemetry, and supplementing it with external data to contextualize information from internal systems, enables you to understand relevance and focus on what’s high priority for your organization.
- Determine who will acquire the data.
While it may be good to provide access to threat data to a broad audience, it is probably even better to have one team responsible for acquiring and analyzing threat intelligence and delivering only information that is actionable. Not every stakeholder needs every level of intelligence, so think about how the same report will impact and be used by various teams across the organization. Different teams may use different aspects of the same report in different ways to achieve their desired outcomes, for example, modifying policy (strategic), launching hunting campaigns (operational) or disseminating technical indicators (tactical).
- Structure the data for analysis.
Threat data comes in various formats (e.g., STIX, MITRE ATT&CK techniques, news articles, blogs, tweets, security industry reports, indicators of compromise (IoCs) from threat feeds, GitHub repositories, YARA rules and Snort signatures) and needs to be normalized. And it isn’t just about format. The volume of information across the threat intel landscape is high, and different groups use different names to refer to the same thing. Normalization compensates for this and enables you to aggregate and organize information quickly. A threat intelligence platform (TIP) that automatically ingests and normalizes data, structuring it uniformly so that you can contextualize and prioritize it, is critical for triage and ensures you are focusing on the threats that matter most.
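The normalization step described above, as an added example that is not code from the original post or from any TIP vendor: two constructed feeds (a STIX-style JSON bundle and a flat CSV) report overlapping indicators for one actor under three different names, and a common record type plus an alias table lets them collapse into a single de-duplicated set. The `x_actor` property on the STIX-style objects is a constructed stand-in for the actor relationship a real bundle would carry; the alias table and all indicator values are constructed sample data.

```python
import csv, io, json, re
from dataclasses import dataclass

# Constructed alias table: vendor names for one actor, keyed by a collapsed form.
ACTOR_ALIASES = {"groupx": "GROUP-X", "gx": "GROUP-X"}
# Matches simple STIX patterns such as [ipv4-addr:value = '203.0.113.5'].
STIX_PATTERN = re.compile(r"\[(\w[\w-]*):value\s*=\s*'([^']+)'\]")

@dataclass(frozen=True)
class Indicator:
    ioc_type: str  # STIX object type, e.g. "ipv4-addr", "domain-name"
    value: str     # canonical form: stripped, lowercase
    actor: str     # actor name after alias resolution

def canonical_actor(name: str) -> str:
    """Map vendor spellings (GroupX, group-x, GX) to one canonical name."""
    key = re.sub(r"[^a-z0-9]", "", name.lower())
    return ACTOR_ALIASES.get(key, name.strip().upper())

def from_stix(bundle_json: str):
    """STIX-style indicators: the type comes from the pattern's object path."""
    for obj in json.loads(bundle_json)["objects"]:
        m = STIX_PATTERN.match(obj["pattern"])
        if m:
            yield Indicator(m.group(1), m.group(2).strip().lower(),
                            canonical_actor(obj["x_actor"]))  # x_actor is constructed

def from_csv(text: str):
    """Flat CSV feed with its own column names for the same fields."""
    for row in csv.DictReader(io.StringIO(text)):
        yield Indicator(row["kind"], row["ioc"].strip().lower(),
                        canonical_actor(row["attribution"]))

def normalize(*streams) -> set:
    """Merge sources; duplicate records collapse because Indicator is hashable."""
    return {ind for stream in streams for ind in stream}

# Constructed sample feeds; 203.0.113.5 is reported by both under different actor names.
STIX_FEED = json.dumps({"objects": [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.5']", "x_actor": "GroupX"},
    {"type": "indicator", "pattern": "[domain-name:value = 'Evil.Example']", "x_actor": "GroupX"}]})
CSV_FEED = "kind,ioc,attribution\nipv4-addr,203.0.113.5,group-x\nipv4-addr,198.51.100.7,GX\n"

if __name__ == "__main__":
    for ind in sorted(normalize(from_stix(STIX_FEED), from_csv(CSV_FEED)), key=lambda i: i.value):
        print(ind)  # three records, all attributed to GROUP-X
```

Four raw records become three normalized ones: the IP that both feeds report is counted once, and every record carries the same actor name, so the actor can be pivoted on regardless of which vendor supplied the indicator.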
- Use tools to help with analysis.
Analysis is quite a challenge, particularly during a big event. A TIP does a good job of extracting context and can help you use the information in various ways for different use cases (e.g., alert triage, threat hunting, spear phishing, incident response) and to support different outcomes. It is also important that the platform you select works well with frameworks like MITRE ATT&CK so you can understand which adversaries might be targeting your high-value data, the tactics, techniques and procedures (TTPs) to concentrate on, and what actions to take.
- Select the right tools to help make data actionable.
Analysis enables prioritization so you can determine the appropriate actions to take. With a platform that is open and supports bi-directional integration with your security infrastructure, the elements of your threat intelligence program become actionable. You can share intelligence in the right way with the right teams to achieve desired outcomes at the strategic level (executive reporting), operational level (changes in security posture) and tactical level (updating rules and signatures) to maximize value.
To learn more about these best practices, watch a replay of our CyberSocial webcast, where industry experts David Grout, CTO EMEA for FireEye, and Yann Le Borgne, Technical Director for ThreatQuotient Europe, help listeners tackle the challenge of maximizing the value of threat intelligence. Using threat reports as an example of one type of published threat information, they respond to real-time polling results from viewers as they provide advice on how to analyze a threat report and make it actionable.