Threat Intelligence Management – the Foundational Use Case for a TIP
ANTHONY STITT
I previously talked about how to get started with a threat intelligence program, which is the cornerstone to any security operation. Such a program enables security teams to gain a deeper understanding of adversaries and their tactics, techniques and procedures (TTPs), in order to determine what is relevant to the organization and how to mitigate risk.
Threat Intelligence Platforms (TIPs) allow you to gain better intelligence across the threat spectrum from known to unknown attacks and leverage this intelligence to optimize threat detection and response, preemptive blocking, and patch prioritization. One of the unique benefits of the ThreatQ Platform is that you can address a range of use cases, from the foundational use case for a TIP which is threat intelligence management, to threat hunting, incident response, spear phishing, alert triage and vulnerability management.
Here, I’m going to focus on threat intelligence management, including key ROI areas and metrics.
Defining threat intelligence management
Threat intelligence management is the practice of aggregating, analyzing, enriching and de-duplicating internal and external threat data in order to understand threats to your environment and share that data with a range of systems and users. Historically, security teams have dealt with threat intelligence by hand, manually reviewing, assessing and copying indicators to other systems and tools. Many teams still manage intelligence this way, but the speed of adversary activity and volume of threat intelligence is driving more organizations to collect, manage and use threat intelligence via automation. Most intelligence sources and analyst reports are now API-enabled to automate ingestion of this data, freeing security staff from data-processing activities so they can concentrate on higher-value activities. A TIP enables automated ingestion, improving threat coverage and visibility, so that security teams make better decisions more quickly.
Actionability is also a key problem for threat intelligence programs because of the volume of inbound intelligence and the time it takes threat intelligence analysts to correlate it with the organization’s context. Most intelligence comes with tags, identifiers, attributes, ratings and priorities, but every source uses a different taxonomy, data model and attribute tagging. To solve this problem, TIPs filter and rank threat data using parameters like the organization’s geography, industry, the type of intelligence, where it came from, and a range of other contextual relationships. This process automatically scores incoming intelligence by normalizing all indicators on a single scale using a policy customized for each organization. Scoring deprioritizes 99% of low-relevance information, so your analysts, systems and integrations are working with the highest priority intelligence.
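As an added illustration of the normalization, de-duplication and policy-based scoring described above (example code, not ThreatQ's), two constructed feeds with different taxonomies are mapped onto one indicator model, merged on (type, value), and scored on a single 0-100 scale against an assumed organization policy. The feed names, field names, weights and threshold are all assumptions.

```python
# Added example, not ThreatQ code; feeds, field names and policy values are constructed.
FEED_A = [  # constructed: 0-100 confidence, lowercase types, free-form tags
    {"ioc": "198.51.100.7", "kind": "ipv4", "confidence": 80, "tags": ["finance", "apac"]},
    {"ioc": "Shop.Example", "kind": "fqdn", "confidence": 70, "tags": ["retail"]},
]
FEED_B = [  # constructed: text severity, uppercase types, comma-separated sectors
    {"value": "198.51.100.7", "type": "IP", "severity": "high", "sectors": "finance"},
    {"value": "deadbeef" * 4, "type": "HASH", "severity": "low", "sectors": "energy"},
]
SEVERITY_TO_CONF = {"low": 20, "medium": 50, "high": 90}  # text scale -> 0-100
TYPE_MAP = {"ipv4": "ip", "IP": "ip", "fqdn": "domain", "HASH": "hash"}
POLICY = {  # one organization's scoring policy; values are assumptions
    "relevant_tags": {"finance", "apac"}, "context_bonus": 10, "corroboration_bonus": 10,
    "type_weight": {"ip": 1.0, "domain": 0.9, "hash": 0.7},
    "source_weight": {"feed_a": 1.0, "feed_b": 0.8}, "threshold": 60}

def normalize(source, rec):
    """Map one source-specific record onto the common indicator model."""
    if source == "feed_a":
        return {"type": TYPE_MAP[rec["kind"]], "value": rec["ioc"].lower(),
                "confidence": rec["confidence"], "tags": set(rec["tags"]), "sources": {source}}
    return {"type": TYPE_MAP[rec["type"]], "value": rec["value"].lower(),
            "confidence": SEVERITY_TO_CONF[rec["severity"]],
            "tags": {s.strip() for s in rec["sectors"].split(",")}, "sources": {source}}

def aggregate(feeds):
    """Normalize every record, then de-duplicate on (type, value), merging context."""
    merged = {}
    for source, records in feeds.items():
        for rec in records:
            ind = normalize(source, rec)
            cur = merged.setdefault((ind["type"], ind["value"]), ind)
            if cur is not ind:  # seen before: keep the best confidence, union the context
                cur["confidence"] = max(cur["confidence"], ind["confidence"])
                cur["tags"] |= ind["tags"]
                cur["sources"] |= ind["sources"]
    return list(merged.values())

def score(ind, policy):
    """Put every indicator on one 0-100 scale using the organization's policy."""
    s = ind["confidence"] * policy["type_weight"].get(ind["type"], 0.5)
    s *= max(policy["source_weight"][src] for src in ind["sources"])
    s += policy["context_bonus"] * len(ind["tags"] & policy["relevant_tags"])
    s += policy["corroboration_bonus"] * (len(ind["sources"]) - 1)
    return min(100, round(s))

def prioritize(feeds, policy):
    """Return (score, indicator) pairs at or above the threshold, highest first."""
    scored = [(score(i, policy), i) for i in aggregate(feeds)]
    return sorted((p for p in scored if p[0] >= policy["threshold"]), key=lambda p: -p[0])
```

With these inputs the corroborated finance/APAC address scores 100 and the domain 63, while the low-severity hash falls below the threshold and is dropped.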
While threat intelligence often comes from external sources, increasingly, organizations are producing and consuming their own intelligence. For a growing number of attacks there is no external threat intelligence available because the attack is new, has been customized for the target or uses any one of a number of obfuscation techniques. In response, defenders now use a range of techniques to detect these attacks, such as sandboxing / dynamic analysis, phishing email analysis, incident response, threat hunting and alert triage. These activities all produce threat intelligence that is highly relevant because it represents the actual attacks against an organization. But many security teams do not have a process to understand and utilize this internal intelligence, which is one of the things a TIP is designed to do. A TIP aggregates internally gathered threat intelligence with threat data from multiple external sources, consolidates it into a single repository, correlates and prioritizes it, and makes it actionable for all the teams and systems that need it.
As new standards emerge, new frameworks are adopted, new intelligence sources are released, and as other systems change how they create or use threat intelligence, a TIP enables organizations to quickly adapt. The explosion of COVID-19 related threat feeds is a recent example underlining the need to quickly ingest and leverage new threat resources. But every year, adversaries use new methods, news stories or vulnerabilities within their campaigns, and a TIP helps improve the speed and reliability of responding to emerging threats.
Maximizing effectiveness and ROI from threat intelligence management
Threat intelligence management requires that the program be aligned to your organization’s intelligence requirements (IRs) via a well-founded threat model. Intelligence requirements come from a collaboration across the organization’s intelligence stakeholders, such as the threat intel team, SOC, incident response and threat hunting, as well as the broader business stakeholders. This process documents the assets most valuable to the business and the threats most likely to impact them. From there you can drive the process for determining what intelligence to collect, so that you work with the most valuable and relevant data you can.
As you develop the threat model, you also need to consider who you will share threat intelligence with, internally and externally. Large organizations have divisions, subsidiaries, owned entities or sub-groups. The nature of these groups determines the style of sharing. For example, the central threat intel team can provide curated feeds unidirectionally to smaller groups, or push blocklists to group-wide systems like DNS, firewalls and EDR. Larger or more independent subsidiaries may prefer to share intelligence bidirectionally in a peer-to-peer model over a common “threat fabric”. ThreatQuotient enables intelligence data sharing through ThreatQ Data Exchange.
ROI and metrics
Threat intelligence management allows you to achieve desired outcomes at the strategic level (executive reporting), operational level (changes in security posture) and tactical level (updating rules and signatures). Here are just a few examples of the ROI areas and metrics for each:
- Strategic: Gain the ability to brief the board/management about the strategic threat landscape relevant to critical business services; Provide assurance about the organization’s ability to map the strategic threat model to a technical day-to-day detection capability; Demonstrate the ability to mitigate risk from adversaries that take advantage of major events or new vulnerabilities to launch campaigns.
- Operational: Share threat intelligence internally and externally to accelerate blocking, detection and response; Reduce risk by being able to ingest more threat intelligence from different sources and score and prioritize to focus on what matters most; Track threats detected by each threat intelligence source to assess value and evaluate new sources.
- Tactical: Calculate threat intelligence processing efficiencies gained by automation versus manual methods; Increase staff satisfaction as measured by a survey of threat intel analysts and related groups before and after using a TIP.
Threat intelligence management allows teams and tools to use collaboration and automation to increase effectiveness, efficiency and productivity. The ROI is significant and meaningful and is just one of the many use cases for a TIP.
In my next blog, I’ll take a closer look at some of the other top use cases you may be focused on today and how threat intelligence and a TIP can help.