The key takeaway from October’s Cybersecurity Awareness Month was the urgent need to make security a priority. To do this, many security operations teams are leaning into threat intelligence to understand specifically where and how to focus their efforts to protect their organisations better.
The SANS 2021 Cyber Threat Intelligence (CTI) Survey found that organisations of all sizes and industries are adopting CTI (cyber threat intelligence) programmes. It reflects a broad-based recognition of the benefits CTI programmes can provide. It is quite an evolution from several years ago when CTI was conducted on an ad-hoc basis.
However, one of the most daunting challenges for analysts is making sense of all the threat intelligence their organisations subscribe to. This is because it comes from a variety of sources – commercial, open-source, government, industry sharing groups and security vendors.
Being bombarded with millions of threat data points every day can make it seem impossible to sift through them, understand them and prioritise what matters to the organisation. Yet that is exactly what is needed to strengthen defences proactively and accelerate detection and response.
Here are five best practice tips to help.
Select the right sources of threat data for your organisation.
Not all threat intelligence is equal. Threat intelligence that is of value to one organisation may be irrelevant to another. Value comes down to relevance and accessibility, which means curating the raw feeds into a customised enrichment source: aggregating data and filtering it by factors such as industry and geography, the firm's environment and infrastructure, the third parties the organisation works with, and the organisation's risk profile.
An often-overlooked source of threat intelligence is data housed within various organisational systems and tools. And it’s free! It starts with internal data, events and telemetry. Supplement it with external data to contextualise information from internal systems. This enables the organisation to understand the relevance and focus on what’s a high priority for the company.
Determine who will acquire the data.
It may be good practice to provide access to threat data to a broad audience. However, it is usually better to make one team responsible for acquiring and analysing threat intelligence, so that it can focus on delivering only information that is actionable.
Not every stakeholder needs every level of intelligence. Think about how the same report will impact and be used by various teams across the organisation. Different teams may use different aspects of the same report in different ways to achieve their desired outcomes. For example, modifying policy (strategic), launching hunting campaigns (operational) or disseminating technical indicators (tactical).
Structure the data for analysis.
Threat data comes in various formats. For example, STIX objects, MITRE ATT&CK techniques, news articles, blogs, tweets, security industry reports, indicators of compromise (IoCs) from threat feeds, GitHub repositories, YARA rules and Snort signatures. Once gathered, it needs to be normalised, and normalisation isn't just about the format.
The volume of information across the threat intel landscape is high, and different vendors and groups use different names for the same adversary, malware family or campaign. Normalisation compensates for this by mapping aliases to one canonical label and restructuring every source into the same record shape, so that teams can aggregate and organise information quickly. A threat intelligence platform (TIP) that automatically ingests and normalises data, structuring it uniformly so that the team can contextualise and prioritise it, is critical for triage and ensures analysts focus on the threats that matter most.
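To make the normalisation step concrete, here is an added example (not ThreatQuotient's code or that of any TIP) that takes three constructed inputs in the formats named above, a STIX 2.1 indicator pattern, a CSV vendor feed and a blog excerpt with defanged IoCs, and merges them into one de-duplicated record shape. The actor alias table, the source names and every indicator value are assumptions constructed for the demo (documentation address ranges and example domains); the alias handling shows the naming normalisation the text describes, not just the format conversion.

```python
import csv
import io
import json
import re

# Illustrative alias table (an assumption for this example): vendors name the
# same group differently, so every alias is mapped to one canonical label.
ACTOR_ALIASES = {
    "apt28": "APT28", "fancy bear": "APT28", "sofacy": "APT28", "strontium": "APT28",
}

# Constructed sample inputs standing in for three feed formats.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [{
        "type": "indicator",
        "id": "indicator--00000000-0000-4000-8000-000000000002",
        "pattern_type": "stix",
        "pattern": "[ipv4-addr:value = '198.51.100.23']",
    }],
})
CSV_FEED = (
    "indicator,actor\n"
    "EVIL.example.org,Fancy Bear\n"
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,APT28\n"
)
BLOG_TEXT = "Sofacy infrastructure seen at hxxp://evil[.]example[.]org and 198[.]51[.]100[.]23."


def refang(text):
    """Undo common defanging so the value matches what a sensor will actually see."""
    text = re.sub(r"\[\.\]|\[dot\]|\(dot\)", ".", text)
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)


def classify(value):
    """Return the indicator type for a canonical (lower-case) value, or None."""
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", value):
        return "ipv4"
    if re.fullmatch(r"[0-9a-f]{64}", value):
        return "sha256"
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", value):
        return "domain"
    return None


def canonical_actor(name):
    """Map any known alias to the canonical actor name; keep unknown names as given."""
    key = name.strip().lower()
    return ACTOR_ALIASES.get(key, name.strip() or "unknown")


def from_stix(bundle_json, source):
    """Extract simple equality comparisons from STIX indicator patterns."""
    out = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        for _, val in re.findall(r"\[([a-z0-9-]+):value\s*=\s*'([^']+)'\]", obj["pattern"]):
            out.append({"type": classify(val.lower()), "value": val.lower(),
                        "actor": "unknown", "source": source})
    return out


def from_csv(text, source):
    """Read a vendor CSV with 'indicator' and 'actor' columns."""
    return [{"type": classify(row["indicator"].lower()), "value": row["indicator"].lower(),
             "actor": canonical_actor(row["actor"]), "source": source}
            for row in csv.DictReader(io.StringIO(text))]


def from_text(text, source):
    """Pull IoCs out of prose (blog, tweet, report) and infer the actor from aliases."""
    clean = refang(text).lower()
    actor = next((canon for alias, canon in ACTOR_ALIASES.items() if alias in clean), "unknown")
    out = []
    for tok in re.findall(r"[a-z0-9][a-z0-9.-]+[a-z0-9]", clean):
        if classify(tok):
            out.append({"type": classify(tok), "value": tok, "actor": actor, "source": source})
    return out


def normalise(records):
    """Merge records with the same (type, value); keep the first known actor and every source."""
    merged = {}
    for r in records:
        if r["type"] is None:
            continue  # not a recognised indicator: drop it rather than pollute the set
        m = merged.setdefault((r["type"], r["value"]),
                              {"type": r["type"], "value": r["value"], "actor": "unknown", "sources": set()})
        m["sources"].add(r["source"])
        if m["actor"] == "unknown":
            m["actor"] = r["actor"]
    for m in merged.values():
        m["sources"] = sorted(m["sources"])
    return sorted(merged.values(), key=lambda m: (m["type"], m["value"]))


def normalise_samples():
    """Run all three constructed feeds through the pipeline."""
    return normalise(from_stix(STIX_BUNDLE, "stix-feed")
                     + from_csv(CSV_FEED, "vendor-csv")
                     + from_text(BLOG_TEXT, "blog"))


if __name__ == "__main__":
    for rec in normalise_samples():
        print(rec)
```

Running it yields three records instead of five raw observations: the IP reported by the STIX feed and the blog collapses into one entry with both sources, and the actor that the STIX object could not name is filled in from the blog's alias. That merge, rather than the parsing, is what lets an analyst count how many independent sources back an indicator.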
Use tools to help with analysis.
Analysis is quite a challenge, particularly during a big event. A TIP does a good job of extracting context and helps teams apply the same information to different use cases (e.g., alert triage, threat hunting, spear-phishing investigation, incident response), so the data can support different outcomes.
It is important that the platform selected works well with frameworks like MITRE ATT&CK. It ensures the organisation can understand which adversaries might be targeting high-value data, the tactics, techniques and procedures (TTPs) to concentrate on, and what actions to take.
Select the right tools to help make data actionable.
Analysis enables prioritisation so the organisation can determine the appropriate actions to take. An open platform that supports bi-directional integration with the security infrastructure (intelligence pushed out to sensors and controls, sightings and context pulled back in) is what turns the threat intelligence programme's outputs into action.
Teams can then share intelligence in the right form with the right audience to achieve the desired outcomes at the strategic level (executive reporting), the operational level (changes in security posture, hunting campaigns) and the tactical level (updating rules, signatures and blocklists) to maximise value.
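The following added example (not ThreatQuotient's code or that of any TIP) shows the prioritisation and dissemination step behind the three levels above. It takes already-normalised records of the shape produced by a curation pipeline, scores each one against a constructed organisation profile (sector, deployed sensors, indicators already seen in internal telemetry, as in the second tip), drops everything below a threshold, and then emits a tactical Suricata DNS rule and firewall blocklist, an operational list of ATT&CK techniques to hunt for, and a strategic per-actor summary. The source confidence weights, the actor targeting table, the placeholder actor name ACTOR-B, the sightings and all indicator values are assumptions for the demo.

```python
# Assumed per-source confidence, as a curation team might set it.
SOURCE_CONFIDENCE = {"vendor-csv": 0.8, "stix-feed": 0.7, "blog": 0.5}
THRESHOLD = 0.6

# Constructed organisation profile: sector and which sensors can consume rules.
ORG = {"sector": "finance", "sensors": {"dns", "firewall"}}
# Constructed targeting table: sectors each actor is reported to go after.
ACTOR_TARGETS = {"APT28": {"government", "defence"}, "ACTOR-B": {"finance"}}
# Constructed internal telemetry: indicator values already observed in-house.
INTERNAL_SIGHTINGS = {"203.0.113.7"}

# Constructed normalised records (values from documentation ranges/example domains).
RECORDS = [
    {"type": "domain", "value": "evil.example.org", "actor": "APT28",
     "sources": ["blog", "vendor-csv"], "techniques": ["T1071.001"]},
    {"type": "ipv4", "value": "198.51.100.23", "actor": "APT28",
     "sources": ["blog", "stix-feed"], "techniques": ["T1071.001"]},
    {"type": "ipv4", "value": "203.0.113.7", "actor": "ACTOR-B",
     "sources": ["blog"], "techniques": ["T1566.001"]},
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "actor": "ACTOR-B", "sources": ["vendor-csv"], "techniques": ["T1566.001"]},
    {"type": "domain", "value": "low.example.net", "actor": "unknown",
     "sources": ["blog"], "techniques": []},
]


def score(rec, org=ORG, sightings=INTERNAL_SIGHTINGS):
    """Relevance in [0, 1]: best source confidence, plus sector match, plus internal sighting."""
    s = max(SOURCE_CONFIDENCE.get(src, 0.3) for src in rec["sources"])
    if org["sector"] in ACTOR_TARGETS.get(rec["actor"], set()):
        s += 0.2  # actor is known to target our sector
    if rec["value"] in sightings:
        s += 0.3  # already seen inside the network: the strongest relevance signal
    return round(min(s, 1.0), 2)


def prioritise(records, threshold=THRESHOLD):
    """Attach scores, drop low-relevance records, highest score first."""
    scored = [dict(r, score=score(r)) for r in records]
    return sorted((r for r in scored if r["score"] >= threshold),
                  key=lambda r: (-r["score"], r["value"]))


def tactical(prioritised, org=ORG):
    """Tactical output: one Suricata DNS rule per domain, a blocklist entry per IP."""
    rules, blocklist = [], []
    for rec in prioritised:
        if rec["type"] == "domain" and "dns" in org["sensors"]:
            sid = 1000000 + len(rules)  # local sid range, assumed free
            rules.append(
                f'alert dns any any -> any any (msg:"CTI {rec["actor"]} domain {rec["value"]}"; '
                f'dns.query; content:"{rec["value"]}"; nocase; sid:{sid}; rev:1;)'
            )
        elif rec["type"] == "ipv4" and "firewall" in org["sensors"]:
            blocklist.append(rec["value"])
    return rules, blocklist


def operational(prioritised):
    """Operational output: ATT&CK techniques to hunt for, with the actors using them."""
    hunts = {}
    for rec in prioritised:
        for technique in rec["techniques"]:
            hunts.setdefault(technique, set()).add(rec["actor"])
    return {t: sorted(actors) for t, actors in sorted(hunts.items())}


def strategic(prioritised):
    """Strategic output: per-actor indicator count and peak relevance for executive reporting."""
    by_actor = {}
    for rec in prioritised:
        entry = by_actor.setdefault(rec["actor"], {"indicators": 0, "max_score": 0.0})
        entry["indicators"] += 1
        entry["max_score"] = max(entry["max_score"], rec["score"])
    return by_actor


if __name__ == "__main__":
    top = prioritise(RECORDS)
    print("tactical:", tactical(top))
    print("operational:", operational(top))
    print("strategic:", strategic(top))
```

Note that the same four records feed all three audiences; only the projection differs. The record from a single low-confidence source with no sighting and no actor falls below the threshold and generates nothing, which is the point of scoring before disseminating: rules that nobody has a reason to act on are noise for the sensor and for the analyst alike.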
The above key points can help analysts better understand where to prioritise their activities and get more out of their threat intelligence, putting them in a stronger position to detect and stop adversaries before the organisation suffers an impact or loses data.
ThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations through a threat-centric platform. By integrating an organization’s existing processes and technologies into a single security architecture, ThreatQuotient accelerates and simplifies investigations and collaboration within and across teams and tools. Through automation, prioritization and visualization, ThreatQuotient’s solutions reduce noise and highlight top priority threats to provide greater focus and decision support for limited resources.