In the 2016 Ponemon Study on threat intelligence, 78% of respondents polled agreed that threat intelligence was essential to a strong security posture.
However, from that same report, 70% of respondents also stated that threat intelligence is often too voluminous or complex to provide actionable information.
Why, then, if organisations find this data challenging to digest, are threat intelligence programs still worthwhile for organisations to develop? Regardless of the size or bandwidth of an organisation, a program can provide value through:
- Improved visibility and situational awareness.
- Increased response efficiency.
- A method to identify malicious activity that other technologies may have missed.
Threat intelligence can no longer be considered a “nice to have”; it should be a critical component of any security posture. There are many aspects of managing threat intelligence to take your program from TAXII to take-off.
More information means better security coverage, right?
First and foremost, you’ll need to gather information. The most common way to start gathering this is to start collecting data from open source threat intelligence feeds, which provide information on a broad range of topics.
However, not all of these feeds will be relevant to your organisation, and pulling information from as many as possible will likely result in data overload.
More information does not equate to better security coverage, as there is no guarantee that it will be usable. Duplicate data, lack of context and a high number of false positives further complicate the collection process. Fortunately, there are some ways to make this data more usable: integrating it and contextualising it.
How my analysts are spending their time is efficient, right?
Adding context where there is little or none is perhaps the most important next step in getting your threat intelligence program underway. For example, knowing that an IP is reportedly malicious is beneficial but not as effective as knowing who or what else that IP is associated with. To help, there are numerous free or paid websites available that can provide additional context, such as SHODAN, VirusTotal, Malwr, IPVoid, threatminer, DomainTools.
But this is not the most efficient way of utilising analysts’ time: there is a significant drawback in the amount of time it takes to copy and paste into each tool and then collect insights from many different resources. Automation is key. This is possible with APIs, product integrations, or specific tools designed to aid in this area, such as threat intelligence platform (TIP) providers.
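To show what that automation replaces, here is an added example that is not from the article or from Anomali: it takes constructed indicator entries from three hypothetical feeds, normalises and de-duplicates them, attaches context from a constructed lookup table standing in for an enrichment API response, and keeps only indicators corroborated by more than one feed. It also illustrates the earlier point about duplicate data and missing context.

```python
"""Merge several feed pulls into one de-duplicated, contextualised set.

All feed entries and the enrichment table are constructed sample data
(hypothetical); in practice they would come from feed APIs and lookups
against services such as VirusTotal or SHODAN.
"""
import ipaddress

# Constructed feed pulls: (feed name, raw indicator, indicator type, confidence 0-100).
FEED_SNAPSHOTS = [
    ("feed-a", "198.51.100.7", "ipv4", 60),
    ("feed-b", "198.51.100.7 ", "ipv4", 80),   # same IP with trailing whitespace
    ("feed-c", "EVIL.EXAMPLE", "domain", 50),
    ("feed-a", "evil.example.", "domain", 40),  # same domain, different case and trailing dot
    ("feed-b", "203.0.113.9", "ipv4", 30),
    ("feed-c", "not-an-ip", "ipv4", 90),        # malformed entry, should be dropped
]

# Constructed enrichment table standing in for API responses (hypothetical values).
ENRICHMENT = {
    "198.51.100.7": {"asn": "AS64496", "resolves": ["evil.example"]},
    "evil.example": {"registered": "2016-03-01", "resolves_to": ["198.51.100.7"]},
}


def normalise(value, itype):
    """Canonical form so the same indicator from two feeds compares equal."""
    value = value.strip()
    if itype == "ipv4":
        return str(ipaddress.ip_address(value))  # raises ValueError on junk
    if itype == "domain":
        return value.lower().rstrip(".")
    return value


def merge_feeds(entries, enrichment):
    """Collapse duplicates, record every source, keep the highest confidence, attach context."""
    merged = {}
    for feed, raw, itype, conf in entries:
        try:
            key = normalise(raw, itype)
        except ValueError:
            continue  # drop malformed indicators rather than poison the set
        rec = merged.setdefault(key, {"type": itype, "sources": set(), "confidence": 0})
        rec["sources"].add(feed)
        rec["confidence"] = max(rec["confidence"], conf)
        rec["context"] = enrichment.get(key, {})
    return merged


def actionable(merged, min_sources=2):
    """Indicators seen in at least min_sources feeds that also carry context."""
    return sorted(k for k, r in merged.items()
                  if len(r["sources"]) >= min_sources and r["context"])
```

Running merge_feeds on the six constructed entries yields three distinct indicators, of which only the two corroborated and enriched ones are returned by actionable.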
My threat intelligence needs are simple, right?
While there are tools that are highly beneficial in regard to price, community support, plugins and tool integrations, they don’t come without challenges. Free and open source resources such as CIF, CRITS, MISP, YETI, STAXX, Cuckoo and the Modern HoneyNet help collect and manage gathered intelligence.
But users must self-support and self-maintain these platforms in their environments, which can require additional effort, and integrations and plugins can sometimes go dormant. So while they can certainly help manage and curate intelligence, they won’t address all the key challenges in making intelligence data actionable for the majority of organisations.
Before investing in threat intelligence, it’s essential to understand your business needs, what you are trying to get out of the information you’ll collect, and what internal resources you have available to provide support and maintenance for the tools and platforms under consideration.
My analysts are as efficient as they can be, right?
While systems don’t have to be complicated, it is imperative to ensure that those using the feeds and platforms you’ve chosen are fully trained. You don’t necessarily need a full-time analyst on staff straight away: your threat intelligence function may simply be a special function within the Security Operations Centre (SOC) or an Incident Response team, or it could exist as its own separate function.
Training can be done by teaching individuals threat intelligence principles and involving personnel in daily intelligence generation and analysis, as well as through books, webinars, events and online videos, to continually ensure that they can be as effective as possible.
Starting a threat intelligence program can be relatively straightforward if you know what resources to use and what potential drawbacks to watch out for. Remember that threat feeds themselves are not intelligence and not everything will be relevant to your organisation. Applying contextual details must be prioritised where possible.
Understanding your own environment, the attacks you see, and extrapolating meaning from the data available regarding those attacks is the perfect foundation for a functional threat intelligence program.
Sourced from Niall MacLeod, engineering manager EMEA at Anomali