Managing threat intelligence is like walking on a tightrope. To stay steady, you have to balance too little intelligence against too much; lean too far either way and you risk toppling off that tightrope and, metaphorically speaking, injuring the business. If you swing too far towards gathering too little threat intelligence, you might not spot attacks until it’s too late. If you veer towards over-collecting threat intel, you’ll overwhelm teams and technology with too much data.
Either way, your balance will suffer, especially if your security team is erring on the “too much” data side. Analyst group 451 Research, surveying security leaders for its report Tackling the Visibility Gap in Information Security, found that 49% of enterprises using SIEM, EDR, and other security tools were overwhelmed by the day-to-day operation of managing and ingesting threat feeds into their growing technology stack.
But there are ways to successfully stand straight and tall on that security tightrope. The four steps below can keep your security team focused on the intelligence that tells them where attackers are and how they’re attempting to break in. When security teams aren’t buried under the data avalanche, they can better evaluate threat intelligence, improve visibility, and accelerate detection and response by focusing on higher fidelity events in their environment. They can also review threat intelligence solutions regularly to make sure they’re operating as expected.
In the first step, your security teams need to collect the intelligence that’s most meaningful for your industry and align it with similarly relevant frameworks and issues. For example, you can research which feeds offer the highest fidelity, accuracy, and timeliness in your field. If you need help, look to sources such as SANS, DHS, and Information Sharing and Analysis Center (ISAC) feeds. In addition, look for security frameworks that align with the tactics of your industry’s common attackers. Start with MITRE ATT&CK® since it offers a detailed framework.
When possible, enable alert-level automation at this stage by filtering threat intelligence into investigations and automatically pulling relevant artifacts from multiple technologies, so your security team can prioritize and complete investigations faster, in one central place.
If your threat intelligence helps you figure out how to thwart attackers before they do damage, you’re ahead of the game. You can benefit from the knowledge that similar organizations have amassed (that is, the data feeds discussed above) to get proactive. For example, you can add controls to prevent threats from executing, or add block lists to firewalls and proxies that are dynamically updated with the collected threat intelligence. In addition, your team can leverage the threat intelligence in threat hunts to identify the “low hanging fruit” pathways that attackers take, then block them: If intelligence tells you that attackers try to obtain administrative privileges, limit which users have these permissions.
Your security team’s goal should be to gather threat intelligence with only the cream-of-the-crop information. Automation is an important part of this process: It can aggregate, de-dupe, and rank threat intel much faster than your team members can do manually. The resulting high-fidelity intel feed will help improve detection and minimize false positives. You’ll also get a better handle on the behavioral patterns of potential attackers – and when attackers refine or pivot their techniques, you’ll know right away.
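To make the aggregate, de-dupe, and rank step concrete, here is an added example (not ReliaQuest code, and not from the white paper) that merges sightings from several feeds, canonicalizes indicators so duplicates collapse, and scores each one by source fidelity, recency, and corroboration. The feed names, fidelity weights, score formula, and indicator values are all constructed for illustration.

```python
from datetime import datetime, timezone

# Assumed fidelity weight per source (higher = more trusted); constructed for the example.
SOURCE_FIDELITY = {"isac_feed": 1.0, "vendor_feed": 0.8, "open_feed": 0.5}

# Fixed reference time so the ranking is reproducible.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed sample sightings (documentation-range values, not real indicators).
RAW_FEEDS = [
    {"indicator": "Bad-Domain.Example.", "type": "domain", "source": "isac_feed", "confidence": 90, "last_seen": "2024-01-14"},
    {"indicator": "bad-domain.example", "type": "domain", "source": "open_feed", "confidence": 60, "last_seen": "2024-01-10"},
    {"indicator": "203.0.113.7", "type": "ipv4", "source": "open_feed", "confidence": 40, "last_seen": "2023-10-01"},
    {"indicator": "203.0.113.7 ", "type": "ipv4", "source": "vendor_feed", "confidence": 70, "last_seen": "2024-01-12"},
    {"indicator": "stale.example", "type": "domain", "source": "vendor_feed", "confidence": 95, "last_seen": "2023-06-01"},
]

def normalize(indicator, ioc_type):
    """Canonical form so the same observable reported by different feeds de-dupes."""
    value = indicator.strip().lower()
    if ioc_type == "domain":
        value = value.rstrip(".")  # drop trailing dot from FQDN notation
    return value

def aggregate(feeds):
    """Merge sightings keyed on (type, canonical indicator); keep best weighted confidence."""
    merged = {}
    for entry in feeds:
        key = (entry["type"], normalize(entry["indicator"], entry["type"]))
        seen = datetime.strptime(entry["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        rec = merged.setdefault(key, {"indicator": key[1], "type": key[0], "sources": set(),
                                      "best_confidence": 0.0, "last_seen": seen})
        rec["sources"].add(entry["source"])
        weighted = entry["confidence"] * SOURCE_FIDELITY.get(entry["source"], 0.3)
        rec["best_confidence"] = max(rec["best_confidence"], weighted)
        rec["last_seen"] = max(rec["last_seen"], seen)
    return merged

def rank(merged, now=NOW, max_age_days=90):
    """Drop stale indicators, then score by confidence, recency, and corroborating sources."""
    ranked = []
    for rec in merged.values():
        age_days = (now - rec["last_seen"]).days
        if age_days > max_age_days:
            continue  # stale indicators mostly produce false positives; cut them here
        recency = 1 - age_days / max_age_days
        corroboration = min(len(rec["sources"]), 3) / 3  # more independent sources, capped at 3
        score = round(rec["best_confidence"] * (0.6 + 0.4 * recency) * (0.7 + 0.3 * corroboration), 1)
        ranked.append({**rec, "sources": sorted(rec["sources"]), "score": score})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked
```

The stale domain is discarded outright, and the two spellings of each remaining indicator collapse into one record whose score reflects the most trustworthy source that reported it.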
Then, it’s important to test that your detection controls are working properly with automated, continuous attack simulations. If the control isn’t working, attack simulations allow you to identify why and course correct to avoid misconfigurations or improper tuning in the environment.
When attacks happen, you’ll want the security team to create a plan of action that’s backed by confidence. Automation helps you build this assurance by enriching the analysis process and quickly gathering information. With enriched analysis, your team gains context around threat data. By building knowledge of an entire attack chain, for example, you gain a view into known behaviors to search for before and after detection.
These steps represent a critical phase in your journey towards reducing security complexity, improving detection and response, and increasing your team’s efficiency. Once you put these steps into practice and regularly reevaluate your processes, you can minimize risk and reduce the possible financial and operational impacts of attacks.
For more guidance on managing threat intelligence, get the white paper, Maximize Your Threat Intelligence: Four Proven Steps to Integrating Threat Intelligence for Higher-Fidelity Detection and Response.
Casey Martin, Vice President of Threat Intelligence and Detection, joined ReliaQuest in 2014 and has operated in all areas of security operations, including previously acting as the Director of Security Operations. As VP of Threat Research, Casey leads the innovation and delivery of cutting-edge detection and response capabilities within the ReliaQuest GreyMatter platform. Prior to ReliaQuest, Casey held security roles in the energy and higher education industries, which was made possible through his education at the Rochester Institute of Technology.