Creating a Successful Threat Intelligence Program
Cyber threat intelligence underpins an effective security program. Organizations that build it into their overall cybersecurity strategy are better prepared to respond to emerging threats and avoid costly mistakes.
To protect an organization and its sensitive information, you need to know which active threats and threat actors your security teams are likely to face. That means collecting, analyzing, and sharing threat intelligence so attacks can be detected and acted on quickly.
Your ability to secure your network depends directly on the quality and timeliness of your threat intelligence. Analysts need curated, relevant threat data to protect the organization's most valuable assets from persistent threats.
Cyber threats are relentless and constantly evolving. Cyber threat intelligence gives intelligence teams insight into advanced adversaries, and that insight is what informs internal teams and security technologies so they can defend against attacks. Staying ahead of external threats requires a holistic threat intelligence program that encompasses security operations, so the organization understands adversary behavior and gains a complete picture of the overarching risks.
Where to Begin
Set a Goal:
Start with a goal that sets expectations for what you want to do with the collected threat information to keep your organization safe. Make sure it is attainable and actionable; otherwise, the intelligence becomes noise.
Who within your organization will consume threat intel and reports? You will need to inform security analysts across functions, the C-suite, and your board, and the intelligence you give them must be timely, relevant, and actionable for them to make informed decisions.
Understand Your Threat Landscape:
You need to understand your attack surface, your vulnerabilities, and the threats likely to target your environment. You also need to review your current security practices and the tools and architecture you use to protect your most valuable assets.
Staying ahead of relentless, evolving threats requires automation and a holistic threat intelligence program, which together yield a strategic advantage. Three pillars help your organization advance up the maturity curve: people, process, and technology.
People: Identify the stakeholders who receive reporting and provide feedback, and map out a process that channels intelligence to them effectively.
Process: Develop processes that take threat intelligence to a more strategic level, and agree on them cross-functionally.
Technology: Choose technology that delivers on the processes outlined and supports organizational goals.
Climbing the Threat Intel Maturity Curve
Every organization's threat intelligence program is at its own level of development. The general steps below help you determine where you are now and what is needed to evolve your program.
Threat Data Collection
Raw data collection is the beginning of any intelligence-gathering process. Relevance is critical: data comes from external and internal sources, including open-source and commercial threat intelligence feeds. External sources such as ISACs, dark web monitoring, vendors, and clients may supply IoC reports relevant to your organization's vulnerabilities. Internal data is just as necessary because it informs intelligence with business-specific threats. Even at the beginning stage of a program, feedback from internal teams that have handled a security incident should shape which feeds you consume, so they stay relevant to the business.
Threat Data Processing
The next stage is processing: curating the data down to the threats relevant to your complete environment. Even when only the most relevant sources are ingested, the volume can be overwhelming, so automation is essential. Security tools save analysts time by automatically filtering the data down to actionable information. Well-targeted criteria based on the organization's threat experience optimize this curation, letting the automation filter out noise (duplicates, stale indicators, addresses that belong to your own infrastructure) and produce practical intelligence.
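The curation step described above, as an added example that is not part of the original article or any vendor's product: it refangs indicators so the same infrastructure reported by two feeds merges into one record, drops private addresses and the organization's own domains, ages out stale entries, and scores what remains by how many sources corroborate it. The feed record layout, the source weights, the allowlist, and the 90-day window are assumptions; the sample feed export is constructed, not real indicators.

```python
"""Added example: curate a raw IoC feed export into a ranked, deduplicated set.

Illustrative code only, not any vendor's product. The feed record shape,
source weights, allowlist and age window below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
import ipaddress

# Constructed sample export (not real indicators). It carries the noise that
# mixed feeds typically do: inconsistent defanging, a leaked private address,
# our own infrastructure, and a long-stale indicator.
RAW_FEED = [
    {"feed": "isac",   "type": "domain", "value": "Login-Update[.]example",                "first_seen": "2024-05-01"},
    {"feed": "vendor", "type": "url",    "value": "hxxp://login-update.example/setup.bin", "first_seen": "2024-05-03"},
    {"feed": "osint",  "type": "ipv4",   "value": "203.0.113.7",                           "first_seen": "2024-05-04"},
    {"feed": "osint",  "type": "ipv4",   "value": "10.0.0.5",                              "first_seen": "2024-05-04"},
    {"feed": "vendor", "type": "domain", "value": "cdn.corp-intranet.example",             "first_seen": "2024-05-02"},
    {"feed": "osint",  "type": "domain", "value": "stale-c2.example",                      "first_seen": "2023-01-10"},
    {"feed": "isac",   "type": "ipv4",   "value": "198.51.100.23",                         "first_seen": "2024-05-05"},
]

# Assumed, analyst-tuned curation criteria.
SOURCE_WEIGHT = {"isac": 0.6, "vendor": 0.5, "osint": 0.3}  # trust placed in one sighting per source
ALLOWLIST_SUFFIXES = (".corp-intranet.example",)            # our own domains; never block these
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MAX_AGE_DAYS = 90                                           # older indicators are dropped as stale


@dataclass
class CuratedIndicator:
    value: str
    kind: str
    sources: set = field(default_factory=set)
    confidence: float = 0.0


def refang(value: str) -> str:
    """Undo common defanging and case so the same indicator from two feeds compares equal."""
    return (value.strip().lower()
            .replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".").replace("[:]", ":"))


def normalize(record: dict):
    """Return (kind, canonical value), or None if the record is noise we never act on."""
    value, kind = refang(record["value"]), record["type"]
    if kind == "url":
        # Reduce a URL to its host so URL and bare-domain sightings of the same
        # infrastructure merge into one indicator.
        value = value.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        kind = "domain"
        try:
            ipaddress.ip_address(value)
            kind = "ipv4"
        except ValueError:
            pass
    if kind == "ipv4":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None                       # malformed address
        if any(addr in net for net in INTERNAL_NETS):
            return None                       # RFC 1918/loopback leaks cannot be an external adversary
    elif kind == "domain" and value.endswith(ALLOWLIST_SUFFIXES):
        return None                           # our own infrastructure
    return kind, value


def curate(records, today: date, max_age_days: int = MAX_AGE_DAYS):
    """Normalize, dedupe, age out and score feed records; highest confidence first."""
    merged = {}
    for rec in records:
        norm = normalize(rec)
        if norm is None:
            continue
        if (today - date.fromisoformat(rec["first_seen"])).days > max_age_days:
            continue
        kind, value = norm
        merged.setdefault((kind, value), CuratedIndicator(value, kind)).sources.add(rec["feed"])
    for ind in merged.values():
        # Noisy-OR combination: independent corroborating sources raise confidence,
        # so 'isac' + 'vendor' scores 1 - (1-0.6)(1-0.5) = 0.8.
        miss = 1.0
        for src in ind.sources:
            miss *= 1.0 - SOURCE_WEIGHT.get(src, 0.1)
        ind.confidence = round(1.0 - miss, 3)
    return sorted(merged.values(), key=lambda i: (-i.confidence, i.value))


def curate_sample():
    """Run the curation over the constructed feed as of a fixed date."""
    return curate(RAW_FEED, date(2024, 5, 10))


if __name__ == "__main__":
    for ind in curate_sample():
        print(f"{ind.confidence:.2f}  {ind.kind:6} {ind.value:28} {sorted(ind.sources)}")
```

Seven raw records become three curated indicators: the defanged domain and the URL collapse into one entry backed by two sources, the private address, the internal CDN host, and the 2023 indicator are discarded, and the output is ordered so the corroborated indicator is what an analyst or a blocking control sees first.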
Threat Intelligence Integration
Because threat intelligence is a shared resource for stakeholders in different business functions, integrating systems enables more relevant reporting and a better flow of feedback to improve collection. A solid configuration management database (CMDB) and a vulnerability management program are fundamental to integrating systems and processes successfully, because they tell you which assets and weaknesses an indicator actually touches. Forming a digital forensics and investigations team that runs intel feeds against the complete environment can add significantly to actionable cyber threat intelligence.
Once integration is complete and the organization operates on the latest threat intelligence, threats can be identified and blocked quickly. Beyond faster response, insight into threat actors' capabilities lets you thwart attacks at an earlier stage, before they enter the network.
Another advantage of comprehensive integration is the convergence of physical and logical security. A simple use case: someone badges into a facility and then connects to the virtual private network (VPN). An employee who is physically on site is already inside the firewall and should not need the remote-access VPN, so the system can raise a flag. The odd behavior could be due to a stolen badge or to malicious cyber activity such as compromised VPN credentials; either way, it should trigger an alert.
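The badge-plus-VPN correlation above, as an added example that is not code from the original article: it builds on-site presence intervals from badge-in and badge-out events and flags any successful VPN login that falls inside one, while ignoring users who badged out first, users who never badged in, and failed login attempts. The log line format, field names, and the 12-hour presence timeout for people who never badge out are assumptions; the log lines are constructed.

```python
"""Added example: flag a remote-access VPN login by a user who is badged in on site.

Illustrative code only; the log line formats, field names and timing
assumptions below are constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed sample logs in a simple 'timestamp source key=value ...' shape.
BADGE_LOG = [
    "2024-05-06T08:02:11Z badge user=alice site=HQ action=in",
    "2024-05-06T08:05:40Z badge user=bob site=HQ action=in",
    "2024-05-06T12:10:00Z badge user=bob site=HQ action=out",
    "2024-05-06T08:30:00Z badge user=carol site=BRANCH action=in",
]
VPN_LOG = [
    "2024-05-06T09:15:22Z vpn user=alice src=198.51.100.77 result=success",  # on site, then VPN
    "2024-05-06T13:40:00Z vpn user=bob src=203.0.113.9 result=success",      # badged out first
    "2024-05-06T09:00:00Z vpn user=dave src=203.0.113.10 result=success",    # never badged in
    "2024-05-06T09:05:00Z vpn user=carol src=198.51.100.78 result=failure",  # failed attempt only
]

# Assumption: a badge-in without a matching badge-out counts as presence for
# this long, because people forget to badge out.
PRESENCE_TIMEOUT = timedelta(hours=12)


def parse(line: str) -> dict:
    """Split 'ts source k=v k=v' into a dict with a parsed UTC timestamp."""
    ts, source, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    event["source"] = source
    return event


def presence_intervals(badge_events):
    """Per user, a list of (site, start, end) intervals during which they were on site."""
    intervals = {}
    open_entries = {}                      # user -> (site, badge-in time) with no badge-out yet
    for ev in sorted(badge_events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["action"] == "in":
            open_entries[user] = (ev["site"], ev["ts"])
        elif ev["action"] == "out" and user in open_entries:
            site, start = open_entries.pop(user)
            intervals.setdefault(user, []).append((site, start, ev["ts"]))
    for user, (site, start) in open_entries.items():      # still 'in': assume a bounded stay
        intervals.setdefault(user, []).append((site, start, start + PRESENCE_TIMEOUT))
    return intervals


def correlate(badge_lines, vpn_lines):
    """Return one alert per successful VPN login that falls inside the user's on-site interval."""
    present = presence_intervals(parse(line) for line in badge_lines)
    alerts = []
    for ev in (parse(line) for line in vpn_lines):
        if ev.get("result") != "success":
            continue                                      # failed logins belong to a different detection
        for site, start, end in present.get(ev["user"], []):
            if start <= ev["ts"] <= end:
                alerts.append({
                    "user": ev["user"], "site": site, "vpn_src": ev["src"],
                    "badged_in": start.isoformat(), "vpn_login": ev["ts"].isoformat(),
                    "reason": "VPN login while badged in on site; possible stolen badge "
                              "or compromised VPN credentials",
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_LOG, VPN_LOG):
        print(alert)
```

Only alice is flagged: she badged into HQ at 08:02 and a VPN session for her account succeeded at 09:15 from an external address. Bob's VPN login comes after his badge-out, dave never badged in, and carol's attempt failed, so none of those produce an alert. In production the same logic would consume badge and VPN events from the SIEM, and the presence timeout would be tuned to how long a site stays occupied.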
Measuring Threat Intel Effectiveness
Measuring effectiveness is a pillar of a mature threat intelligence program. The two main types of metrics cover the organization's security posture and the team's efficacy in doing its job. Tracking both yields better cybersecurity, greater resource productivity, justification for current and future threat intelligence investments, and feedback for continual improvement.
The point of measuring effectiveness is to add value the organization can act on, not simply to tally threats found. What is tracked matters more than the tracking process itself. Set a baseline measurement to compare improvements against, and track metrics your security team directly controls. Specific measurements may include time from IoC receipt to response, the number of campaigns tracked, and feed efficacy (for example, the share of a feed's indicators that ever produce a confirmed match in your environment).
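The metrics named above, computed per feed and compared against a baseline, as an added example that is not part of the original article: time to IoC response (ingestion to the moment a control was updated), the backlog of indicators not yet actioned, feed efficacy as the share of a feed's indicators that ever produced a confirmed match, and the true-positive rate of the matches they generated. The record layout, the meaning of "actioned", and the baseline figures are assumptions; all sample data is constructed.

```python
"""Added example: per-feed threat intel metrics the team controls, compared to a baseline.

Illustrative code only. The record layout, the meaning of 'actioned' (the
time a blocking control was updated) and the sample values are constructed.
"""
from datetime import datetime
from statistics import median

# Constructed indicator records: when each IoC was ingested and when the team
# pushed it to a control. None means it is still waiting in the queue.
INDICATORS = [
    {"id": "i1", "feed": "isac",   "ingested": "2024-05-01T10:00:00", "actioned": "2024-05-01T11:00:00"},
    {"id": "i2", "feed": "isac",   "ingested": "2024-05-02T09:00:00", "actioned": "2024-05-02T09:30:00"},
    {"id": "i3", "feed": "osint",  "ingested": "2024-05-02T09:00:00", "actioned": "2024-05-03T09:00:00"},
    {"id": "i4", "feed": "osint",  "ingested": "2024-05-03T08:00:00", "actioned": None},
    {"id": "i5", "feed": "vendor", "ingested": "2024-05-03T08:00:00", "actioned": "2024-05-03T10:00:00"},
]
# Constructed sightings: each time an indicator matched telemetry, with the analyst's verdict.
SIGHTINGS = [
    {"indicator": "i1", "verdict": "true_positive"},
    {"indicator": "i2", "verdict": "false_positive"},
    {"indicator": "i5", "verdict": "true_positive"},
    {"indicator": "i5", "verdict": "true_positive"},
]
# Constructed baseline from an earlier measurement period, for the same metric names.
BASELINE = {
    "isac":  {"indicators": 2, "median_response_hours": 6.0,  "unactioned": 1, "efficacy": 0.5, "true_positive_rate": 0.25},
    "osint": {"indicators": 3, "median_response_hours": 30.0, "unactioned": 2, "efficacy": 0.0, "true_positive_rate": None},
}


def _hours(start: str, end: str) -> float:
    fmt = "%Y-%m-%dT%H:%M:%S"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600


def feed_metrics(indicators, sightings):
    """Per feed: volume, median time to IoC response, backlog, efficacy and precision."""
    by_feed = {}
    for ind in indicators:
        by_feed.setdefault(ind["feed"], []).append(ind)
    tp_by_ind, fp_by_ind = {}, {}
    for s in sightings:
        bucket = tp_by_ind if s["verdict"] == "true_positive" else fp_by_ind
        bucket[s["indicator"]] = bucket.get(s["indicator"], 0) + 1

    metrics = {}
    for feed, inds in by_feed.items():
        response_hours = [_hours(i["ingested"], i["actioned"]) for i in inds if i["actioned"]]
        tp = sum(tp_by_ind.get(i["id"], 0) for i in inds)
        fp = sum(fp_by_ind.get(i["id"], 0) for i in inds)
        metrics[feed] = {
            "indicators": len(inds),
            "median_response_hours": round(median(response_hours), 2) if response_hours else None,
            "unactioned": len(inds) - len(response_hours),
            # Efficacy: share of this feed's indicators that ever produced a confirmed match.
            "efficacy": round(sum(1 for i in inds if tp_by_ind.get(i["id"])) / len(inds), 2),
            # Precision of the matches it generated; None if it never fired at all.
            "true_positive_rate": round(tp / (tp + fp), 2) if tp + fp else None,
        }
    return metrics


def compare_to_baseline(baseline, current):
    """Signed change per feed and metric. A negative response-time delta and a
    positive efficacy delta are improvements; metrics missing on either side are skipped."""
    deltas = {}
    for feed, cur in current.items():
        base = baseline.get(feed, {})
        deltas[feed] = {k: round(cur[k] - base[k], 2) for k in cur
                        if isinstance(cur[k], (int, float)) and isinstance(base.get(k), (int, float))}
    return deltas


def sample_report():
    """Metrics for the constructed period and their change against the constructed baseline."""
    current = feed_metrics(INDICATORS, SIGHTINGS)
    return current, compare_to_baseline(BASELINE, current)


if __name__ == "__main__":
    current, deltas = sample_report()
    for feed in current:
        print(feed, current[feed], "delta:", deltas[feed])
```

On the constructed data the ISAC feed's median response time fell from 6 hours to 45 minutes and half of its indicators produced a confirmed match, the OSINT feed still has an indicator waiting and has never produced a true positive, and the vendor feed has no baseline yet, so its deltas are empty. Those are the numbers that let a team argue for keeping, tuning, or dropping a feed rather than counting how many indicators it delivered.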
Strategic Use of Intelligence
The ultimate test of a cyber threat intelligence maturity assessment is whether the program is being used strategically. On the cybersecurity front, this means moving from just the 'what' of threat actors to the 'who and why', seeing trends in the threat landscape, and weighing the opportunity costs of taking action. At the business level, threat intelligence maturity can lead to collaboration across functional teams, company-wide involvement in technology investment, better risk management, and stronger strategic planning. An effective threat intelligence program can even become a competitive advantage, assuring customers that their data is protected and shielding the company from devastating breaches.
Threat Intelligence Management Solutions
Most security teams turn to Threat Intelligence Platforms (TIPs) or threat intelligence management solutions for help. Solutions like Anomali ThreatStream automate the collection and processing of raw data, turning it into actionable threat intelligence so security teams can make faster decisions. ThreatStream builds relationships between the various pieces of data to minimize false positives, helping teams prioritize and respond to threats and increasing analyst productivity with real-time information, resulting in the following:
- Automated correlation of data with threat intel
- Contextual analysis
- Generated alerts
- Confidence scoring
Hear more from industry expert Jimmie Owens, CISO and Vice President, Enterprise Security, at DXC Technology, as he shares his insights and journey in cyber threat intelligence across industries and organization types. Watch the webinar, Climbing the Threat Intelligence Maturity Curve, today.