What is Threat Intelligence
Threat Intelligence has morphed from a catchy marketing buzzword to a highly sought-after tool, which when used correctly, can bring immense value to an organization. However, because it is in high demand and organizations are researching and adopting it in some form or another, the market has become flooded with products and services promising to provide “Threat Intelligence” to an organization. Unfortunately, in many cases, the “Threat Intelligence” provided is only one piece of a larger puzzle.
When working with Threat Intelligence it is easier to look at it as two separate concepts:
- Threat Data (aka Threat Feeds)
- Threat Context (aka Intelligence)
These concepts combined produce the relevant and actionable “Intelligence” organizations need to better align their security goals with their business’s long-term objectives.
Threat Data consists of raw data feeds of artifacts such as malicious IPs or URLs, which generally lack context about the motive behind the malicious behavior. Threat data alone cannot provide the intelligence necessary to make informed decisions about the security of our environments, but when paired with Threat Context we get a clearer picture of the risk it poses to our organization.
Threat Context is more elusive and is usually where organizations fall short when implementing a Threat Intelligence program. To apply “context” an organization must have a clear goal of what it is trying to achieve by introducing a piece of threat data into its security program. Without a clear vision, threat intelligence can become an expensive drain on resources with little to no real value.
Threat Intelligence Challenges
As more organizations begin to adopt threat intelligence practices into their security programs the need for a more structured implementation path has become greater. Threat intelligence implementation is a marathon process which needs to be carefully planned and executed to ensure it is agile and built on a strong foundation.
Understanding some common challenges organizations have faced while building their threat intelligence program can provide valuable information to those organizations looking to adopt threat intelligence into their security monitoring program.
Does Not Align with Business Goals
One of the biggest mistakes made when implementing a threat intelligence program is the failure to tie its use to an identified risk to the business. When evaluating threat intelligence feeds, security teams will want to identify the business problem the feeds will help solve and examine how they will use these data sources in conjunction with their internal threat intelligence feeds.
Performing a risk assessment can help identify the risks an organization may face and what can be done to minimize their impact on the business. This practice will arm an organization with valuable information on how best to protect its business and what types of intelligence will make the most impact for the organization.
Choosing the Wrong Intelligence Data
Over the past couple of years, threat intelligence data or feeds have become synonymous with a threat intelligence program. This data is a crucial part of an intelligence program, but without context, an organization runs the risk of adding yet another data source without fully recognizing its value. When evaluating threat intelligence data, consider the following:
- What is the focus?
A majority of threat intelligence feeds focus on a single area of interest such as malicious domains, IP addresses, or hash values. Knowing how these feed types will be utilized within your organization will determine their overall value.
- Where is the information gathered from?
There are countless free and paid threat intelligence subscription services available, but not all data sources are created equal. There are six main types of intelligence data sources to be aware of when evaluating a threat feed:
  - open source
  - malware processing
  - human intelligence
  - internal telemetry
Organizations will want to have a good understanding of where these feeds are derived from and ensure, especially if they are delivered via a paid service, that they can be evaluated against their internal intelligence to recognize their maximum potential.
- How frequently are they updated?
Ensuring threat intelligence feeds are updated and relayed in near real time is an invaluable feature of any reputable data source. Ingesting stale or incomplete data can cause an organization to focus on the wrong objectives, which can lead to data overload and alert fatigue.
Asking these questions when evaluating a new threat feed will help identify what sources of intelligence may be the best fit for your business need, but the real value will be displayed through its analysis. Performing proper analysis of a threat intelligence feed is what will provide the context necessary for an organization to make operational changes to better secure their environment. Without analysis, these feeds become another potentially costly, unmanageable source of noise.
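As an added illustration of the data-plus-context point above (this is example code, not code from the original article), the following Python routine drops stale feed entries, weights the remaining ones by the source types the article lists, and boosts any indicator that also appears in the organization's own telemetry. The source weights, the seven-day freshness window, and all sample feed and log values are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Assumed weights per source type: the article lists these types but does not rank them.
SOURCE_WEIGHT = {
    "internal telemetry": 4,
    "malware processing": 3,
    "human intelligence": 3,
    "open source": 1,
}

def prioritize_indicators(feed, telemetry, now, max_age_days=7):
    """Return fresh feed entries ranked by context: source type plus whether the
    indicator was actually observed in our own telemetry (the 'context' the raw feed lacks)."""
    cutoff = now - timedelta(days=max_age_days)
    # Tokenise the constructed log lines so "198.51.100.23:443" yields the bare address.
    seen = set()
    for line in telemetry:
        seen.update(re.findall(r"[A-Za-z0-9.-]+", line))
    ranked = []
    for entry in feed:
        if datetime.fromisoformat(entry["last_seen"]) < cutoff:
            continue  # stale data is noise, not intelligence
        observed = entry["indicator"] in seen
        score = SOURCE_WEIGHT.get(entry["source_type"], 0) + (5 if observed else 0)
        ranked.append({**entry, "observed_internally": observed, "score": score})
    ranked.sort(key=lambda e: e["score"], reverse=True)
    return ranked

# Constructed sample feed and telemetry using documentation-reserved addresses and names.
FEED = [
    {"indicator": "203.0.113.7", "source_type": "open source", "last_seen": "2024-03-01T00:00:00"},
    {"indicator": "malware.example", "source_type": "malware processing", "last_seen": "2024-03-09T12:00:00"},
    {"indicator": "198.51.100.23", "source_type": "open source", "last_seen": "2024-03-10T08:00:00"},
    {"indicator": "c2.example", "source_type": "human intelligence", "last_seen": "2024-03-10T09:00:00"},
]
TELEMETRY = [
    "2024-03-10T10:01:02 proxy ALLOW 10.0.0.5 -> 198.51.100.23:443",
    "2024-03-10T10:02:45 dns QUERY 10.0.0.8 c2.example",
]
NOW = datetime(2024, 3, 10, 12, 0, 0)

if __name__ == "__main__":
    for e in prioritize_indicators(FEED, TELEMETRY, NOW):
        print(e["score"], e["indicator"], e["source_type"], e["observed_internally"])
```

The stale open-source address is discarded, and the two indicators actually seen in telemetry rise to the top regardless of how the raw feed ordered them.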
Failure to Operationalize Intelligence Data
The ability to use threat intelligence data in an operational capacity is the ultimate goal of a threat intelligence program. A successful program will give an organization greater insight into the potential threats its environment faces and give its security team a way to prioritize alerting based on the risk those threats pose to the business. Failure to align an organization’s security program with its business objectives can have a direct impact on the intelligence sources it uses and how it is able to operationalize its intelligence.
Overcoming these challenges while implementing a threat intelligence program can be tricky. It is an ongoing, and at times tedious, process which, if implemented correctly, will adapt as your business grows. If you do find yourself up against any of these challenges, take a step back and make sure that the intelligence source fits a business objective, is sourced appropriately for its use case, and can be used to make operational changes. If you can answer yes to all of these criteria, you are on your way to achieving a higher level of cyber threat intelligence.
Is Cyber Threat Intelligence Still Useful?
Information is invaluable to business in today’s world. But, in some cases, having large amounts of information coming your way can actually hurt your business. This holds particularly true for organizations that constantly deal with the risk of cyber attacks, where every piece of information that could help prevent those attacks may be of great use. This is where cyber threat intelligence comes in, as one of the crucial aspects of developing an effective cyber defense strategy.
But, with so many feeds from various sources at their disposal, determining which information is relevant and credible and distinguishing it from the data that is not essential in regard to a potential cyber threat has become a major challenge for many cyber security professionals. As a result, being able to reduce the noise coming from the flurry of threat intelligence is now key to creating successful security operations.
Overwhelming Amount of Cyber Threat Information
A new study recently conducted by Ponemon Institute LLC, and sponsored by Anomali, reveals that the amount of threat intelligence that cyber security professionals deal with is overwhelming, preventing them from tackling incidents more efficiently.
The study, titled The Value of Threat Intelligence: A Study of North American and United Kingdom Companies, surveyed more than 1,000 professionals from the cyber security industry, with 70 percent of them saying that threat intelligence is often “too voluminous and/or complex to provide actionable intelligence”. This figure should raise concern, considering that almost half of the respondents (46%) said that incident responders rely on threat data during the incident response process. Furthermore, according to the study, there is too much data to really make sense of when enterprises have only a limited staff of security operations center analysts or threat analysts.
SIEM Integration Vs IR Orchestration
Cyber security experts agree that in order to use cyber threat intelligence data in an effective and productive way, there must be a SIEM integration in place. However, while 62% of those surveyed said they were aware of this necessity, as many as 64% of them stated that putting such integration in place takes a lot of time and resources, making it a tough feat.
In my corporate experience, the companies that actually integrate SIEM with CTI represent a minority. The main consequence of this lack of integration is the inability to make use of TI feeds during an incident. But there is a new technology trend that addresses this exact problem. There are platforms capable of sitting on top of the SIEM and integrating multiple tools from different vendors, which is one of the biggest challenges threat analysts face. This approach is usually taken during the incident triage phase; it is not intended as a SIEM replacement, but it can help SOCs and CSIRTs reduce reaction time and related noise. Such platforms fit the Incident Response and SOC Orchestration space, featuring multiple integrations that are easy to use and configure, and are nowadays probably the only way to reach near-real-time, cost-saving incident response, filling the gap created when data sources originate from different vendors. These platforms support SIEM integration and could represent a great solution for any entity trying to build a successful and affordable cyber defense by effectively reducing the noise of threat intelligence.
In one of my next columns, I will introduce this paradigm, along with its main potential in the world of Security Operations and Incident Response. In the meantime, you can follow me on our LinkedIn page.