“Threat Intelligence” seems like a pretty common buzzword these days. Pretty much every security vendor says it has threat intelligence.
But, what is it, and is it enough to just ‘have’ threat intelligence?
Wikipedia defines threat intelligence as “Cyber threat intelligence is information about threats and threat actors that helps mitigate harmful events in cyberspace. Cyber threat intelligence sources include open-source intelligence, social media intelligence, human intelligence, technical intelligence or intelligence from the deep and dark web”.
Basically, it is taking any information that can be found about cyber threats and attacks and synthesizing it into ‘something’. That something should be actionable.
For example, we have threat intelligence identifying known threat actors targeting Microsoft Exchange. Assuming we use Microsoft Exchange, what do we do with the intelligence? Is our Exchange exposed to the internet? What can we do to defend or better protect our Exchange implementation? Or confirm if it has already been compromised?
Many organizations subscribe to threat intelligence feeds. While that is a good start, it is only helpful if you also correlate that information with your own network and validate if there is an actual threat. Often, we find that people subscribe to threat feeds to ‘check a box’, and while they may have some analysts who review the feeds now and then, the intelligence is not operational.
How do we operationalize threat intelligence?
Operational threat intelligence starts with preparation. Following NIST’s Cybersecurity Framework (CSF) would be a good place to start. Identify assets and policies. Are they adequately protected? Are measures in place to detect threats? Are plans developed to respond to and recover from issues?
Is our Microsoft Exchange patched? Do we have an established measurable program to validate and govern that patching? When the threat feeds give us indicators of compromise (IOCs), can we use them? If the worst happens, can we mobilize and respond and recover with enough agility to minimize damage?
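The correlation step described above (taking IOCs from a feed and checking them against your own network telemetry) is what turns a subscription into something operational. The following is an added illustration, not Foresite's or ProVision's code: a small matcher that loads a feed of IP, domain and SHA-256 indicators and runs it over DNS, proxy and endpoint log lines, reporting which indicators were actually seen on which assets. The feed format, the log formats and all values in them (TEST-NET addresses, an example domain, the SHA-256 of empty input) are constructed sample data, not real indicators.

```python
"""Correlate a threat-intelligence feed against local log lines.

Added example (not Foresite's code). The feed layout (kind,value,context)
and the log layouts are assumptions; real feeds arrive as STIX, CSV or
JSON and only the parsing step would differ.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample feed. Values are documentation/test ranges and an
# example domain; the hash is SHA-256 of empty input, used as a stand-in.
SAMPLE_FEED = """\
ipv4,198.51.100.23,scanning infrastructure (constructed, TEST-NET-2)
domain,bad-updates.example,staging host (constructed)
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,dropper (constructed: SHA-256 of empty input)
"""

# Constructed sample logs from three sources: DNS resolver, web proxy, EDR.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z dns client=10.0.0.5 query=bad-updates.example type=A",
    "2024-05-01T10:00:02Z proxy client=10.0.0.5 dst=198.51.100.23:443 method=CONNECT",
    "2024-05-01T10:00:03Z proxy client=10.0.0.6 dst=203.0.113.9:443 method=CONNECT",
    "2024-05-01T10:00:04Z edr host=EXCH01 file=C:\\Temp\\update.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]


@dataclass(frozen=True)
class Ioc:
    kind: str      # "ipv4", "domain" or "sha256"
    value: str     # normalised (lower-cased) indicator value
    context: str   # free-text description carried from the feed


def load_feed(text: str) -> list[Ioc]:
    """Parse the feed; malformed IP indicators raise instead of silently matching nothing."""
    iocs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, context = line.split(",", 2)  # context may itself contain commas
        kind, value = kind.strip(), value.strip().lower()
        if kind == "ipv4":
            ipaddress.ip_address(value)
        iocs.append(Ioc(kind, value, context.strip()))
    return iocs


# Deliberately loose extractors: they over-collect candidates (e.g. "update.exe"
# looks like a domain) and the feed lookup in correlate() does the filtering.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def extract_observables(line: str) -> set[tuple[str, str]]:
    """Pull candidate (kind, value) observables out of one log line."""
    found = set()
    found.update(("ipv4", ip) for ip in IPV4_RE.findall(line))
    found.update(("domain", d.lower()) for d in DOMAIN_RE.findall(line))
    found.update(("sha256", h.lower()) for h in SHA256_RE.findall(line))
    return found


def correlate(iocs: list[Ioc], log_lines: list[str]) -> dict[Ioc, list[str]]:
    """Return {indicator: [matching log lines]} for every indicator observed in the logs."""
    index = {(i.kind, i.value): i for i in iocs}
    hits: dict[Ioc, list[str]] = defaultdict(list)
    for line in log_lines:
        for key in extract_observables(line):
            ioc = index.get(key)
            if ioc is not None:
                hits[ioc].append(line)
    return dict(hits)


def summarize(hits: dict[Ioc, list[str]]) -> list[str]:
    """One report line per matched indicator, with its feed context and hit count."""
    return [
        f"{ioc.kind}:{ioc.value} ({ioc.context}) -> {len(lines)} hit(s)"
        for ioc, lines in sorted(hits.items(), key=lambda kv: kv[0].value)
    ]


if __name__ == "__main__":
    for row in summarize(correlate(load_feed(SAMPLE_FEED), SAMPLE_LOGS)):
        print(row)
```

Run as-is it reports three hits (one per indicator) and says nothing about the proxy line to 203.0.113.9, which is the point: the feed alone tells you nothing about your exposure, while the join between feed and your own logs tells you which host queried which indicator and when, which is what a responder can act on.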
If we cannot make threat feeds drive appropriate actions, threat intelligence is of little value – it is essentially like a person hearing the weather report for rain, yet not wearing a raincoat or grabbing an umbrella. They are going to get wet.
Foresite’s ProVision can help you utilize IOCs and make them matter.