The rising value of information, the increased connectivity of systems, and the rapid uptake of cloud computing technology are significantly expanding the threat from cybercriminals and hostile groups, both in magnitude and severity. To mitigate this risk and build effective defenses, organizations must have a better understanding of their adversary: their objectives, their capabilities, their strategies, and their likely tactics. This is where threat intelligence (TI) comes in.
TI is evidence-based, contextualized information about adversarial threats — their past, present, and predicted attacks against the organization, produced after careful analysis of available data and information. It helps analyze the different ways in which a threat actor can attack an organization, provides actionable advice on how to defend against these attacks, supplies guidance on allocation of resources, and explains mechanisms behind an attack.
If your security team is considering, planning, building, or operating a TI capability, here is some practical guidance that can help.
1. Develop Organization Structures and Define Requirements
Design a structure for the TI capability that aligns with the overarching corporate structure and helps determine the type of intelligence required. Define a set of prioritized intelligence requirements (PIRs) and specific intelligence requirements (SIRs) that help direct the intelligence effort efficiently.
2. Build a Team
People are an integral part of any intelligence effort. Most security solutions are siloed, and analysts are needed to connect the dots. Start by outlining roles and responsibilities, clarify the core skills that are needed (strategic, tactical, operational), and commence assembling a team that is in line with the program vision.
3. Ensure Alignment With Business
Don't forget that intelligence is a support function. The TI team must understand business objectives first and then align their operations and efforts to support the business. Furthermore, TI teams will need the support, trust, blessing, and collaboration from business teams to further their own efforts. Establishing focus groups or collaborative forums will ensure alignment is maintained between TI teams and relevant business units.
4. Consider Levels of Outsourcing Required
While the primary source of TI is typically an organization's own internal network and systems (DNS logs, firewall logs, SIEM data, etc.), secondary sources can include global threat databases; commercial sources of TI, like TI feeds, STIX, and TAXII; information collected by sensors, honeypots, and Web crawlers; hacking forums; and other partnerships or community alliances. Always be clear on business requirements, service design, and team structures before considering outsourcing. Also ensure outsourced providers have a clear understanding of the organization's expectations when it comes to TI.
5. Automate Processing Functions
Security analysts and incident responders can receive thousands of alerts per day from their security infrastructure. As a result, they spend a significant portion of their time in detection, triage, and investigation. Ideally, the processing and analysis of TI should happen automatically so that analysts are more productive, time-sensitive TI immediately reaches all stakeholders, and action is taken on time. Only consider automation of processes that are mature (defined, repeatable, and measurable), and don't forget to calibrate the accuracy and relevance of incoming information and data that is processed via automation. Failure to do so will lead to a result more detrimental than helpful.
6. Collaborate and Share Information Outside the Organization
With threat actors becoming more sophisticated by the minute, it is essential that organizations share intelligence and leverage the community's knowledge to improve their security posture and implement both timely and adequate defensive measures. By sharing and exchanging TI, organizations not only leverage a broad set of insights that they may have not seen previously, but they also improve trust, relationships, and collaboration among their peers. But first be clear on corporate policy surrounding external sharing before entering into any agreements. Determine upfront the types of information the organization is willing and unwilling to share.
7. Measure TI's Effectiveness
Having TI is great, but the key question is, is it being used effectively? There are three main evaluation parameters of TI effectiveness:
- Intelligence quality: Is it relevant, timely, actionable, and accurate?
- Intelligence usage: How well is the intelligence consumed and applied?
- Legal aspects: The TI program must be in compliance with applicable laws, such as GDPR.
TI teams must identify tangible and intangible measures of success, working with business teams and partners to constantly fine-tune and improve their programs.
TI isn't something that can be bought (although it can be augmented through commercial intelligence) — it needs to be developed as a capability. Organizations must consider the triad of people, process, and technology: People are an integral part of the intelligence cycle, processes are needed for TI's production and dissemination, and technology is needed to triage vast quantities of incoming information and to influence the ongoing development of threat intelligence.