For organizations struggling to defend against today's onslaught of cyberattacks, data can be both a blessing and a curse. Companies rely on data they get from outside sources, such as Cybersecurity and Infrastructure Security Agency (CISA) alerts, vendors, and threat intelligence feeds. However, all that information can be overwhelming if you don't know how to use it. Meanwhile, companies often overlook important data that resides inside their own environments.
To use threat intelligence effectively, you first need to understand what's happening inside your own environment and how your employees use network resources. With this context, you can interpret, tailor, and apply threat intelligence in a way that is specific and unique to your organization. This bespoke baseline enables you to identify anomalies in your environment and the issues they pose. All the outside threat data in the world won't help you if you don't know what your internal systems are supposed to be doing.
In general, there is too much reliance on products to solve our security problems. Security teams have become consumers of security alerts, not practitioners of security craftsmanship. As security professionals, it's not our job to stare at the great and powerful Oz but to look behind the curtain.
For example, antivirus and endpoint detection and response (EDR) tools help security teams reduce the noise of logs, keep an eye on endpoints, and identify known threats, but they won't identify all the threats in your environment. Relying on traditional tools alone is practically a guarantee of failure. Sophisticated attackers reverse engineer the same tools you rely on to protect your systems. They know how those tools work, what their capabilities are, and what their weaknesses are. Why should the attacker know more about your systems than your security team does?
Use these tips for turning your threat intel into security knowledge:
1. Use multiple sources of data. By all means, take advantage of threat intel feeds and CISA alerts, but know their limitations. Threat intel feeds carry only a few types of information — tactics, techniques, IP addresses, domain names, or file hashes — and by the time you get the alerts, the information can be months old. New information needs to be checked not only against the way your systems are today but against the way they were in the past. By being able to view insights across time, you achieve a new level of security awareness and confidence in your continuous security integrity.
2. Make the data actionable. Security professionals often don't see threat intel as valuable because it typically lacks context. A list of IP addresses is just data if you don't understand why (and when) the addresses are considered bad. Organizations often subscribe to more than a dozen feeds, which means they will get potentially millions of pieces of information daily. The majority of this information will either lead to false positives or be irrelevant to the organization's business. The cost of this is twofold. First, there is the cost of using this information in your security gear. Imagine trying to match millions of indicators of compromise against log volume from EDR, network detection and response, and intrusion detection systems. There is also a cost associated with dealing with those red herrings.
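As an added example that is not part of the article, the following Python script puts points 1 and 2 into practice: each indicator carries the context a feed usually lacks (why it was flagged, which feed said so, and the window in which it was actually seen in use), and the indicators are matched retrospectively against older log lines rather than only against today's traffic, so a hit also reports how stale the indicator is and whether the event fell inside its active window. The log format, hosts, indicators, hash value and the 60-day staleness threshold are all constructed assumptions for illustration, not data from any real feed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed example: a small indicator store that keeps the "why" and "when"
# of each indicator, matched retrospectively against historical log lines.
# Indicators, hosts, log lines and the hash are made up; IPs use RFC 5737
# documentation ranges and domains use reserved names.


@dataclass(frozen=True)
class Indicator:
    value: str            # the observable: IP address, domain or MD5 hex digest
    kind: str             # "ip", "domain" or "md5"
    reason: str           # why the feed considers it malicious
    first_seen: datetime  # start of the window in which the feed saw it in use
    last_seen: datetime   # end of that window
    source: str           # which feed reported it


@dataclass(frozen=True)
class Match:
    event_time: datetime
    host: str
    indicator: Indicator
    indicator_age_days: int  # days since the feed last saw the indicator in use
    in_active_window: bool   # did the event happen while the indicator was active?


def parse_ts(s: str) -> datetime:
    """Parse a UTC timestamp of the form 2024-01-10T08:15:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


INDICATORS: List[Indicator] = [  # constructed, not from a real feed
    Indicator("203.0.113.45", "ip", "C2 beaconing", parse_ts("2023-11-01T00:00:00Z"), parse_ts("2023-12-15T00:00:00Z"), "feed-a"),
    Indicator("198.51.100.7", "ip", "phishing landing host", parse_ts("2024-02-20T00:00:00Z"), parse_ts("2024-03-01T00:00:00Z"), "feed-b"),
    Indicator("update.example.invalid", "domain", "dropper download domain", parse_ts("2024-01-05T00:00:00Z"), parse_ts("2024-03-02T00:00:00Z"), "feed-a"),
    Indicator("0123456789abcdef0123456789abcdef", "md5", "loader sample", parse_ts("2024-02-01T00:00:00Z"), parse_ts("2024-02-28T00:00:00Z"), "feed-c"),
]

# Constructed log lines in a simple "timestamp host key=value ..." form;
# "-" means the field was not present in that event.
LOG_LINES: List[str] = [
    "2024-01-10T08:15:00Z ws-17 dst_ip=203.0.113.45 domain=- md5=-",
    "2024-02-22T13:02:11Z ws-03 dst_ip=198.51.100.7 domain=update.example.invalid md5=-",
    "2024-02-25T09:44:30Z srv-db1 dst_ip=192.0.2.10 domain=- md5=0123456789abcdef0123456789abcdef",
    "2024-03-01T17:20:05Z ws-03 dst_ip=192.0.2.11 domain=intranet.example.com md5=-",
    "this line is deliberately malformed and must be skipped",
]

# Which log field holds which kind of observable.
FIELD_TO_KIND = {"dst_ip": "ip", "domain": "domain", "md5": "md5"}


def parse_log_line(line: str) -> Tuple[datetime, str, Dict[str, str]]:
    """Split one log line into (timestamp, host, fields); raise ValueError if malformed."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("too few fields")
    when, host = parse_ts(parts[0]), parts[1]
    fields: Dict[str, str] = {}
    for kv in parts[2:]:
        if "=" not in kv:
            raise ValueError("expected key=value")
        key, val = kv.split("=", 1)
        fields[key] = val
    return when, host, fields


def match_logs(lines: List[str], indicators: List[Indicator], now: datetime) -> List[Match]:
    """Match every observable in every parsable log line against the indicator store."""
    index = {(i.kind, i.value.lower()): i for i in indicators}
    matches: List[Match] = []
    for line in lines:
        try:
            when, host, fields = parse_log_line(line)
        except ValueError:
            continue  # malformed input is skipped rather than aborting the run
        for field, kind in FIELD_TO_KIND.items():
            value = fields.get(field, "-").lower()
            if value == "-":
                continue
            ind = index.get((kind, value))
            if ind is not None:
                matches.append(Match(
                    event_time=when,
                    host=host,
                    indicator=ind,
                    indicator_age_days=(now - ind.last_seen).days,
                    in_active_window=ind.first_seen <= when <= ind.last_seen,
                ))
    return matches


def summarize(matches: List[Match], stale_after_days: int = 60) -> Dict[str, Dict[str, int]]:
    """Per-host counts: total hits, hits inside the active window, hits on stale indicators."""
    summary: Dict[str, Dict[str, int]] = {}
    for m in matches:
        row = summary.setdefault(m.host, {"hits": 0, "active": 0, "stale": 0})
        row["hits"] += 1
        row["active"] += int(m.in_active_window)
        row["stale"] += int(m.indicator_age_days > stale_after_days)
    return summary


if __name__ == "__main__":
    now = parse_ts("2024-03-05T00:00:00Z")  # constructed "today" for the analysis
    hits = match_logs(LOG_LINES, INDICATORS, now)
    for m in hits:
        print(f"{m.event_time:%Y-%m-%d} {m.host:8} {m.indicator.kind:6} {m.indicator.value} "
              f"[{m.indicator.reason}, {m.indicator.source}] age={m.indicator_age_days}d "
              f"active_window={m.in_active_window}")
    print(summarize(hits))
```

Run as a script, it lists each hit with its reason, source, staleness and whether the event fell inside the indicator's active window, then prints a per-host summary. The ws-17 hit is the interesting case for point 1: the indicator is 81 days stale and the event happened after the feed last saw it in use, so it deserves a retrospective look at what that host was doing at the time rather than an automatic alert, while ws-03 has two fresh, in-window hits and is the obvious place to start.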
The best solution is to consider threat intel obtained from third parties as a springboard for analysis, not the end result. For example, a feed may indicate that a file with a particular MD5 hash is malicious. While your systems may not have that exact file on them, they could have variants that are unknown to the feed provider. Understanding the similarities and connections of what exists in your environment and how far removed they are from data in threat intel feeds is the next evolutionary step in becoming a true security practitioner.
3. Adopt a security knowledge mindset. Threat intel is not something you have, it's something you do. Don't blindly buy a security product just because it's there; understand how it works and what its limitations are. Ask yourself the question, "How might an attacker evade it?" Security consumers would never ask questions like that, while practitioners engage across teams and functions. They break through team-siloed thinking and facilitate bidirectional sharing of knowledge. What one incident responder may attribute to "strange activity" might shed light on an active threat research case.
Functional walls around security operations center (SOC), incident response, and research teams interfere with effective communication and information sharing. All three should feed information to each other in real time. Each team uses different tools: SOCs use SIEMs, incident responders use forensic tools, and threat intel analysts use threat intel platforms. Executives need to formalize an operational structure that breaks down the silos and reduces the tool fragmentation that keeps security knowledge from flowing between teams.
Threat intel is a good thing, but if you're locked in a silo, its effectiveness is diminished. If you can break out of the silos and apply context, intelligence can be transformed into actionable security knowledge that's specific to your organization. Making that happen requires a top-down appreciation of its value, from the CEO and board of directors all the way through to the security practitioners.