Cyber threat intelligence programs play a foundational role in protecting modern enterprises from cyberattacks, informing security priorities, data collection, and decision-making. This blog introduces some of the key concepts and how to get started with cyber threat intelligence.
What is cyber threat intelligence?
Cyber threat intelligence is the process of collecting, processing, and analyzing information about threat actors, their motivations, their tactics, techniques, and procedures (TTPs), and known indicators of compromise (IOCs) within the context of your business. The goal of cyber threat intelligence is to inform decision-making across IT, security, and leadership organizations in order to prevent a cyberattack.
Aligning your threat intelligence program to a formal framework, like MITRE ATT&CK, can add structure and focus to threat intelligence data collection and capability development and is a key part of your managed detection and response program. The ATT&CK framework will also give you greater visibility earlier in the kill chain, alerting you to suspicious activity, so you can implement countermeasures before an attack is fully realized.
Find out more about Kudelski Security’s Threat Navigator – a tool to help you understand and eliminate the gaps in your ATT&CK technique detection capabilities.
Why do you need cyber threat intelligence?
Security teams need cyber threat intelligence to improve security visibility, speed time to detection and response, and make more informed business decisions. With threat intelligence, instead of “waiting” for a security incident to occur, you will have security controls and defenses that are aligned to the known threats, TTPs, and IOCs for your business.
What role does cyber threat intelligence play in business risk management?
Cyber threat intelligence will play an increasingly important role in business risk management as the era of digital transformation forges on. Technology is becoming more and more entwined with the business, and that means cybersecurity risk is now business risk.
No industry is immune to digital transformation, even traditionally walled-off ICS and OT environments. Moreover, employees are increasingly working from anywhere, anytime, with any device. Threat actors now have even more targets and more incentive to carry out attacks.
Every operational team, SOC, CSIRT, and CERT needs to know how the threat landscape is evolving and the TTPs threat actors are using. They need to be able to correlate cybersecurity risks to business risks — risks like service disruption, brand reputation, and legal and financial impacts.
In other words, they need to develop strong threat intelligence practices.
Planning your threat intelligence program: five key questions
Getting started with threat intelligence requires you to define the program’s objectives, target audiences, use cases, and roles and responsibilities. In this planning stage, make sure you take time to think through, document, and get buy-in for the following questions before investing further in the program.
Question One: What is the objective of the cyber threat intelligence program?
The objective of a threat intelligence program will be unique to your organization, taking into account factors like industry, geography, business model, risk tolerance, and strategic goals. For some, the threat intelligence program may be driven by the need to reduce financial risk; others may be more concerned with protecting their brand reputation; and others, like those in ICS and OT fields, may be concerned about safety and service delivery.
The objective every cyber threat intelligence program will have in common, however, is the desire to link security initiatives to business-specific risks.
Question Two: Who is the target audience of cyber threat intelligence?
Cyber threat intelligence can have multiple target audiences across IT, security, and leadership roles. The intelligence will need to be tailored to each audience as their needs and objectives will be different.
- Security and IT analysts, architects, and build teams will need more tactical threat intelligence that helps them better understand and anticipate TTPs and build the right defenses to protect the organization from attack.
- Operations, SOC managers, threat hunters, and incident responders will need operational threat intelligence that helps them understand the context, timing, and nature of an attack, allowing for more focused, effective threat monitoring and reporting.
- Executives, boards, and VPs will need more strategic threat intelligence that adds context around risks and exposures to help them make more informed decisions for the business.
Question Three: What are the use cases for cyber threat intelligence?
The use cases for cyber threat intelligence span from tactical (e.g., real-time security alerts) to operational (e.g., patch prioritization) to strategic (e.g., proactive threat hunting). All have the ultimate goal of preventing a cyberattack.
Early on, when the maturity of your threat intelligence program is low, your use cases will likely be simpler and more tactical — setting up threat feeds, configuring your SIEM, and automating malware analysis. As you expand your capabilities, you can move into more difficult and strategic use cases — vulnerability management, patch prioritization, risk analysis, and decision-making.
Question Four: What level of integration with my security controls/solutions do I need?
The security controls and solutions you have in place (e.g., SIEM, ticketing systems, SOAR, or XDR) can influence your cyber threat intelligence program. Threat intelligence as a standalone platform makes sense, but its potential can be increased tenfold by integrating it with other security solutions that allow automatic enrichment of alerts and orchestrated, automated security workflows.
Two questions decide how far that integration can go:
- If you already have security solutions that accept threat intelligence feeds, which threat intelligence platform(s) are these solutions able to support?
- If you are thinking about acquiring security solutions that may orchestrate or automate part of your security operations, review the integration capabilities these solutions provide. That way you can integrate your threat intelligence platform into them, enriching your security alerts and reducing alert fatigue.
Question Five: Who will govern the cyber threat intelligence program long-term?
The cyber threat intelligence program is an organization-wide program. It needs to be initiated by the security teams that tend to have more awareness of the security challenges but need understanding and support from the entire organization. The long-term success of the threat intelligence program depends on participation at every level in the organization – from senior management to operations.
Cyber threat intelligence is not a one-off project to be implemented. It is a continuous lifecycle — that spans articulating requirements of data collection and analysis, to recommendations — that should be in lockstep with the organization’s core strategies and objectives.
Security leaders should have a team or process in place whose role is to analyze and prioritize cyber threat intelligence based on its relevance and potential impact on these objectives.
Cyber threat intelligence sources
Sources of cyber threat intelligence can be internal or external. It’s important to collect intelligence from a variety of sources to get a more complete picture. However, sources should not be trusted implicitly. It’s important for your team to evaluate each source for reliability and relevance before incorporating it into the analysis.
Here are some examples of internal and external threat intelligence sources:
- Internal sources of cyber threat intelligence — device logs, Internet traffic, SIEM data, forensic evidence
- External sources of cyber threat intelligence — commercial vendors, open-source intelligence, government agencies, social media, forums, thought leaders, threat feeds
Cyber threat intelligence platforms
Cyber threat intelligence platforms can help organizations gather, organize, analyze, and share threat intelligence. IBM, CrowdStrike, Splunk, SolarWinds, Recorded Future, and Mandiant are some of the well-established vendors offering threat intelligence platforms and services today. There are also a number of emerging vendors specializing in threat intelligence, and we expect this list to expand as cyber threat intelligence continues to grow in popularity and importance in enterprise security strategies.
When seeking out a cyber threat intelligence platform, eSecurity Planet offers the following list of requirements:
- Integrations with external threat intelligence feeds
- Integrations with internal systems such as EDR tools, firewalls, network monitoring
- Matching feed data between internal alerts and external IOCs
- Prioritized risk assessments, alerts, and analysis
- Enablement of security tools that can use threat intelligence to block malicious activity and traffic
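As an added example (not Kudelski Security’s or any vendor’s code), the short script below shows what the third and fourth requirements above, and the earlier advice to weight sources by reliability, look like in practice: constructed SIEM alerts are matched against constructed IOC feeds, each match is scored by the reliability of the sources that reported it, and the surviving alerts are ranked by that confidence times the criticality of the affected asset. The feed names, reliability values, indicators and criticality scale are all assumptions made for the illustration.

```python
"""Added example: enrich internal alerts with external IOC feeds and rank them.

Not code from the original post. Feeds, reliability scores, indicators and the
1-5 asset criticality scale are constructed for illustration only.
"""

# Constructed IOC feeds. Each carries a reliability score (0..1) that the team
# assigns after vetting the source, as the text recommends; a forum post is
# trusted less than a vetted commercial feed.
FEEDS = {
    "commercial_vendor": {"reliability": 0.9, "iocs": {"198.51.100.23", "evil.example"}},
    "open_forum":        {"reliability": 0.4, "iocs": {"203.0.113.7", "evil.example"}},
}

# Constructed internal alerts, e.g. SIEM events: the observed indicator and the
# criticality (1-5) of the internal asset that produced the event.
ALERTS = [
    {"id": "A1", "indicator": "198.51.100.23", "asset_criticality": 5},
    {"id": "A2", "indicator": "EVIL.example ",  "asset_criticality": 2},
    {"id": "A3", "indicator": "203.0.113.7",   "asset_criticality": 3},
    {"id": "A4", "indicator": "192.0.2.10",    "asset_criticality": 4},
]


def enrich(alert, feeds):
    """Attach every feed that lists the alert's indicator plus a combined confidence."""
    indicator = alert["indicator"].strip().lower()  # normalize before matching
    sources = [name for name, feed in feeds.items() if indicator in feed["iocs"]]
    # Treat sources as independent reporters: confidence = 1 - prod(1 - r_i),
    # so two weak sources agreeing outrank either one alone.
    miss = 1.0
    for name in sources:
        miss *= 1.0 - feeds[name]["reliability"]
    return {**alert, "sources": sources, "confidence": round(1.0 - miss, 3)}


def prioritize(alerts, feeds, min_confidence=0.5):
    """Keep matched alerts above a confidence floor, ranked by confidence x criticality."""
    enriched = [enrich(a, feeds) for a in alerts]
    kept = [a for a in enriched if a["sources"] and a["confidence"] >= min_confidence]
    for a in kept:
        a["priority"] = round(a["confidence"] * a["asset_criticality"], 3)
    return sorted(kept, key=lambda a: a["priority"], reverse=True)


if __name__ == "__main__":
    for a in prioritize(ALERTS, FEEDS):
        print(a["id"], a["priority"], a["confidence"], a["sources"])
```

Running it drops A3 (a single low-reliability source below the floor) and A4 (no match at all), and puts A1 ahead of A2 because the crown-jewel asset outweighs A2’s two-source confidence.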
Get in touch
A cyber threat intelligence program is critical in helping security teams identify and adapt to an organization’s potential cyber threats. When cyber threat intelligence is relevant and aligned to specific objectives and use cases, your team will be able to make data-driven decisions to improve security strategies and defenses and ultimately strengthen the organization’s resilience against cyberattacks.
Kudelski Security’s Cyber Fusion Center has developed sophisticated threat intelligence practices — based on the MITRE ATT&CK framework — to inform threat monitoring, detection, hunting, and response services. For more information, visit: https://kudelskisecurity.com/services/managed-detection-and-response/threat-navigator/