Moving Toward an Outcome-Based Threat Intelligence Program
Moving toward an outcome-based Threat Intelligence (TI) program is an important point of moving forward with industry best practices. One of the themes that we have seen with security leaders is the problem with being able to bring actionable, relevant information to their security programs. There are hundreds of TI vendors in the marketplace and almost every single one has their own opinion of what Threat Intelligence means. In fact, one of the single most common complaint among my peers has been related to improperly scoped/understood TI programs.
Often, indicators are used synonymously with intelligence, but it is important to note that indicators should never be the end state of a TI program. In fact, while useful, indicators provide a good starting point, but generally indicators without context are useless to better understand what is happening with a specific threat.
In its simplest form, threat intelligence encompasses the following components, as described by our Threat Intelligence Framework:
Understanding that the end goal of a Cyber Threat Intelligence program is to understand what is occurring and then act based on the observations. Without good, relevant reporting, most organizations are unable to action information that is gathered by analysts. Importance should be paid in making sure that reporting is relevant to the audience and has a clear action item with the report.
During incidents TI programs can be a force multiplier by being able to pull in and process appropriate information that can be used for defensive countermeasures . Being able to query multiple data sources, interact with the security community at large, or quickly identify infrastructure that was used in attacks can be the difference between a small incident and a large breach.
Often times, companies start here, but this is moving an organization towards advanced monitoring of attackers. Many organizations that start here find that they aren’t understanding what is being done by their TI program. If there are specific threats and actors are known to be targeting your organization, understanding when they are attacking, what attacks they have done before or against others is an important point to understand what might occur in the future.
Black Hat 2017
I will be attending Black Hat 2017 all week long where Kudelski Security will be hosting a number of events. If you are interested in discussing how enterprise threat intelligence can be better used to keep your systems and data safe with you, schedule a one-on-one meeting with me at our suite at Four Seasons hotel in Las Vegas. You can schedule your meeting by clicking here.