Many organisations are investing more resources in building their threat intelligence capabilities to improve their security posture, especially as cyber threats continue to grow in number.
However, creating a ‘threat model’ is no easy feat, requiring security teams focused on day-to-day operations to step back and ask macro-level questions of their threat landscape like: ‘Who is attacking me? Where is this traffic coming from? Is this a targeted or commodity activity?’
These questions allow your security team to strategically assess how they are positioned to protect your organisation, and where further investment is required in people or products to manage this growing threat landscape.
Many organisations rely on external threat intelligence feeds, but this has limitations: even if you subscribe to every single threat intelligence feed, gaps still remain, as many attacks are customised to bypass traditional security controls.
The reality is the resources required to operate under this model vastly outweigh the budget that is likely available.
The most overlooked and valuable source of threat intelligence data is the data you collect yourself - known as internal threat intelligence - which is generated through threats the organisation has seen or managed internally.
Data available through your own security processes or tools is the most contextually relevant and actionable threat data your organisation possesses because it demonstrates the current threats you face.
This data may be derived from your security information and event management (SIEM) solution, log management repository, case management systems or your security infrastructure capabilities such as sandboxes, phishing email, Web/DNS systems, the security operations centre, incident response or threat hunting teams.
Independently, internal threat intelligence will not provide complete visibility of the threat landscape, as it will miss the rich details that come from external sources derived from teams of highly trained analysts, who monitor an incredible number of sources.
Through the integration of internal and external threat resources, you will be able to develop a complete picture of your threat landscape, with these data types adding the colour and detail to complete this picture.
This may have you questioning if being able to analyse all this data for actionable intelligence is actually possible.
By integrating a threat intelligence platform (TIP), an organisation is able to implement a threat-centric security approach, with the platform serving as a repository for external and internal threat data sources, which also does the hard work for the security team.
The right platform will collect, structure and store internal threat intelligence data, and provide tools to enrich, augment and correlate this data with external sources.
How can your organisation translate and act on the intelligence it already has? Using a spear phishing example, this type of attack can be automatically ingested as a suspicious email into the threat intelligence platform.
This email includes the information about the individual targeted, initial data about the origins of the email and the types of content it includes.
As the investigation continues, security teams are able to send a suspicious file attachment to a sandbox and collect the results. The intelligence is then filtered back into the platform and assigned a threat score with specific analysis of the high-fidelity indicators such as a file hash, domain name and IP addresses.
The security team is then able to enrich indicators for further analysis, or leverage the MITRE ATT&CK framework to identify tactics, techniques and procedures (TTPs) that may be common across different attacks.
From here, the TIP will determine if any of these indicators of compromise match your records, by executing a correlation search within the SIEM, to see if the indicators have been seen by any of your security tools.
This automatically indicates that you may have an active exploit in the environment. From here, a control can be implemented, for example by blocking the suspicious URL in your web security gateway.
Analysing suspect emails is an incredibly time-consuming function for security operations, yet is one example where a TIP is able to do the mundane work.
It is just one case where a threat intelligence platform allows you to maximise internal threat intelligence, in context with external data, and more importantly demonstrates how a platform can largely automate the entire process.
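The correlation step in the spear phishing walkthrough can be sketched as follows. This is an added example, not code from any TIP or SIEM product; the sandbox report layout, the event field names and every value in it are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sandbox verdict for the attachment (all values are made-up samples).
SANDBOX_REPORT = {
    "sha256": "a" * 64,
    "contacted": ["hxxp://Login-Portal.example[.]net/invoice", "203.0.113.45"],
}

# Constructed SIEM events (proxy, DNS, endpoint, firewall), already parsed to dicts.
SIEM_EVENTS = [
    {"id": 1, "src": "proxy", "user": "j.doe", "url": "http://login-portal.example.net/invoice?id=7"},
    {"id": 2, "src": "dns", "host": "ws-114", "query": "intranet.example.org."},
    {"id": 3, "src": "edr", "host": "ws-114", "file_hash": "A" * 64},
    {"id": 4, "src": "firewall", "host": "ws-201", "dst_ip": "198.51.100.7"},
]

def normalise(value):
    """Return (type, canonical value); undoes defanging, case and trailing dots."""
    v = value.replace("hxxp", "http").replace("[.]", ".").strip().lower().rstrip(".")
    if len(v) == 64 and all(c in "0123456789abcdef" for c in v):
        return ("sha256", v)
    try:
        return ("ip", str(ipaddress.ip_address(v)))
    except ValueError:
        pass
    host = urlsplit(v).hostname if "://" in v else v  # URLs are matched on hostname
    return ("domain", host)

def indicators_from_report(report):
    """Collect the high-fidelity indicators the sandbox produced."""
    return {normalise(r) for r in [report["sha256"], *report["contacted"]]}

def correlate(indicators, events):
    """Map each indicator to the ids of the events in which it was seen."""
    hits = {}
    for event in events:
        for field in ("url", "query", "file_hash", "dst_ip"):
            if field in event:
                key = normalise(event[field])
                if key in indicators:
                    hits.setdefault(key, []).append(event["id"])
    return hits

if __name__ == "__main__":
    print(correlate(indicators_from_report(SANDBOX_REPORT), SIEM_EVENTS))
```

Without the normalisation step the defanged, mixed-case feed value would never equal the proxy log entry, which is the usual reason a correlation search silently returns nothing.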
The big picture
Back to the macro-level, the right data structure is imperative for actioning threat intelligence, both internal and external. Maintaining all threat data in a standardised model ensures it is easy to deduplicate, correlate and share with the right people or in the right tools.
Organising your threat intelligence is half the work in building a good threat model. The right TIP will do this automatically by making the data indexed and searchable, and even scoring the indicators.
Most threat intelligence providers publish ‘global risk’ and ‘confidence’ ratings based on their own research, visibility and proprietary methods.
This allows for a sharper threat response; however, security teams need to be able to customise scores based on defined parameters such as the indicator source or type, adversary information, and attributes specific to the organisation including industry, region and infrastructure.
Scoring is crucial to making threat intelligence truly actionable because the right scoring policy will unify internal and external threat intelligence seamlessly, offer the ability to re-evaluate or reprioritise data as new context becomes available and ensure analysts are focused on what is really important for the organisation.
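A minimal sketch of such a scoring policy over a deduplicated store, showing a score being re-evaluated when an internal sighting arrives for an indicator first seen in an external feed. This is an added example, not any vendor's scoring method; the source names, weights, formula and organisation attributes are all hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical policy weights; tune to your own sources, industry and region.
SOURCE_WEIGHT = {"internal_sandbox": 1.0, "internal_ir": 1.0, "vendor_feed": 0.6, "open_feed": 0.3}
TYPE_WEIGHT = {"sha256": 1.0, "domain": 0.8, "ip": 0.5}  # assumption: IPs go stale fastest
ORG_CONTEXT = {"industry": "finance", "region": "apac"}

@dataclass
class Indicator:
    type: str
    value: str
    sightings: list = field(default_factory=list)  # one dict per reporting source

class Store:
    """Standardised model: one record per (type, value), any number of sources."""
    def __init__(self):
        self.records = {}

    def ingest(self, type_, value, source, confidence, targets=()):
        key = (type_, value.strip().lower())  # canonical key gives deduplication
        rec = self.records.setdefault(key, Indicator(*key))
        rec.sightings.append({"source": source, "confidence": confidence, "targets": set(targets)})
        return rec

def score(rec):
    """0-100: best weighted sighting, raised for corroboration and org relevance."""
    base = max(s["confidence"] * SOURCE_WEIGHT.get(s["source"], 0.2) for s in rec.sightings)
    sources = {s["source"] for s in rec.sightings}
    corroboration = 1.0 + 0.1 * (len(sources) - 1)
    targets = set().union(*(s["targets"] for s in rec.sightings))
    relevance = 1.25 if targets & set(ORG_CONTEXT.values()) else 1.0
    total = base * TYPE_WEIGHT.get(rec.type, 0.5) * corroboration * relevance
    return round(min(100.0, total), 1)

if __name__ == "__main__":
    store = Store()
    rec = store.ingest("domain", "Login-Portal.example.net", "vendor_feed", 70, ["finance"])
    print("external only:", score(rec))
    rec = store.ingest("domain", "login-portal.example.net", "internal_sandbox", 90)
    print("after internal sighting:", score(rec))
```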
Organisations already have the most crucial threat intelligence data required to help manage their threat landscape and improve their security posture. The challenge lies in accessing this data and merging this intelligence with external feeds to make it actionable.