Threat Intelligence Fundamentals

Author: David Balaban – PrivacyPC.Com

Information security professionals may have different perspectives about what exactly threat intelligence is, what tasks it should solve, and how a company can benefit from deploying solutions of this sort. This term is often interpreted as a set of techniques for collecting and analyzing indicators of compromise (IOCs) to form an extra layer of protection mechanisms. However, the functionality of the resulting security systems is somewhat opaque. Let’s add some clarity to this subject and figure out who gets the most mileage out of such practices.

What is threat intelligence and who needs it?

Threat intelligence is an entirety of data that allows IT experts to understand a threat and make informed security decisions. This can be both low-level data (e.g. file hashes and IP addresses), and information about a specific attacker seeking to infiltrate a target system. Many professionals prefer using the broader concept of security intelligence that includes threat intelligence, vulnerability intelligence, brand intelligence, and other components of the defense equation.

A few years ago, when this term debuted in the cybersecurity arena, it could mean just about anything. The situation is now more structured and there are standards that make the concept more distinct, and yet it is still debatable whether this technique is part of the overarching security intelligence domain.

In essence, threat intelligence boils down to data as well as the ways it is collected and evaluated. The context of threat information is hugely important. Analysts need to understand if specific data is appropriate for decision-making and link IOCs with specific reports and vulnerabilities.

The layer of technical data plays a big role in threat intelligence, but the right approach should also involve the strategic layer. A security expert must stay on top of operational and tactical layer information and be able to grasp the applicability of certain vulnerabilities and reports.

Threat intelligence can be integrated into different enterprise workflows. In particular, the InfoSec department typically combines it with the general context of the current cybercrime landscape that goes beyond specific attack vectors that pose risk to the organization. On the other hand, investigating an incident requires figuring out who is behind the malicious activity and what techniques were used. Depending on where threat intelligence is leveraged in the company and for what purpose, there are different requirements for its content as well.

Why does an organization need threat intelligence when it has other security and data collection mechanisms in place, such as an intrusion detection system (IDS), a next-generation firewall (NGFW), and a security information and event management (SIEM) solution? It helps piece the whole security picture together and step away from the reliance on individual tools or vendors. This is especially important for businesses whose security postures involve threat response.

With cyber threat intelligence techniques in its toolkit, a company can also gain insights into threats outside of the security perimeter that have not yet been detected by its security solutions. Another noteworthy point is that many defensive solutions have blind spots that attackers might exploit. Threat intelligence closes these gaps. The need for this tactic stems from the rapid evolution of cyber perils – as they become more complex, security tools have to match this sophistication.

At the technical level, threat intelligence is used to facilitate the following activities:

• Incident response
• Proactive threat hunting
• Security monitoring
• Malicious code analysis
• Intrusion detection.

At the strategic level, threat intelligence can help senior management make important decisions. For instance, when planning to enter new markets, company executives need to know what security risks are inherent to these regions. The information gathered through threat intelligence allows estimating the costs that may be incurred and correlating them with the expected profits.

A hands-on approach to threat intelligence

Let’s move on to the practical implementation of threat intelligence techniques – in particular, to explain where the required data comes from and whether a company can obtain it independently without being tied up to a specific service provider. First things first, there are plenty of open sources that can be used to obtain this kind of information. In addition, security professionals can analyze instances of threat detection by the existing security solutions to understand and predict possible future attack paths.

It takes a good deal of effort and expense to process all this data. According to a popular viewpoint, the optimal approach should cover data from three sources: internal information, information from public databases, and commercial feeds purchased from a vendor. The criteria for selecting the sources of threat intelligence data may be as follows:

• Automation options
• Integration and interoperability
• Update frequency
• Enrichment with metadata
• Complexity rating
• Darknet visibility
• Geolocation accuracy
• The number and range of sources
• Quality

A common question comes down to the whys and wherefores of using a specialized threat intelligence platform. Why can’t indicators of compromise and other security information be uploaded to a SIEM system or NGFW? How effective is a specialized solution?

The thing is that such tools aggregate information from multiple sources and process it according to a well-trodden methodology. The task of collecting, analyzing, and ranking data on your own is feasible but very resource-intensive and costly. Importantly, the average SIEM service cannot deal with the multitude of feeds a threat intelligence platform easily handles. Millions of IOCs may slow down or even paralyze it.

Buying as many threat intelligence feeds as possible does not significantly improve the quality of protection. It is important to use the data that correlates with potential threats aligned with the customer profile. Otherwise, the level of “noise” will be too high, which will affect the productivity and efficiency of the system.

When it comes to the feasibility of automating threat intelligence processes, experts’ opinions vary. A system like that can capitalize on analyzing adversaries’ known tactics, techniques, and procedures (TTP), ranking them, and building a threat matrix. However, many professionals argue that the key role of threat intelligence is to provide an analyst with relevant information, enrich it with context, and identify the current cybercrime trends.

How to choose a threat intelligence system worth its salt

To begin with, an organization must understand why it needs such a system. A good idea is to create a list of metrics that clearly show how the implementation of the new tool could strengthen the company’s defenses. It is also recommended to start small by testing the system with a limited number of feeds without hiring a group of analysts from the get-go. A few real-world cases will point the customer in the right direction.

Since the deployment of a threat intelligence system is a lengthy process that requires significant funding, the company’s top executives should consistently provide their support to the security team. Also, customers should maintain a dialog with vendors that have accumulated considerable experience in this area and are usually willing to help. Running a pilot project is not a problem. Most vendors don’t mind providing temporary access to their feeds and platforms.

Being guided by marketing materials alone is a half-baked strategy. It is better to come to the provider and talk to their sales managers and technical specialists. This will allow the client to form an accurate opinion about the developer and specify all the requirements. Communication with the developers will also help understand what is going on beyond the security perimeter, what types of attacks are most likely, and what threat intelligence information will be necessary in the first place.

Conclusion

Vendors and system integrators should work harder to explain the benefits of threat intelligence platforms to potential customers. It is worth pointing out that the full-fledged implementation of such solutions requires a certain degree of maturity and a high level of managerial involvement in enterprise security workflows. Meanwhile, some threat intelligence techniques, such as in-house analysis of feed data and the evaluation of malicious actors’ TTP details, are available even to small companies and can step up their protection against the ever-changing scourge of cybercrime.