Threat Intelligence Best Practices

As we established in the previous post, when it comes to threat intelligence, most enterprises are neither where they want or need to be. They’re not getting value out of their efforts and they often are not focused on what they need to attain actionable threat intelligence.

It’s not as if they aren’t trying. They are. Many enterprises are culling threat and vulnerability information from their intrusion detection and prevention systems, network and application logs, Information Sharing and Analysis Center (ISACS), open source intelligence sources and vendor information services, SIEMs, and subscription to RSS feeds and IP address reputation services.

However, there are numerous and critical shortcomings that many enterprises face when it comes to obtaining the value they need from these efforts.

First, they often have no way to analyze the threat data to glean the insights they need. For example, many organizations have too many disparate silos of data – from functional business data to network event data to application data – and various stores of security event information. All of these data need to be coalesced into a security data warehouse. Other challenges include poor data governance that created the data silos to begin with, many incongruent data storage standards in use, and processes that inadvertently destroy useful security information while forever storing unnecessary data. 

Another common pitfall is that organizations have no established way to take action with the intelligence that they have obtained. A danger with threat intelligence is that enterprises gather intelligence but don’t know how to use it properly. Some security teams will base moves on bad intelligence; others risk shifting their focus from one threat to another every day, based on news stories, and they won’t ever build a comprehensive program.

What’s the danger of bad security threat intelligence? It could result in bad response to a real threats, a false sense of security from intelligence indicating that no threat exists when one does, and otherwise being lulled into poor or ill-informed deployment of security resources.

However, when using threat intelligence correctly, enterprises can use the data they gather to properly tune their security controls and defenses and better align their security spending and efforts to the types of data or business services different types of criminals may target. For instance, an outsourcing firm could learn that attackers are targeting an application used in that industry to manage talent. They could permanently or temporarily decide to pay closer attention monitoring that application for anomalies, require stronger authentication, and possibly take other steps such as making sure user accounts are up-to-date with proper authentication and permission levels set.

How do some enterprises manage to get threat intelligence right?

They realize that security, vulnerability, and threat data are everywhere. In fact, as we wrote previously, security professionals are awash in data from intrusion detection and prevention systems, firewalls, network logs, and so on. SIEMs try to make sense of a lot of this information and help turn this into intelligence about attacks that are underway within their systems – but they often fall short. A formidable task indeed. But what about when that is extended to external threats that have yet to even try to strike?

The organizations today that are successful with threat intelligence are able to collect data about threats on a global scale and vet them against their internal systems and security controls. Those organizations – the successful ones – are taking all of that information and funneling it into their intelligence program, converting data to security intelligence and then taking protective action with the information. They also are able to review their successes and their intelligence requirements because, just like business changes from month to month and goals and products changes over years, the intelligence requirements have to change as well.

Putting threat intel to work

How do organizations make all of the data collection, storage, and analysis worth their while? By taking all of the derived intelligence and then being able to take constructive action to mitigate attacks and lower risks.

While many organizations have built their threat intelligence data feeds, and put in place the tools needed to manipulate and visualize the threat intelligence data they manage to collect, very few have yet to put that information to work in a way that provides actionable intelligence that actually does reduce risk.

In fact, according to the SANS Who’s Using Cyberthreat Intelligence and How? Survey, only 10.1% of organizations are able to pull out completely actionable events that can be brought to security teams for response. The remaining 89.9% either plan to achieve or have partially achieved this critical ability. Without this ability, the threat intelligence effort has little value.

How does that work in practice? Consider this scenario: Reliable threat intelligence based on discussions monitored within an underground chat room indicates that a hacker group is targeting your organization and that your website will soon be targeted with an SQL injection attack. The attack comes as retaliation for comments executives made at a recent global business summit.

How does your organization act on that intelligence? Is it as simple as updating the web application firewalls? Maybe. Who in your organization needs to know about this risk? Does the CSO know? Does the legal department need to know? Does the chief financial officer need to know that the firm may have to purchase additional mitigation controls because the losses could be X and we can't effectively combat that?

Enterprises need to put into place the ability to act on the intelligence they gather by building the appropriate decision trees and establishing lines of communication and effective response. They must be able to rapidly detect, investigate, and respond to the attacks in ways that mitigate the damage of the attack.

These capabilities must be built on effective basic and advanced security controls that are appropriate for the organization. An organization’s detection, investigation, and response capabilities can be mapped directly to the phases of formal incident response and the ability to respond quickly; this directly improves any organization’s ability to reduce loss.

Consider a DDoS attack scenario and how threat intelligence can save costs. In this instance, this financial services provider learned that organizations in its industry, and its business specifically, would be targeted by ongoing DDoS attacks. With that knowledge, the financial services provider contacted its ISP, who was now on alert for suspicious traffic, and the firm also was able to tune its web application firewall to filter potential attacks.

When the waves of attack packets hit, the web application filters protected the traffic targeting layer 7, while the ISP was able to identify and filter the attack traffic in a matter of minutes, rather than hours.

In the third annual The Value of Threat Intelligence: Annual Study of North American and United Kingdom Companies , based on a survey of over 1,000 IT and security practitioners, found  to evaluated threat intelligence usage, benefits and challenges. The survey found that 85% rate threat intelligence highly important to security operations and that Data volumes continue to strain detection capabilities: too much internal traffic, too many threat indicators to track, too many false positives, lack of historical data to perform investigations.