In the evolution of cybersecurity, the threat landscape is ever-changing while the line of defense is ever-shrinking. Security professionals started with securing the perimeters, but now we need to assume a breach in a zero-trust environment. However, providing intelligence to help users stay ahead of threats becomes a challenge when that information is overwhelmingly voluminous and complex.

Because intelligence providers tend to feed every piece of information to their users, many people think of threat intelligence as noise. With all the sophisticated tactics, techniques and procedures (TTPs) appearing daily, providing relevant threat intelligence is the only option to stay ahead of threats without overwhelming existing security operations.

Relevant threat intelligence sounds too good to be true, but it is possible with the proper methodology. Three phases are required to produce relevant threat intelligence: create, disseminate and infuse.

Create Intelligence Beyond IOCs

We need depth and breadth in cybersecurity to identify new threats. However, without organic data sources and a real-time analytic pipeline, we either become followers or fail to deliver relevant insights on time.

The creation of threat intelligence must go beyond indicators of compromise (IoCs) and threat reports to address emerging threats. For example, threat intelligence that doesn’t detect new TTPs will keep security professionals awake at night. Also, threat intelligence that doesn’t inform response playbooks is like a doctor examining patients while refusing to provide a cure. Only connected threat insights make that crucial context possible.

Disseminate Connected Stages of Threat Management

Dissemination is about creating a unified interface for accessing threat intelligence and enabling different threat management use cases. Threat intelligence must deal with heterogeneous performance requirements in threat management.

For example, security information and event management (SIEM) tools need to enrich thousands of observables per second, while security orchestration, automation and response solutions focus more on the context than the speed. In addition, enabling data pivoting and sharing security analytics are critical to connecting the stages in threat management to ensure no team stays in silos.

Infusing Threat Intelligence into Management

Without infusing threat intelligence into threat management, providers are fortune tellers making projections based on statistical data. Unfortunately, infusing threat intelligence is usually the most challenging and confusing part of threat management. For instance, users get insights to detect command and control communications. However, they still need to spend time feeding the insights into their security solutions and tools.

If the security analysts must spend time integrating security solutions like SIEM and endpoint detection and response, they can’t focus on applying threat intelligence. Infusing intelligence will be a challenge as long as we still have data and connectivity issues in threat management. Technology like STIX Shifter solves those normalization and connectivity challenges so that analysts can focus on threat management.

Download the X-Force Threat Intelligence Index

Uncovering Threat Relevancy

With relevant threat intelligence, we can finally calculate threat relevancy. Figure 1 shows why traditional threat intelligence is not suitable for calculating relevancy.

In the diagram, the security context shows there are attack patterns utilizing different vulnerabilities; we can then start observing new IoCs and indicators of behavior (IoBs) on the affected assets. With traditional threat intelligence (the single gray dot), it is difficult to say anything is genuinely relevant.

Figure 1: Single Threat Insight

Consequently, threat intelligence without relevancy adds noise to threat management. For instance, if the gray node is a public Domain Name System (DNS) IP address and it is flagged as actionable because we see the same gray node in the security context, this conclusion will be chaotic in any threat management solution.

However, if the threat intelligence is connected and we preserve the context during dissemination, we can calculate the relevancy based on the patterns and time sequences, as shown in Figure 2. This is a much better way to present relevant threat intelligence with high confidence to users.

Figure 2: Connected Threat Intelligence

If threat intelligence seems too noisy or feels like stale data, now you know the root cause: a lack of creation, dissemination and infusion. Unsuitable threat intelligence, dissemination-limiting use cases, or the wrong platform for infusing threat intelligence properly can paint an incomplete picture of threats.

But what piece — creation, dissemination or infusion — is the weakest link in your organization? In other words, where does threat data become noise instead of actionable information?

If an organization is able to answer these questions, it will be better able to make cybersecurity decisions based on actual insights. Not only does usable threat intelligence protect the company, it helps make the case for future cybersecurity spending. There will be fewer instances of underestimating cyberthreats threatening an organization.

More from Intelligence & Analytics

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

79% of Cyber Pros Make Decisions Without Threat Intelligence

4 min read - In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on? It’s not unusual for attackers to stay concealed within an organization’s computer systems for extended periods of time. And if their methods and behavioral patterns are unfamiliar, they can cause significant harm before the security team even realizes a breach has occurred.…

4 min read

Why People Skills Matter as Much as Industry Experience

4 min read - As the project manager at a large tech company, I always went to Jim when I needed help. While others on my team had more technical expertise, Jim was easy to work with. He explained technical concepts in a way anyone could understand and patiently answered my seemingly endless questions. We spent many hours collaborating and brainstorming ideas about product features as well as new processes for the team. But Jim was especially valuable when I needed help with other…

4 min read