In the evolution of cybersecurity, the threat landscape is ever-changing while the line of defense is ever-shrinking. Security professionals started with securing the perimeters, but now we need to assume a breach in a zero-trust environment. However, providing intelligence to help users stay ahead of threats becomes a challenge when that information is overwhelmingly voluminous and complex.
Because intelligence providers tend to feed every piece of information to their users, many people think of threat intelligence as noise. With all the sophisticated tactics, techniques and procedures (TTPs) appearing daily, providing relevant threat intelligence is the only option to stay ahead of threats without overwhelming existing security operations.
Relevant threat intelligence sounds too good to be true, but it is possible with the proper methodology. Three phases are required to produce relevant threat intelligence: create, disseminate and infuse.
Create Intelligence Beyond IOCs
We need depth and breadth in cybersecurity to identify new threats. However, without organic data sources and a real-time analytic pipeline, we either become followers or fail to deliver relevant insights on time.
The creation of threat intelligence must go beyond indicators of compromise (IoCs) and threat reports to address emerging threats. For example, threat intelligence that doesn’t detect new TTPs will keep security professionals awake at night. Also, threat intelligence that doesn’t inform response playbooks is like a doctor examining patients while refusing to provide a cure. Only connected threat insights make that crucial context possible.
Disseminate Connected Stages of Threat Management
Dissemination is about creating a unified interface for accessing threat intelligence and enabling different threat management use cases. Threat intelligence must deal with heterogeneous performance requirements in threat management.
For example, security information and event management (SIEM) tools need to enrich thousands of observables per second, while security orchestration, automation and response solutions focus more on the context than the speed. In addition, enabling data pivoting and sharing security analytics are critical to connecting the stages in threat management to ensure no team stays in silos.
Infusing Threat Intelligence into Management
Without infusing threat intelligence into threat management, providers are fortune tellers making projections based on statistical data. Unfortunately, infusing threat intelligence is usually the most challenging and confusing part of threat management. For instance, users get insights to detect command and control communications. However, they still need to spend time feeding the insights into their security solutions and tools.
If the security analysts must spend time integrating security solutions like SIEM and endpoint detection and response, they can’t focus on applying threat intelligence. Infusing intelligence will be a challenge as long as we still have data and connectivity issues in threat management. Technology like STIX Shifter solves those normalization and connectivity challenges so that analysts can focus on threat management.
Download the X-Force Threat Intelligence Index
Uncovering Threat Relevancy
With relevant threat intelligence, we can finally calculate threat relevancy. Figure 1 shows why traditional threat intelligence is not suitable for calculating relevancy.
In the diagram, the security context shows there are attack patterns utilizing different vulnerabilities; we can then start observing new IoCs and indicators of behavior (IoBs) on the affected assets. With traditional threat intelligence (the single gray dot), it is difficult to say anything is genuinely relevant.
Figure 1: Single Threat Insight
Consequently, threat intelligence without relevancy adds noise to threat management. For instance, if the gray node is a public Domain Name System (DNS) IP address and it is flagged as actionable because we see the same gray node in the security context, this conclusion will be chaotic in any threat management solution.
However, if the threat intelligence is connected and we preserve the context during dissemination, we can calculate the relevancy based on the patterns and time sequences, as shown in Figure 2. This is a much better way to present relevant threat intelligence with high confidence to users.
Figure 2: Connected Threat Intelligence
If threat intelligence seems too noisy or feels like stale data, now you know the root cause: a lack of creation, dissemination and infusion. Unsuitable threat intelligence, dissemination-limiting use cases, or the wrong platform for infusing threat intelligence properly can paint an incomplete picture of threats.
But what piece — creation, dissemination or infusion — is the weakest link in your organization? In other words, where does threat data become noise instead of actionable information?
If an organization is able to answer these questions, it will be better able to make cybersecurity decisions based on actual insights. Not only does usable threat intelligence protect the company, it helps make the case for future cybersecurity spending. There will be fewer instances of underestimating cyberthreats threatening an organization.
Chenta Lee is a contributor for SecurityIntelligence.