Threat intelligence feeds have gained a lot of popularity over the last few years. Born of IP watch lists provided by a handful of organizations, they have emerged to become a significant part of a mature security intelligence program. Now instead of just IP addresses, most feeds include information on file names and hashes, URLs, users and more. All this can come together to deliver more information to analysts about everything crossing their wires.

Why is this incremental threat intelligence information so important? In a word, context — and the difference between noise and context is security analytics. The acceptance of security information and event management (SIEM) platforms over the past dozen years allows analysts to correlate and manage the security data on their networks, include external data elements and view it all in one place. The Trusted Automated Exchange of Indicator Information (TAXII) and Structured Threat Information Expression (STIX) are sets of free specifications that have simplified the process of adding threat intelligence to IBM QRadar.

No Dumping

Security teams can better protect their environments by incorporating information on threats observed in the wild. Threat intelligence helps by identifying things that are out of place. This information can be useful, but not if it’s simply dumped in. There is still noise, and threat feeds will sometimes even increase the amount depending on how they’re used.

The credibility and confidence of the sources is also very important. Free feeds might not have the most accurate information, whereas commercial feeds might seem to tag almost everything as a threat at some point or another.

When refining your use of threat intelligence, you must look at it the same way you look at all other information on your network. Don’t just turn everything on and hope for the best. Identify what you are trying to discover and what areas are most important to your organization. If you look at two separate areas of the network, for example, you’ll need different levels of focus depending on the role of that area.

Learn to combat the latest security attacks with global threat intelligence

Muting the Noise

Even on a good day, your exclusive perimeter network, or demilitarized zone (DMZ), and other public areas produce a lot of noise. You can use information from threat intelligence feeds to help identify potentially bad traffic at the perimeter. But just throwing in all the intelligence data may drown your team in incidents. It’s better to focus on the worst or most persistent set of indicators to reduce the number of incidents to a manageable level.

If, however, you’re dealing with a more secure network area, such as a database server farm, where only very specific traffic should be present, you can be more liberal with the threat indicators in both volume and quality. These servers typically hold business-critical data, so don’t take any chances. Opening up the threat intelligence data allows you to cast a wider net that would drown you in a more public-facing network segment.

Threat Intelligence Adds Context

Other good use cases involve applying threat intelligence to incident forensics. When probable cause directs you to investigate hosts or users, threat intelligence can help determine who or what they might have been exposed to in the past.

The added context that threat intelligence feeds provide is very important to protecting your networks. By using the confidence levels of that information and carefully implementing different uses around your network, you can better protect yourself without overloading your security analysts with too much noise.

Sign up for a free trial of the IBM X-Force Exchange

More from Intelligence & Analytics

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…

What Can We Learn From Recent Cyber History?

The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider. Over recent years, what lessons can we learn from our recent history — and what projections…

When Logs Are Out, Enhanced Analytics Stay In

I was talking to an analyst firm the other day. They told me that a lot of organizations purchase a security information and event management (SIEM) solution and then “place it on the shelf.” “Why would they do that?” I asked. I spent the majority of my career in hardware — enterprise hardware, cloud hardware, and just recently made the jump to security software, hence my question. “Because SIEMs are hard to use. A SIEM purchase is just a checked…

4 Most Common Cyberattack Patterns from 2022

As 2022 comes to an end, cybersecurity teams globally are taking the opportunity to reflect on the past 12 months and draw whatever conclusions and insights they can about the threat landscape. It has been a challenging year for security teams. A major conflict in Europe, a persistently remote workforce and a series of large-scale cyberattacks have all but guaranteed that 2022 was far from uneventful. In this article, we’ll round up some of the most common cyberattack patterns we…