Threat intelligence feeds have gained a lot of popularity over the last few years. Born of IP watch lists provided by a handful of organizations, they have emerged to become a significant part of a mature security intelligence program. Now instead of just IP addresses, most feeds include information on file names and hashes, URLs, users and more. All this can come together to deliver more information to analysts about everything crossing their wires.

Why is this incremental threat intelligence information so important? In a word, context — and the difference between noise and context is security analytics. The acceptance of security information and event management (SIEM) platforms over the past dozen years allows analysts to correlate and manage the security data on their networks, include external data elements and view it all in one place. The Trusted Automated Exchange of Indicator Information (TAXII) and Structured Threat Information Expression (STIX) are sets of free specifications that have simplified the process of adding threat intelligence to IBM QRadar.

No Dumping

Security teams can better protect their environments by incorporating information on threats observed in the wild. Threat intelligence helps by identifying things that are out of place. This information can be useful, but not if it’s simply dumped in. There is still noise, and threat feeds will sometimes even increase the amount depending on how they’re used.

The credibility and confidence of the sources is also very important. Free feeds might not have the most accurate information, whereas commercial feeds might seem to tag almost everything as a threat at some point or another.

When refining your use of threat intelligence, you must look at it the same way you look at all other information on your network. Don’t just turn everything on and hope for the best. Identify what you are trying to discover and what areas are most important to your organization. If you look at two separate areas of the network, for example, you’ll need different levels of focus depending on the role of that area.

Learn to combat the latest security attacks with global threat intelligence

Muting the Noise

Even on a good day, your exclusive perimeter network, or demilitarized zone (DMZ), and other public areas produce a lot of noise. You can use information from threat intelligence feeds to help identify potentially bad traffic at the perimeter. But just throwing in all the intelligence data may drown your team in incidents. It’s better to focus on the worst or most persistent set of indicators to reduce the number of incidents to a manageable level.

If, however, you’re dealing with a more secure network area, such as a database server farm, where only very specific traffic should be present, you can be more liberal with the threat indicators in both volume and quality. These servers typically hold business-critical data, so don’t take any chances. Opening up the threat intelligence data allows you to cast a wider net that would drown you in a more public-facing network segment.

Threat Intelligence Adds Context

Other good use cases involve applying threat intelligence to incident forensics. When probable cause directs you to investigate hosts or users, threat intelligence can help determine who or what they might have been exposed to in the past.

The added context that threat intelligence feeds provide is very important to protecting your networks. By using the confidence levels of that information and carefully implementing different uses around your network, you can better protect yourself without overloading your security analysts with too much noise.

Sign up for a free trial of the IBM X-Force Exchange

More from Intelligence & Analytics

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

79% of Cyber Pros Make Decisions Without Threat Intelligence

4 min read - In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on? It’s not unusual for attackers to stay concealed within an organization’s computer systems for extended periods of time. And if their methods and behavioral patterns are unfamiliar, they can cause significant harm before the security team even realizes a breach has occurred.…

4 min read

Why People Skills Matter as Much as Industry Experience

4 min read - As the project manager at a large tech company, I always went to Jim when I needed help. While others on my team had more technical expertise, Jim was easy to work with. He explained technical concepts in a way anyone could understand and patiently answered my seemingly endless questions. We spent many hours collaborating and brainstorming ideas about product features as well as new processes for the team. But Jim was especially valuable when I needed help with other…

4 min read