In the evolution of cybersecurity, the threat landscape is ever-changing while the line of defense is ever-shrinking. Security professionals started with securing the perimeters, but now we need to assume a breach in a zero-trust environment. However, providing intelligence to help users stay ahead of threats becomes a challenge when that information is overwhelmingly voluminous and complex.

Because intelligence providers tend to feed every piece of information to their users, many people think of threat intelligence as noise. With all the sophisticated tactics, techniques and procedures (TTPs) appearing daily, providing relevant threat intelligence is the only option to stay ahead of threats without overwhelming existing security operations.

Relevant threat intelligence sounds too good to be true, but it is possible with the proper methodology. Three phases are required to produce relevant threat intelligence: create, disseminate and infuse.

Create intelligence beyond IoCs

We need depth and breadth in cybersecurity to identify new threats. However, without organic data sources and a real-time analytic pipeline, we either become followers or fail to deliver relevant insights on time.

The creation of threat intelligence must go beyond indicators of compromise (IoCs) and threat reports to address emerging threats. For example, threat intelligence that doesn’t detect new TTPs will keep security professionals awake at night. Also, threat intelligence that doesn’t inform response playbooks is like a doctor examining patients while refusing to provide a cure. Only connected threat insights make that crucial context possible.

Disseminate connected stages of threat management

Dissemination is about creating a unified interface for accessing threat intelligence and enabling different threat management use cases. Threat intelligence must deal with heterogeneous performance requirements in threat management.

For example, security information and event management (SIEM) tools need to enrich thousands of observables per second, while security orchestration, automation and response (SOAR) solutions care more about context than speed. In addition, enabling data pivoting and sharing security analytics are critical to connecting the stages of threat management so that no team works in a silo.

Infuse threat intelligence into threat management

Without infusing threat intelligence into threat management, providers are fortune tellers making projections based on statistical data. Unfortunately, infusing threat intelligence is usually the most challenging and confusing part of threat management. For instance, users get insights to detect command and control communications. However, they still need to spend time feeding the insights into their security solutions and tools.

If the security analysts must spend time integrating security solutions like SIEM and endpoint detection and response, they can’t focus on applying threat intelligence. Infusing intelligence will be a challenge as long as we still have data and connectivity issues in threat management. Technology like STIX Shifter solves those normalization and connectivity challenges so that analysts can focus on threat management.
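The normalization problem described above, as an added example that is not from the article or the STIX-Shifter project: two tools report the same outbound connection in different shapes (a CEF line from a SIEM and a JSON event from an EDR), and an indicator can only be matched once both are translated into one common record format. The vendor names, field names, sample records and indicator list are constructed; the STIX 2.1 object type names used for the common shape ("ipv4-addr", "network-traffic", "process") are real, but the translator itself is a minimal hand-written stand-in, not STIX-Shifter's own code.

```python
"""Normalize heterogeneous tool output into one shape before matching intelligence.

Added example. Records, vendor and field names and the indicator set are
constructed; "src_ref"/"dst_ref" hold the address value directly here for
brevity, whereas real STIX objects reference another object's id.
"""
from __future__ import annotations
import json
import re

# Constructed: the same connection as seen by a SIEM (CEF) and by an EDR (JSON).
SIEM_CEF_LINE = ("CEF:0|ExampleVendor|ExampleSIEM|1.0|100|Outbound connection|5|"
                 "src=10.0.0.5 spt=51515 dst=203.0.113.10 dpt=443 proto=TCP")
EDR_JSON_EVENT = json.dumps({"event": "net_conn", "pid": 4242,
                             "image": "C:\\Windows\\Temp\\updater.exe",
                             "local_ip": "10.0.0.5", "remote_ip": "203.0.113.10",
                             "remote_port": 443})

# Constructed indicator set, keyed by (STIX object type, value).
INDICATORS = {("ipv4-addr", "203.0.113.10"), ("ipv4-addr", "198.51.100.7")}


def parse_cef(line: str) -> dict:
    """Split a CEF line into its seven header fields plus key=value extensions."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    names = ["version", "vendor", "product", "device_version",
             "signature_id", "name", "severity"]
    fields = dict(zip(names, parts[:7]))
    # Extension values may contain spaces, so stop each value at the next " key=".
    fields["ext"] = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]))
    return fields


def normalize_cef(line: str) -> list[dict]:
    """Translate a CEF network event into STIX-style observable objects."""
    ext = parse_cef(line)["ext"]
    return [
        {"type": "ipv4-addr", "value": ext["src"]},
        {"type": "ipv4-addr", "value": ext["dst"]},
        {"type": "network-traffic", "src_ref": ext["src"], "dst_ref": ext["dst"],
         "dst_port": int(ext["dpt"]), "protocols": [ext.get("proto", "tcp").lower()]},
    ]


def normalize_edr(raw: str) -> list[dict]:
    """Translate the fictional EDR's JSON event into the same observable shape."""
    ev = json.loads(raw)
    return [
        {"type": "ipv4-addr", "value": ev["local_ip"]},
        {"type": "ipv4-addr", "value": ev["remote_ip"]},
        {"type": "network-traffic", "src_ref": ev["local_ip"], "dst_ref": ev["remote_ip"],
         "dst_port": ev["remote_port"], "protocols": ["tcp"]},
        {"type": "process", "pid": ev["pid"], "image_ref": ev["image"]},
    ]


def normalize(record: str) -> list[dict]:
    """Dispatch on the record's format; every source ends up in one shape."""
    return normalize_cef(record) if record.startswith("CEF:") else normalize_edr(record)


def match_indicators(objects: list[dict], indicators=INDICATORS) -> list[tuple]:
    """Return the (type, value) pairs in the normalized objects that are indicators."""
    return sorted({(o["type"], o["value"]) for o in objects
                   if "value" in o and (o["type"], o["value"]) in indicators})


if __name__ == "__main__":
    for record in (SIEM_CEF_LINE, EDR_JSON_EVENT):
        print(match_indicators(normalize(record)))
```

Once both tools produce the same observable records, the indicator is matched by one rule instead of one per tool, which is the connectivity problem the paragraph above attributes to the infusion phase.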


Uncovering threat relevancy

With relevant threat intelligence, we can finally calculate threat relevancy. Figure 1 shows why traditional threat intelligence is not suitable for calculating relevancy.

In the diagram, the security context shows there are attack patterns utilizing different vulnerabilities; we can then start observing new IoCs and indicators of behavior (IoBs) on the affected assets. With traditional threat intelligence (the single gray dot), it is difficult to say anything is genuinely relevant.

Figure 1: Single Threat Insight

Consequently, threat intelligence without relevancy adds noise to threat management. For instance, if the gray node is a public Domain Name System (DNS) IP address and it is flagged as actionable because we see the same gray node in the security context, this conclusion will be chaotic in any threat management solution.

However, if the threat intelligence is connected and we preserve the context during dissemination, we can calculate the relevancy based on the patterns and time sequences, as shown in Figure 2. This is a much better way to present relevant threat intelligence with high confidence to users.

Figure 2: Connected Threat Intelligence
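The contrast between Figures 1 and 2, as an added example that is not from the article: a small Python model scores an asset's relevancy only when the intelligence is connected (an attack pattern tied to the vulnerability it exploits, and the ordered IoBs and IoCs it leaves behind) and the security context confirms that chain in time sequence. A lone match on shared infrastructure such as a public DNS resolver, the gray dot of Figure 1, scores nothing. The attack pattern, vulnerability label, asset inventory, observations, time window and weights are all constructed for illustration.

```python
"""Relevancy scoring over connected threat intelligence (added example).

Attack patterns, vulnerability labels, assets, observations and the scoring
weights below are constructed; the structure follows the article's figures:
a pattern tied to a vulnerability, assets that carry it, and IoCs/IoBs seen
on those assets in sequence.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Observation:
    asset: str
    kind: str        # "ioc" for an indicator, "iob" for a behaviour
    value: str
    seen_at: datetime


# Connected intel: the vulnerability a pattern exploits and the ordered
# stages (behaviour first, then indicator) it produces on a victim.
ATTACK_PATTERNS = {
    "AP-1 web exploit to C2": {
        "exploits": "VULN-A",   # constructed vulnerability label
        "stages": [("iob", "webshell-spawned-shell"), ("ioc", "203.0.113.10")],
    },
}
ASSETS = {"web-01": {"VULN-A"}, "db-01": set()}   # vulnerabilities present per asset
BENIGN = {"8.8.8.8", "1.1.1.1"}                  # shared public resolvers
WINDOW = timedelta(hours=6)                       # max span for a full sequence

T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_OBSERVATIONS = [   # constructed security context
    Observation("web-01", "iob", "webshell-spawned-shell", T0),
    Observation("web-01", "ioc", "203.0.113.10", T0 + timedelta(minutes=20)),
    Observation("db-01", "ioc", "8.8.8.8", T0),                      # the gray dot
    Observation("db-01", "ioc", "203.0.113.10", T0 + timedelta(hours=1)),
]


def score_asset(asset: str, observations: list[Observation]) -> tuple[int, list[str]]:
    """Return (relevancy, reasons). Weights: +1 if the asset carries the exploited
    vulnerability, +1 per matched stage, +2 if every stage is seen in the
    pattern's order within WINDOW. Benign infrastructure contributes nothing."""
    obs = sorted((o for o in observations if o.asset == asset), key=lambda o: o.seen_at)
    score, reasons = 0, []
    noise = [o for o in obs if o.value in BENIGN]
    for o in noise:
        reasons.append(f"{o.value} is shared benign infrastructure; ignored as noise")
    obs = [o for o in obs if o not in noise]
    for name, pattern in ATTACK_PATTERNS.items():
        if pattern["exploits"] in ASSETS.get(asset, set()):
            score += 1
            reasons.append(f"{asset} carries {pattern['exploits']} exploited by {name}")
        seen: list[Observation] = []
        for kind, value in pattern["stages"]:
            # A stage only counts if it appears at or after the previous matched stage.
            match = next((o for o in obs if o.kind == kind and o.value == value
                          and (not seen or o.seen_at >= seen[-1].seen_at)), None)
            if match is not None:
                score += 1
                seen.append(match)
                reasons.append(f"stage {kind}={value} seen on {asset} at {match.seen_at:%H:%M}")
        if seen and len(seen) == len(pattern["stages"]) \
                and seen[-1].seen_at - seen[0].seen_at <= WINDOW:
            score += 2
            reasons.append(f"full sequence of {name} observed in order within {WINDOW}")
    return score, reasons


def rank_assets(observations: list[Observation]) -> list[tuple[str, int]]:
    """Assets ordered by relevancy, highest first."""
    ranked = [(asset, score_asset(asset, observations)[0]) for asset in ASSETS]
    return sorted(ranked, key=lambda pair: -pair[1])


if __name__ == "__main__":
    for asset, score in rank_assets(SAMPLE_OBSERVATIONS):
        print(asset, score, score_asset(asset, SAMPLE_OBSERVATIONS)[1])
```

With the constructed data, web-01 scores 5 (vulnerable, both stages in order twenty minutes apart) while db-01 scores 1: its public DNS observation is discarded as noise and its lone C2 indicator, with no preceding behaviour and no vulnerability, is the low-confidence single dot rather than a connected chain.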

If threat intelligence seems too noisy or feels like stale data, now you know the root cause: a gap in creation, dissemination or infusion. Intelligence that is unsuitable at creation, dissemination that limits the use cases it can serve, or the wrong platform for infusing it can each paint an incomplete picture of threats.

But what piece — creation, dissemination or infusion — is the weakest link in your organization? In other words, where does threat data become noise instead of actionable information?

If an organization is able to answer these questions, it will be better able to make cybersecurity decisions based on actual insights. Not only does usable threat intelligence protect the company, it helps make the case for future cybersecurity spending. There will be fewer instances of underestimating cyberthreats threatening an organization.
