In the age of user behavior analytics, next-gen attacks, polymorphic malware, and reticulating anomalies, is there a time and place for threat intelligence? Of course there is! But – and it seems there is always a ‘but' with threat intelligence – it needs to be carefully applied and managed so that it truly adds value and not just noise. In short, it needs to actually be intelligence, not just data, in order to be valuable to an information security strategy.
We used to have the problem of not having enough information. Now we have an information overload. It is possible to gather data on just about anything you can think of, and while that can be a great thing (if you have a team of data scientists on standby), most organizations simply find themselves facing an influx of information that is overwhelming at best and contradictory at worst. Threat intelligence can help solve that problem.
What is Threat Intelligence?
As Rick Holland and I mentioned in our talk at UNITED Summit 2016, there are a variety of definitions and explanations for threat intelligence, ranging in size from a paragraph to a field manual. Here's the distilled definition:
“Threat Intelligence helps you make decisions about how to prevent, detect, and respond to attacks."
That's pretty simple, isn't it? But it covers a lot of ground. The traditional role of intelligence is to inform policy makers. It doesn't dictate a particular decision, but informs them with what they need to make critical decisions. The same concept applies to threat intelligence in information security, and it can benefit everyone from a CISO to a vulnerability management engineer to a SOC analyst. All of those individuals have decisions to make about the information security program and threat intelligence arms them with relevant, timely information that will help them make those decisions.
If intelligence is making it harder for you to make decisions, then it is not intelligence.
When Threat Intelligence Fails
Threat Intelligence can be a polarizing topic – you hate it or you love it. Chances are that if you hate it, you've probably been burned by threat feeds containing millions of indicators from who-knows-where, had to spend hours tracking down information from a vendor report with absolutely no relevance to your network, or are simply fed up with the clouds of buzzwords that distract from the actual job of network defense. If you love it, you probably haven't been burned, and we want to keep it that way.
Threat Intelligence fails for a variety of reasons, but the number one reason is irrelevance. Threat feeds with millions of indicators of uncertain origin are not likely to be relevant. Sensationalized threat actor reports with little detail but lots of fear, uncertainty, and doubt (FUD) are not likely to be relevant. Stay away from these, or the likelihood that you end up crying under your desk increases.
So how DO you find what is relevant? That starts with understanding your organization and what you are protecting, and then seeking out threat intelligence about attacks and attackers related to those things. This could mean focusing on attackers that target your vertical or the types of data you are protecting. It could mean researching previously successful attacks on the systems or software that you use. By taking the time to understand more about the source and context behind your threat intelligence, you'll save a ton of pain later in the process.
The Time and Place for Threat Intelligence
Two of the most critical factors for threat intel are just that – time and place. If you're adding hundreds of thousands of indicators with no context and no expiration date, that will result in waves of false positives that dilute any legitimate alerts that are generated. With cloud architectures today, vendors have the ability to anonymously collect feedback from customers, including whether alerts generated by the intel are false positives or not. This crowdsourcing can serve as a feedback loop to continuously improve the quality of intelligence.
For example, with this list, 16 organizations are using it, 252 alerts have been generated across the community, and none have been marked as false positives. The description also contains enough context to help defenders know how to respond to any alerts generated. This has served as valuable threat intelligence.
The second half is place – different intelligence should be applied differently in your organization. Strategic intelligence, such as annual trend reports or warnings on targeted threats to your industry, is meant to help inform decision makers. More technical intelligence, such as network-based indicators, can be used as firewall rules to prevent threats from impacting your network. Host-based indicators, especially those from your own incidents or from organizations similar to yours, can be used to detect malicious activity on your network. This is why you need to know exactly where your intelligence comes from; without that, proper application is a serious challenge. Your own incident experience is one of the best sources of relevant intelligence – don't let it go to waste!
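As an added example (not code from the original post or from Rapid7), here is a small Python model of the "time and place" rules described above. Every indicator carries its source, the context an analyst needs, an expiry, and the community alert/false-positive counts that form the feedback loop; only indicators that pass those checks are matched against log lines, and each match is routed by indicator type: network-based (IP, domain) toward prevention, host-based (file hash) toward detection. All indicators, addresses, hashes, log lines and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Indicator:
    value: str
    kind: str            # "ip" / "domain" are network-based, "sha256" is host-based
    source: str          # where the indicator came from (the "place" it applies to)
    context: str         # what a defender should do when it fires
    first_seen: datetime
    ttl: timedelta       # how long the indicator stays live (the "time")
    alerts: int = 0      # alerts generated across the community (constructed)
    false_positives: int = 0

    def is_expired(self, now: datetime) -> bool:
        return now >= self.first_seen + self.ttl

    def fp_rate(self) -> float:
        return self.false_positives / self.alerts if self.alerts else 0.0

    def placement(self) -> str:
        # Network indicators can become firewall rules; host indicators feed detection.
        return "prevent" if self.kind in ("ip", "domain") else "detect"


def usable(ind: Indicator, now: datetime, max_fp_rate: float = 0.25):
    """Decide whether an indicator adds signal or just noise; returns (ok, reason)."""
    if ind.is_expired(now):
        return False, "expired"
    if not ind.context.strip():
        return False, "no context"
    # Only judge the false-positive rate once there is enough community feedback.
    if ind.alerts >= 10 and ind.fp_rate() > max_fp_rate:
        return False, f"false-positive rate {ind.fp_rate():.0%}"
    return True, "ok"


# Which log field each indicator kind is compared against (hypothetical log schema).
FIELD_FOR_KIND = {"ip": "dst", "domain": "host", "sha256": "sha256"}


def parse_line(line: str) -> dict:
    """Split a constructed 'key=value' log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def apply_intel(lines, indicators, now, max_fp_rate=0.25):
    """Return (alerts, suppressed): alerts carry context and placement,
    suppressed lists (indicator, reason) pairs that were kept out of matching."""
    live, suppressed = [], []
    for ind in indicators:
        ok, reason = usable(ind, now, max_fp_rate)
        (live.append(ind) if ok else suppressed.append((ind.value, reason)))
    alerts = []
    for line in lines:
        fields = parse_line(line)
        for ind in live:
            if fields.get(FIELD_FOR_KIND[ind.kind], "").lower() == ind.value.lower():
                alerts.append({"indicator": ind.value, "placement": ind.placement(),
                               "source": ind.source, "context": ind.context,
                               "line": line})
    return alerts, suppressed


# Constructed sample data: documentation IP ranges, a made-up hash, a fixed clock.
NOW = datetime(2016, 10, 3, 15, 0, tzinfo=timezone.utc)
UTC = timezone.utc
SAMPLE_HASH = "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"
INDICATORS = [
    Indicator("198.51.100.17", "ip", "own incident, Sept 2016",
              "C2 address from September phishing case; block and pull the source host for review",
              datetime(2016, 9, 20, tzinfo=UTC), timedelta(days=90), alerts=120),
    Indicator("203.0.113.5", "ip", "bulk feed", "", datetime(2015, 1, 1, tzinfo=UTC),
              timedelta(days=365)),
    Indicator("cdn.example.org", "domain", "bulk feed", "listed as malicious",
              datetime(2016, 9, 25, tzinfo=UTC), timedelta(days=30), alerts=40,
              false_positives=30),
    Indicator(SAMPLE_HASH, "sha256", "peer organization, same vertical",
              "Dropper seen in a peer's incident; isolate host and collect the file",
              datetime(2016, 9, 28, tzinfo=UTC), timedelta(days=180), alerts=12),
]
LOG_LINES = [
    "2016-10-03T14:02:11Z proxy src=10.0.0.23 dst=198.51.100.17 host=update-check.example.net",
    "2016-10-03T14:05:40Z proxy src=10.0.0.41 dst=203.0.113.5 host=cdn.example.org",
    "2016-10-03T14:07:02Z edr host=WS-017 sha256=" + SAMPLE_HASH + " path=C:\\Temp\\inst.exe",
]

if __name__ == "__main__":
    found, dropped = apply_intel(LOG_LINES, INDICATORS, NOW)
    for a in found:
        print(f"[{a['placement']}] {a['indicator']} ({a['source']}): {a['context']}")
    for value, reason in dropped:
        print(f"suppressed {value}: {reason}")
```

Running it produces two alerts, each with the context and source needed to act on it, and reports why the stale feed entry and the noisy domain were left out; the same structure is what an expiry field and a community feedback loop buy you in practice.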
To learn about how you can add threat intelligence into InsightIDR, check out the Solution Short below.
Threat intelligence isn't as easy as plugging a threat feed into your SIEM. Integrating threat intelligence into your information security program involves (1) understanding your threat profile, (2) selecting appropriate intelligence sources, and (3) contextually applying it to your environment. However, once completed, threat intelligence will serve a very valuable role in protecting your network. Intelligence helps us understand the threats we face – not only by identifying them as they happen, but by understanding the implications of those threats and responding accordingly. Intelligence enables us to become persistent and motivated defenders, learning and adapting each step of the way.