Sage Advice - Cybersecurity Blog

Developing a Cyber Threat Intelligence Program

With cyber-attacks increasing, the likelihood that many organizations are experiencing the same attack is also increasing.  When such an incident occurs, the intelligence gathered – including what happened, how it was dealt with, and lessons that were learned – can teach your organization what to do in the same situation.  In today’s dynamic threat environment, it’s impossible to single-handedly keep on top of everything.  Implementing a threat intelligence program can help you better protect your organization.

How a Threat Intelligence Program Benefits You

You probably already have layers of cybersecurity controls in place – and they generally work as intended.  But the fact is that the current state of any organization’s controls is never going to be 100% effective in the ever-expanding threat landscape.  Let’s face it, security professionals are really risk mitigators.  In risk mitigation, the environment is where the risk exists, so being as knowledgeable about that environment as you can be, on a live, real-time basis, is your best protection.  There is a lot going on in the cyber landscape that we just can’t foresee.  Being aware is the first step in being prepared.

In a paper from the SANS Institute Reading Room, threat intelligence is defined as, “The set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities and compromise indicators.” 

A threat intelligence program will help you create a consistent way to apply the threat intelligence data set you collect, so you can quickly understand and effectively respond to evolving threats.

Characteristics of a Threat Intelligence Program

To create a threat intelligence program you must:

  1. Identify sources that define and explain the evolving threat landscape;
  2. Document how the sources will be used; and
  3. Assign roles and responsibilities for collecting, assessing, and distributing the information.

It’s also important that your program is sized to fit the needs of your organization.  There is a lot of information out there, and the task can quickly become overwhelming.  Make sure your objectives are attainable, so that you can find true value in the function.

Choosing Your Sources of Threat Intelligence

Choosing the right sources for your threat intelligence is one of the most important steps.  Managing a huge amount of data is not the point of a threat intelligence program, so you want to be sure that the sources you use provide either actionable intelligence or long-term value and knowledge.  Some basic attributes of good sources are:

  1. Authoritative - There is a lot of specious information on the internet, so be sure that your threat intelligence is coming from an organization or professional with the reputation and/or the resources to provide quality information.
  2. Actionable - Can you take what you’re learning and put it into action? Threat bulletins, threat feeds, blogs, etc., often contain steps that you can take immediately to correct potential vulnerabilities.
  3. Applicable - A good source is one that is applicable to your industry and infrastructure.  For example, if you’re using a Cisco firewall, then Cisco threats and vulnerabilities will be important to you.  Or if you are a financial institution, look for threat intelligence specific to your sector (e.g., FS-ISAC).

It’s very important that you whittle down your list to only what is useful.  Because for most organizations, this is a new function, or one that is currently done in an ad hoc manner, you don’t want to take on more than you need to.  Start small and grow into it.

How to Manage Your Sources

Once you’ve selected your sources, it’s important to put a process in place to manage the information.  There are two types of intelligence.  One type provides information that can add to your long-term knowledge base.  The other type provides information that necessitates immediate action.  In the latter, the timeliness of your review is critical. You need to formalize and stay on top of the review process, so you can decide in the moment if the information is relevant and useful for your organization.

The next step is to decide whether to act or not to act, and of course, record your decision.  Creating a repository will help keep your source material organized.  Keeping a log book will track whether the information is something you’ve acted on, or if it’s more long-term knowledge-based content.  

Assigning the function of reviewing source material, assessing the relevancy, distributing, and recording actions is a critical part of an effective threat intelligence program.  These tasks must be someone’s daily responsibility: that person is the go-to person for any information and questions.  You should also assign a back-up person.

It doesn’t necessarily need to be a full-time job.  At Sage, we designed a librarian role.  His job is to cull all of the pertinent things that he reads – he spends a certain amount of time a day doing this – and then he sends our professional services team everything he’s found that matters.  He also sends relevant articles to specific personnel as needed.

Ultimately, the importance of having an effective threat intelligence program is only going to grow.  Start developing the skill-set now.  Develop the habit of reviewing, analyzing, and disseminating your sources every day.  And grow into this capability over time.
