There is widespread acceptance that access to timely cyber threat intelligence is a critical defense strategy in our dynamic cyber threat landscape. As such, there has been an explosion of potential sources delivering a staggering amount of information. But the goal of a threat intelligence program is NOT to be able to manage a ton of data. The goal is to create a program that is both manageable and effective for your organization. That means you need to limit your sources of threat intelligence. So which do you choose?
When selecting your sources, ask yourself two questions:
- Will this information provide me with actionable intelligence that is relevant to my organization’s sector, region, and / or infrastructure?
- Will this information provide me with valuable information to build our long-term knowledge base and strategy?
If you can’t answer yes to either one of these questions, you might want to remove it from your source list.
There are three main categories of threat intelligence sources that you can choose from: critical vendors, government / public sources, and private sources. Here are some of our favorites within each category.
Your infrastructure is built from products and technologies supplied by your critical vendors. If you’re paying for a service or have purchased a product, chances are you’re going to be included in their private intelligence feeds at no additional cost. Because this information is specific to your infrastructure, it can be a great resource. Some of these vendors also provide public-facing feeds. Here are a few we like:
Government / Public Sources
- Krebsonsecurity.com - This is a great source for senior executive leadership and other managers just getting introduced to cybersecurity. It’s an investigative journalist blog that is easy to read and covers some of the best stories of the day.
- DarkReading.com - This is a great community forum from Information Week. It’s a source of instant and actionable threat intelligence, as well as information for building your knowledge base.
- SANS Internet Storm Center - There is a great wealth of information here including a library that can help you build your knowledge base. A daily podcast is also available that provides up-to-date alerts and intelligence.
- The Defense Cyber Crime Center
- US Computer Emergency Response Team (US-CERT)
- ThreatBrief.com - Subscribe to receive a daily brief of actionable intelligence on this site. You can also find knowledge base articles geared towards different roles.
- Curated Twitter feed: Twitter can be an excellent source for real-time threat intelligence. Build a list of security professionals to follow and check in on it once or twice a day. Not sure who to follow? Reach out to security professionals you know, and see who they follow. Or check out RSA’s list of Top 25 #infosec leaders to follow on Twitter.
As the importance of threat intelligence has increased, many vendors and service providers are now offering this type of service. For example, Sage’s nDiscovery threat detection service includes threat intelligence, and there are many others, including AlienVault, FireEye, and SecureWorks. We recommend subscribing to any feeds available to you that represent your infrastructure, because they are going to be relevant to you.
Information sharing and analysis centers (ISACs) are also a great source for threat intelligence. They are sector-based, member-driven organizations that “collect, analyze and disseminate actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency.” Find them all at www.isaccouncil.org. If you’re just getting started with threat intelligence, you may want to consider subscribing to a relevant ISAC feed. It will give you a big head start compared to starting from scratch.
Bottom line… you want to find the sources that are the best fit for your organization and focus your energy on those. Many smaller organizations will not have the resources to devote a full-time employee to this function; instead it will be an added responsibility for an existing employee or two, who most likely already have a full plate. You don’t want to cause undue burden because (A) the person will quickly grow upset and (B) you won’t benefit from the intended value of the program. This has to be a valuable function. It can’t just be a check box. It needs to be something that provides value to your organization. Start small and build from there.
Strengthen Your Security Team with a Dedicated Expert
Available only from Sage Data Security, nDiscovery provides independent security information analysis of your network logs from highly-trained cybersecurity experts. With over a decade of experience, we continually improve our methodology based on the latest threat intelligence. That means unauthorized access, malware, and suspicious activities are quickly detected and can be easily acted on.