Quality Over Quantity: How to Benefit From The Highest Quality Threat Intelligence
It is critical to determine which threats are the most relevant to an organization. In our last post in this series, we look at how to identify and prioritize threats to develop and implement mitigations and reduce risk based on the most dangerous threats.
IDENTIFY RELEVANT THREAT DATA
A key problem with threat intelligence today is the sheer size of the data available. It is critical to determine which threats are the most relevant and potentially dangerous to an organization in order to prioritize action. Threat intelligence that includes specific TTPs can be put to immediate use in blocking attacks, identifying compromises, or informing analysts on patterns to watch that may indicate zero-day attacks. Likewise, information culled directly from groups within an organization's community, such as an information sharing and analysis center (ISAC), or from business partners or suppliers can be correlated with internal organizational data, such as network or infrastructure information, to provide a more accurate picture of the threats and campaigns that matter.
In contrast, low-quality “data dumps” compiled from underground forums or voluminous but undifferentiated information about new and emergent malware, hacking groups, or software exploits may have the opposite effect: overwhelming an organization that hasn’t developed the expertise, processes, and systems to digest the information.
Threat intelligence providers can aid in this challenge by categorizing and ranking the information they deliver, specifying relevance to specific targets and sectors.
PRIORITIZE THREAT INTELLIGENCE
When assessing what information matters, “actionable” data is the most relevant: data about threat information that enables an organization to take specific steps to mitigate a threat, block a future attack, or otherwise address a known risk.
For example, threat intelligence culled from prior similar attacks might have provided TTPs and indicators that could help map an adversary’s infrastructure. Organizations may have found those TTPs actionable, paving the way for firewall rules to block and alert on such traffic. Examples of prior phishing campaigns might have alerted administrators to similar campaigns targeting their employees and, thus, to the presence of malicious actors on the organization’s internal network.
CLOSE THE LOOP AND MEASURE EFFECTIVENESS
Organizations should continually monitor the performance and effectiveness of threat intelligence investments and assess their value. At a high level, organizations should tailor results from a threat intelligence program to support risk-based decisions.
Existing documents, such as “NIST Special Publication (SP) 800-137 on Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” provide a solid framework for maintaining ongoing awareness of information security, vulnerabilities, and threats in modern, dynamic IT environments.
An organization wanting to utilize threat intelligence or to develop a fully integrated threat intelligence program should consider developing a comprehensive ISCM strategy that encompasses the use of threat intelligence along with more traditional information security technology, processes, procedures, and people. Properly done, ISCM programs can help executives, senior IT, and risk staff set priorities and manage risk consistently. Such programs can also measure effectiveness, including metrics that establish a meaningful measure of security status, the effectiveness of discrete security controls, compliance, and awareness of new threats and material changes. NIST has also recently released an update to NIST SP 800-137 with an eye towards assessing such programs.
MONITOR FOR ACTIVE THREATS
Active threats are described by threat indicators of an active or pending attack and include elements such as Internet Protocol (IP) addresses of hostile nodes or command and control servers, malicious or suspicious Domain Name System (DNS) domain names, file hashes, or URLs of known malicious executables. They are also described by the tactics, techniques, and procedures (TTPs) associated with a specific threat. Attackers tend to use or reuse a certain type of malicious software, attack tool, or software exploit to gain presence and persistence on a victim’s network, so knowing the TTPs can be helpful when overlaid against an organization's own vulnerabilities.
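As an added example (not code from this post or from any LookingGlass product), the following Python script carries out the two steps described above and under IDENTIFY RELEVANT THREAT DATA: it ranks a feed of indicators by relevance to the organization's sector and exposed TTPs, then correlates the surviving indicators with internal DNS and proxy logs. The feed records, organization profile and log lines are constructed for the example.

```python
# Constructed threat-feed records (not a real feed): indicator, sectors it was
# seen targeting, the TTP it belongs to, and the provider's confidence.
FEED = [
    {"type": "domain", "value": "login-verify.example.test",
     "sectors": ["finance"], "ttp": "credential-phishing", "confidence": 85},
    {"type": "ip", "value": "203.0.113.10",
     "sectors": ["finance", "energy"], "ttp": "c2-beacon", "confidence": 90},
    {"type": "sha256", "value": "a" * 64,
     "sectors": ["healthcare"], "ttp": "ransomware-dropper", "confidence": 80},
    {"type": "url", "value": "http://cdn.example.test/x.exe",
     "sectors": [], "ttp": "unknown", "confidence": 20},
]

# Constructed organizational context: our sector and the TTPs we know we are exposed to.
ORG = {"sector": "finance", "exposed_ttps": {"credential-phishing", "c2-beacon"}}

# Constructed internal DNS/proxy log lines: "<time> <source> <client> -> <dest>".
LOGS = [
    "2024-05-01T10:02:11Z dns 10.0.5.21 -> login-verify.example.test",
    "2024-05-01T10:03:40Z proxy 10.0.5.21 -> 203.0.113.10:443",
    "2024-05-01T10:04:02Z proxy 10.0.7.8 -> 198.51.100.5:80",
]

def relevance(ind, org):
    """Score 0-100: provider confidence, raised when the indicator targets our
    sector or a TTP we are exposed to, lowered when it targets other sectors only."""
    score = ind["confidence"]
    if org["sector"] in ind["sectors"]:
        score += 20
    elif ind["sectors"]:
        score -= 30
    if ind["ttp"] in org["exposed_ttps"]:
        score += 20
    return max(0, min(100, score))

def prioritize(feed, org, threshold=60):
    """Keep only indicators worth acting on, highest relevance first."""
    ranked = sorted(feed, key=lambda i: relevance(i, org), reverse=True)
    return [i for i in ranked if relevance(i, org) >= threshold]

def correlate(indicators, logs):
    """Match prioritized indicators against log destinations (port stripped).
    Returns (indicator, internal client, TTP) so the analyst knows where to look."""
    hits = []
    for line in logs:
        client, dest = line.split()[2], line.split()[-1].split(":")[0]
        for ind in indicators:
            if ind["value"] == dest:
                hits.append((ind["value"], client, ind["ttp"]))
    return hits
```

The healthcare ransomware hash and the untagged URL fall below the threshold and never reach the log correlation, while the two finance-relevant indicators both resolve to the same internal client, which is the actionable finding.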
HOW LOOKINGGLASS THREAT INTELLIGENCE CAN HELP
LookingGlass integrates high-quality threat intelligence into every aspect of our comprehensive portfolio of products, so organizations can confidently anticipate, understand, detect, and prevent cyber threats. To learn more about how to select and use quality, actionable threat intelligence, download our free eBook, Quality Over Quantity: A Guide To Threat Intelligence Selection And Use.
High-quality threat intelligence provides background on potential attacks, threats, and threat actors, which in turn lets you identify possible gaps in your defenses. When TTPs are published as part of a breaking news story, or when a specific industry is affected, high-quality threat intelligence such as scoutPRIME® will already have a sense of where to start looking. From there, it gathers more information and data so that you have the tools to cover those gaps.
Learn more about how LookingGlass can help your organization by contacting us today.