Quality Over Quantity: What Data Do You Need?
In our first post on threat intelligence, we discussed why threat intelligence requires refinement, enrichment, and prioritization for specific business use cases.
This post discusses which kinds of information are relevant and useful to an organization, and whether that data actually qualifies as threat intelligence.
UNDERSTAND BUSINESS RISK
Before diving into threat intelligence, organizations should conduct a risk assessment to understand their business risk. Properly conducted, risk assessments can provide a thorough picture of an organization’s mission, functions, IT, organizational assets, and reputation. Risk assessments help identify direct and indirect threats to an organization, the vulnerabilities within an organization, and the risks they pose. With this picture, one can define the kinds of threat intelligence and information that can reduce those risks and provide additional situational awareness for added protection.
COLLECT AND AGGREGATE DATA
When aggregating threat intelligence, we recommend casting the net broadly, guided by the results of the risk assessment. Drawing on multiple data sources helps ensure that collection covers the organization adequately and provides context about the threats likely to affect it. One source of threat information to consider is network, infrastructure, and connectivity data.
Application data is another useful source of threat information. This includes data from operating systems, web browsers, and email servers, as well as from security monitoring tools such as antivirus and host intrusion prevention products. The data collected might include file attributes, system events such as sudden shutdowns or failures, commands entered, registry settings, and configuration files.
DEFINE KNOWN VULNERABILITIES
Information about known vulnerabilities in software or hardware is critical to developing actionable threat intelligence. While the media may harp on the use of a "zero day" (a previously unknown, undisclosed flaw), most successful cyber attacks exploit vulnerabilities that are already well known and publicly documented.
MONITOR FOR ACTIVE THREATS
Active threats are described by indicators of an attack that is under way or pending: Internet Protocol (IP) addresses of hostile nodes or command and control servers, malicious or suspicious Domain Name System (DNS) domain names, file hashes, and URLs hosting known malicious executables. They are also described by the tactics, techniques, and procedures (TTPs) associated with a specific threat. Attackers tend to reuse a particular piece of malware, attack tool, or exploit to gain a foothold and persistence on a victim's network, so knowing their TTPs is helpful when overlaid against your own vulnerabilities.
INGEST ANALYST INSIGHTS AND REPORTS
Reports from analysts working inside a firm or on behalf of third-party contractors are another valuable source of threat information. These individuals, often working as part of incident response teams, can deliver updates on a wide range of topics, including the shape of specific malicious campaigns, the TTPs used in those campaigns, exploit code and tools encountered, motives and likely targets, and ways to mitigate or recover from attacks. Ingesting these reports to build threat actor profiles and catalogue their go-to TTPs can be extremely helpful in understanding the impact on your organization.
WHAT DOES HIGH-QUALITY THREAT INTELLIGENCE LOOK LIKE?
High-quality threat intelligence provides background on potential attacks and on the threat actors behind them, which lets you identify gaps in your defenses. When TTPs are published as part of a news story, or when a specific industry is targeted, threat intelligence presented in a cohesive tool such as LookingGlass scoutPRIME® gives you a sense of where to start looking. From there, you gather the additional information and data needed to close those gaps.
LookingGlass integrates high-quality threat intelligence into every aspect of our comprehensive portfolio of products, so organizations can confidently anticipate, understand, detect, and prevent cyber threats. To learn more about how to select and use quality, actionable threat intelligence, download our free eBook, Quality Over Quantity: A Guide To Threat Intelligence Selection And Use.
NOT DONE GATHERING INTEL? CONTACT US!
At LookingGlass, we help our clients aggregate, correlate, and contextualize threat intelligence using dozens of feeds. Contact us if you’d like to learn more.