Cyber Threat Intelligence: How to Turn Quantity into Quality
April 26th, 2018
Cyber threat intelligence has become a key component of any cyber security strategy because it provides a new dimension of visibility, monitoring and intelligence gathered from multiple sources across the clear, deep and dark web. Many CISOs consider cyber threat intelligence to be an essential tool for running a sophisticated, effective and efficient cyber security operation, allowing different functions in cyber security to make better decisions when dealing with cyber threats.
The Problem with Quantity over Quality
While threat intelligence platforms have their benefits, many organizations struggle to use them effectively due to the sheer volume of alerts and information that is generated. Here are some of the symptoms of “intelligence overload”:
- No Prioritization or Context: One-off alerts don’t provide any context or relevancy. Priorities and threat severity are usually based on multiple factors, so without correlation or context, a security team will not be able to distinguish real threats from the noise.
- Slower Incident Response: When a team can’t identify which issues are most important, they are slower to resolve critical issues, which can be incredibly costly if attacks aren’t mitigated quickly.
- Lost Confidence in Platform: Too many false positive or irrelevant alerts can cause a team to lose confidence in the platform. They are also more likely to ignore important alerts due to alert fatigue, which has serious implications on organizational readiness for security incidents.
- Analyst Overload (and burnout): Analysts are responsible for investigating threats, and if the alerts aren’t relevant to them, they’ll waste a lot of time investigating threats that aren’t priorities. Not only is this inefficient, but it also leads to analyst burnout and churn.
Generic, one-off alerts don’t provide much value for an organization. For example, the image below is a general alert about a vulnerability discovered in a CAN bus component (a component widely used by automotive manufacturers).
Figure 1: example of a general vulnerability alert
While this vulnerability could be of concern, simply discovering a vulnerability doesn’t mean that it can be exploited in the short or mid term. And even though all auto manufacturers use CAN bus, this vulnerability may only affect a few of them if it only applies to specific implementations and configurations of the CAN bus component in each vehicle. Correlating these different variables and providing a single alert only when all conditions are met provides much more value than just alerting the team that there is a vulnerability out there.
This is an example of how threat intelligence quantity can be turned into quality.
Cyber threat intelligence platforms are often leveraged by many different cyber security functions within the organization, like SOC analysts, threat hunters, IR teams, IT security engineers, cyber risk managers, anti-fraud teams and forensics teams. In order for all teams to operate efficiently and effectively, they must have quality, tailor-made cyber threat intelligence that is specific and relevant to their company’s digital footprint. This will help the entire organization make better decisions in order to protect their infrastructure, applications, business, employees and customer data.
So, what is considered good quality cyber threat intelligence?
In order for threat intelligence to be considered “quality”, it should meet the following criteria:
- It must be “tailor made” intelligence - Gathering threat intelligence using general attributes and assets will only create generic information, which is the opposite of what you want. Instead, organizations should be using assets that are specific and most important to them. For example, collecting intelligence on their domains, IPs, brands, employees, executives and more.
- Contains relevant context - Context is more than just WHOIS data. It must include relevance to your organization and your sector. For the intelligence to be valuable, you must have the most up-to-date information on threats that are targeting you, your business sector or a specific technology that you use. Without the proper context, it will be impossible to gather real and actionable intelligence that will enable you to mitigate the real threats.
- Tactical and analyzed threat intelligence - Cyber threat intelligence should alert you to threats that are specifically targeting your organization from the outside world. In addition, you should be able to easily determine what type of risk the threat poses, what the potential impact is and how you can mitigate. It takes a lot of time for an analyst to do this work manually, so leveraging algorithms and machine learning will help your team prioritize threats and work efficiently.
- Integration and real-time Automation - Automation is not necessarily critical to effective threat intelligence, but it can be incredibly valuable. Imagine that you have incredibly accurate, relevant and actionable intelligence, but you can’t feed it in real time directly to your security environment. You’d miss a huge opportunity to increase operational efficiency and reduce the time to mitigate threats.
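The correlation described for the CAN bus vulnerability above, and the “tailor-made”, contextual and analyzed criteria in this list, can be shown as a small triage routine. The following is an added example written for this post, not code from IntSights or from any threat intelligence platform; the asset profile, feed items, scoring weights and alert threshold are all constructed for illustration. It takes a raw feed and an organization’s own asset profile (name, sector, domains, brands and the technology configurations actually deployed) and raises an alert only when an item is relevant to that profile, so a generic vulnerability in a configuration the organization does not run is dropped while an attack naming the organization’s brand is escalated with context and a recommended action.

```python
"""Correlate raw threat-intelligence items against an organization's own asset
profile so only relevant, contextualised alerts are raised.

Constructed illustration: the asset profile, feed items, weights and threshold
are made up for this example and do not come from any real platform.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AssetProfile:
    """The organization's 'tailor-made' inputs: what it owns and runs."""
    name: str
    sector: str
    domains: set
    brands: set
    technologies: dict  # technology name -> set of deployed configurations


@dataclass
class IntelItem:
    """One raw feed item (constructed shape, not a real feed format)."""
    item_id: str
    kind: str  # "vulnerability" or "attack"
    summary: str
    sectors: set = field(default_factory=set)
    technology: str = ""
    affected_configs: set = field(default_factory=set)
    exploit_available: bool = False
    named_targets: set = field(default_factory=set)  # org names, domains, brands


@dataclass
class Alert:
    item_id: str
    score: int
    severity: str
    context: list
    action: str


ALERT_THRESHOLD = 30  # constructed cut-off: below this the item is noise for us
ACTIONS = {
    "vulnerability": "schedule patch or compensating control for the affected configuration",
    "attack": "open an incident, block the indicators, brief the fraud and IR teams",
}


def correlate(item: IntelItem, org: AssetProfile) -> Optional[Alert]:
    """Score one feed item against the org profile; return an Alert or None."""
    score, context = 0, []
    own_names = {org.name} | org.domains | org.brands

    # Direct targeting: the item names us, our domains or our brands.
    if item.named_targets & own_names:
        score += 50
        context.append("directly references our organization or assets")
    # Sector relevance.
    if org.sector in item.sectors:
        score += 15
        context.append(f"targets the {org.sector} sector")
    # Technology relevance counts only if we deploy an affected configuration.
    deployed = org.technologies.get(item.technology, set())
    if deployed and (not item.affected_configs or deployed & item.affected_configs):
        score += 20
        context.append(f"affects our deployed {item.technology} configuration")
    # Exploitability only matters once the item is relevant to us at all.
    if item.exploit_available and score > 0:
        score += 15
        context.append("public exploit available")

    if score < ALERT_THRESHOLD:
        return None
    severity = "critical" if score >= 70 else "high" if score >= 45 else "medium"
    return Alert(item.item_id, score, severity, context,
                 ACTIONS.get(item.kind, "review manually"))


def triage(items, org):
    """Turn a noisy feed into the short list of alerts worth an analyst's time."""
    alerts = [a for a in (correlate(i, org) for i in items) if a is not None]
    return sorted(alerts, key=lambda a: a.score, reverse=True)


# Constructed sample organization and feed (names and configurations are made up).
EXAMPLE_ORG = AssetProfile(
    name="Example Motors", sector="automotive",
    domains={"example-motors.example"}, brands={"ExampleDrive"},
    technologies={"CAN bus": {"config-B"}},
)
EXAMPLE_FEED = [
    IntelItem("vuln-1", "vulnerability", "CAN bus flaw in config-A",
              technology="CAN bus", affected_configs={"config-A"}, exploit_available=True),
    IntelItem("vuln-2", "vulnerability", "CAN bus flaw in config-B",
              technology="CAN bus", affected_configs={"config-B"}, exploit_available=True),
    IntelItem("attack-1", "attack", "Phishing campaign spoofing the ExampleDrive portal",
              sectors={"automotive"}, named_targets={"ExampleDrive"}),
    IntelItem("vuln-3", "vulnerability", "Exploit published for an unrelated product",
              technology="Unrelated-X", exploit_available=True),
]


def run_example():
    return triage(EXAMPLE_FEED, EXAMPLE_ORG)


if __name__ == "__main__":
    for alert in run_example():
        print(alert.severity.upper(), alert.item_id, alert.score, "; ".join(alert.context))
```

Of the four constructed items, only two survive: the phishing campaign naming the organization’s brand (scored high) and the CAN bus flaw in the configuration the organization actually deploys (scored medium because an exploit exists). The same flaw in a configuration that is not deployed, and an exploit for a product the organization does not run, produce no alert at all; the exploit bonus is deliberately applied only after some relevance has been established, which is the distinction the CAN bus discussion draws between a vulnerability existing and it mattering to you.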
Here’s an example of a targeted and specific alert about an attack on a financial service provider. The alert contains the specific company name, type of attack and method. This type of alert is highly relevant and allows the company to respond quickly.
Figure 2: example of a quality threat intelligence alert
Cyber threat intelligence should continuously feed your organization with information that is specific, relevant and actionable. This will ensure your team operates efficiently and gets the insight they need to protect your organization from cyber threats. When it comes to cyber security, you don’t have the luxury of being able to fail from time to time. You must succeed every time in mitigating attacks. Focusing on the quality of your threat intelligence instead of the quantity will help you achieve this and keep your organization, your employees and your customers safe.
A great source of information that you should be monitoring is Open Source Threat Intelligence (OSINT). Read our eBook to learn more about this type of information and how it can be used to proactively protect your organization.
eBook: Piercing the Cloak of Secrecy: Using OSINT to Protect Against Cyber Attacks