How to build an effective Threat Intelligence Program

Why do I need Threat Intelligence?

Cyber Threat Intelligence identifies existing or developing threats that could harm your business, thereby reducing cyber risk. It is both proactive and reactive: it helps you analyse an attacker’s modus operandi, prevent and respond to incidents faster, and support future detection. Threat Intelligence works on several levels at once: it supports strategic decision-making, provides operational guidance that strengthens reaction and response mechanisms in security engineering, and produces actionable technical indicators to identify and mitigate cyber-attacks.

 

I already ingest 2 million IOCs a day – do I have Intelligence?

Simply put: No. Throwing a myriad of unscrutinised indicators of compromise at your defences will only result in false positives.

 

So where do I start?

First, find out how your environment works, how your response team handles incidents, what resources and skills you have available and what internal and external sources you can use. Baselining legitimate user and system behaviour over several months can be a good starting point to reduce false positives. Leveraging employees as sensors to report suspicious emails, calls and browser behaviour can also provide a wealth of useful information.

Then create a plan of action and identify the issues that threat intelligence can solve, such as accelerated incident response. Strategic threat models can help you here, provided they are kept up to date and evolve with the ever-changing threat landscape on both a technological and a geopolitical level. These strategic requirements then guide the collection and analysis of the threat information that is relevant to your organisation. Keep an eye on your supply chain too, as their threat level could change and thus affect you. Know yourself, and know your enemy and their tools, tactics and procedures.

Now familiarise yourself with intelligence concepts to really kickstart your program: the traditional Intelligence Cycle, the Cyber Kill Chain and Courses of Action, OpenIOC, STIX/TAXII, the Diamond Model, Analysis of Competing Hypotheses, the ATT&CK threat model, the Traffic Light Protocol and the Pyramid of Pain.

Finally, address the three core principles of Threat Intelligence: strategic, operational and tactical intelligence. Good examples of strategic threat assessments are the 2017 Verizon Data Breach report or similar reports from NCSC or ENISA. Operational threat intelligence is about who is targeting you, how and why, and can be obtained through a simple RSS feed reader. Check out Inoreader or Feedly and subscribe to as many feeds as you can, such as ICS-CERT, US-CERT, Threatpost, ThreatResearch, Bugtraq, Anomali, Fox-IT, SANS ICS, SecurityWeek, PhishMe, Krebs, Schneier etc. Tactical intelligence creates actionable indicators of compromise that focus on the how, which makes them suitable for threat hunting. Digesting these indicators can be the most challenging of the three, as ideally you need real-time logging, correlation and log retention of at least 90 days (think SIEM), endpoint visibility and experienced analysts making sense of the data. Raw log data can turn into meaningful information, which, once put into context, becomes intelligence. Keep in mind that both operational and tactical information have a shorter shelf life than longer-term strategic assessments of the threat landscape.

Throughout your progress, get buy-in from leadership to put your plan smoothly into action, and regularly report back with metrics that demonstrate improved visibility of your network, decreased incident response time and successfully thwarted attacks. As a word of warning, if you find yourself overloaded with threat information that is not acted upon, threat intelligence may not provide much benefit to you right now.

 

What tools do I need?

To get more out of open source, commercial and community feeds, consider aggregating and normalising them in one platform. A Threat Intelligence Platform (TIP) allows you to handle the deluge of available information, curate it and customise it. There is no need for an expensive product and shiny commercial feeds; open source solutions generally do the trick, and MISP in particular has recently gained a lot of momentum. For feeds, start with this link repository. If you have specific requirements, such as increasing your visibility of strategic intelligence, vendor solutions can go the extra mile.

Enriching threat information in your platform with WHOIS data, DNS records and a VirusTotal or sandboxing score before correlating it with your internal environment provides further context and makes the data more meaningful. Don’t take the sources’ risk scores for granted; adjust them according to your threat model. If an indicator source ends up producing false positives or turns out to be providing out-of-date indicators, don’t cling on to it: remove it from your platform or lower its reputation score.
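The scoring and curation steps described above, together with the shelf-life and log-to-intelligence points from the section on the three intelligence levels, as an added illustration that is not code from this post or from MISP: a hypothetical Python pipeline that normalises indicators from constructed feeds, weights each feed's own score by an assumed source reputation, decays it over an assumed shelf life per intelligence level, lowers a source's reputation when an analyst marks one of its indicators a false positive, and correlates what survives against constructed proxy log lines.

```python
# Added toy pipeline (not MISP code): normalise feed IOCs, weight by source trust,
# decay by shelf life, keep survivors as a watchlist, correlate with log lines.
from datetime import datetime, timedelta

NOW = datetime(2018, 1, 15)                      # fixed clock so results are reproducible
SHELF_LIFE_DAYS = {"tactical": 30, "operational": 90, "strategic": 365}  # assumed values
REPUTATION = {"feed_a": 1.0, "feed_b": 1.0}      # our trust in each source, 0..1

# Constructed feed entries: (source, indicator, intel level, feed's score 0-100, date seen)
FEED = [
    ("feed_a", "evil[.]example", "tactical", 90, NOW - timedelta(days=2)),
    ("feed_b", "EVIL[.]EXAMPLE", "tactical", 80, NOW - timedelta(days=25)),  # same IOC, old
    ("feed_b", "203.0.113.7", "operational", 95, NOW - timedelta(days=45)),  # half-life left
    ("feed_b", "198.51.100.9", "tactical", 95, NOW - timedelta(days=45)),    # past shelf life
]
# Constructed proxy log lines to correlate against.
LOGS = [
    "2018-01-15T10:01:02 src=10.0.0.5 dst=evil.example GET /payload.exe",
    "2018-01-15T10:02:09 src=10.0.0.6 dst=203.0.113.7 CONNECT",
    "2018-01-15T10:03:11 src=10.0.0.7 dst=intranet.corp GET /",
]

def normalise(ioc):
    """Undo defanging and case so the same indicator from two feeds dedupes."""
    return ioc.strip().lower().replace("hxxp", "http").replace("[.]", ".")

def score(source, level, feed_score, seen, reputation=REPUTATION, now=NOW):
    """Feed score x trust in the source x freshness (1 when new, 0 at end of shelf life)."""
    freshness = max(0.0, 1 - (now - seen).days / SHELF_LIFE_DAYS[level])
    return round(feed_score * reputation[source] * freshness, 1)

def mark_false_positive(source, reputation=REPUTATION, penalty=0.2):
    """An analyst's 'false positive' verdict lowers that source's trust; returns a new dict."""
    updated = dict(reputation)
    updated[source] = max(0.0, round(updated[source] - penalty, 2))
    return updated

def build_watchlist(feed=FEED, reputation=REPUTATION, now=NOW, threshold=20.0):
    """Merge feeds into {normalised indicator: best score}, dropping stale or weak entries."""
    watch = {}
    for source, ioc, level, feed_score, seen in feed:
        s = score(source, level, feed_score, seen, reputation, now)
        if s >= threshold:
            watch[normalise(ioc)] = max(s, watch.get(normalise(ioc), 0.0))
    return watch

def correlate(logs=LOGS, watchlist=None):
    """Return (log line, indicator, score) per hit; a substring match keeps it simple."""
    watchlist = build_watchlist() if watchlist is None else watchlist
    return [(line, ioc, s) for line in logs for ioc, s in watchlist.items() if ioc in line.lower()]
```

Note that the two 45-day-old indicators get different treatment purely because of their intelligence level: the operational one keeps half its score while the tactical one has expired.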

Much more important than tools are dedicated and skilled staff, and processes around the planning, collection, analysis and distribution phases of intelligence. Cyber Threat Intelligence is not done on the side. Give your staff the responsibility, data sources and training they need to become experts in dealing with and acting on threat information. If you cannot afford a dedicated threat intelligence function, you may be better off investing in incident response for now.


Adding the Secret Sauce

Many organisations already look at strategic threat assessments, read cyber security related news and have a security team. But the key to success is to combine all three. Plan where your organisation is heading and identify the threats facing you, find relevant sources, extract indicators for hunting and correlation, then have your techies analyse and enrich them and feed everything back up to adjust the strategy. Involve every department and collaborate. A thorough understanding of your own environment may even reduce the need for expensive external intelligence solutions; the best intelligence will come from your own incident analysis. This means no vendor on earth can sell “actionable threat intelligence” to you unless they know your environment as well as you do. Intelligence is not just a product, it is a process.

 

What’s next? Sharing, Sharing, Sharing.

Knowledge gained from incident analysis is more useful to the community if it is shared. We all depend on our peers to tell us about the attacks they suffer, so we really need to return the favour. When communicating intelligence, we need to know our audience and adapt to their unique needs. Some organisations may only want indicators of compromise or indicators of attack, some may be after a thorough analysis with threat actor attribution, others only need a high-level summary and forecast. Look to your peers for sharing: personal contacts, ISACs (Information Sharing and Analysis Centers), ISAOs (Information Sharing and Analysis Organisations), cross-sector sharing groups and national CERTs. The most mature threat intelligence programs are not only ingesting and using threat intelligence, but producing intelligence and proactively informing other organisations about current and emerging threats.

(tt)

Very nice breakdown of the problem with actionable guidance on how to start and how to improve. I'd love to see follow-ups to this where you dig deeper into each area and dig out more value!

Excellent write up Terence!
