9 Ways for an Enterprise to Improve Its Threat Intelligence Strategy

By Chris Preimesberger  |  Posted 2016-02-22
1 - 9 Ways for an Enterprise to Improve Its Threat Intelligence Strategy

Keeping an eye on the big picture, reducing operational threats and maintaining profitability should be fundamental to a company's threat intelligence strategy.
2 - Go Beyond Passive Intelligence Gathering

There are three primary means of gathering cyber-threat intelligence: 1) signals intelligence (SIGINT) results from intercepting and analyzing signals, usually those used for communications; 2) open-source intelligence (OSINT) comes from publicly available information, which for our purposes means intelligence sourced from the Internet, whether through search engines or focused crawling software; 3) human intelligence (HUMINT) comes from human sources within threat-actor communities. Establish priorities that fit your organization.
3 - To Build or Not to Build: Bite the Bullet and Choose

The thing about threat intelligence is that you never seem to have enough. Most companies start out small, and the more they look, the more they find. After a while the job gets too big, and something has to be done. Then comes that age-old question: build or buy? Get advice from specialists that fit your use case before going it alone.
4 - Get Better Context

It's tempting to focus exclusively on the latest threats and pore over the last week's incoming signals data trying to identify nefarious micro trends. But if you get lost in the minutiae, you risk falling prey to other, more enduring threats. Your threat intelligence must cover both macro and micro time periods in order to minimize the risk of suffering a serious breach.
5 - It's Not What You Know, It's What You Do With It

One of the most common issues with threat intelligence is not the collection or processing of intelligence; it's the communication of intelligence between different areas of the organization. Red teams, security operations centers (SOCs), incident response (IR) and vulnerability management are all areas that can benefit dramatically from high-quality threat intelligence. If the only thing you do after reading this is to investigate the way intelligence is disseminated within your organization, it will have been worth your time.
6 - Breach the Knowledge Gap

When it comes to threat intelligence, there is a wide (and widely publicized) knowledge gap, and it's roughly the size and shape of the average C-suite. This will need to change. However, keep in mind that the knowledge gap isn't necessarily the fault of C-suite members; it's the fault of cyber-specialists who lack the ability to translate these very real cyber-threats into language that leaders can understand and act upon. So make it a point to engage with them as often as possible, in person and through other channels. Ask them what they need and how they need it. They need useful information in a format they can digest and understand easily.
7 - Operational vs. Strategic

A useful TI program automates the processing of external attack data (indicators of compromise, or IOCs) from all available sources. Automating incident identification is Phase One. Phase Two is automating the creation of new defensive controls (generally rules) to prevent future incidents. This core TI function is operational because it revolves around computational resources. Building on those operational capabilities, a world-class TI program adds strategic analysis centered on talented human analysts, who identify current and future information security threats to the business's strategic assets.
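As an added example (not code from the slide show or from Recorded Future), the following Python sketch shows the two operational phases end to end: a constructed IOC feed is normalized and indexed, matched against constructed log lines (Phase One), and the confirmed hits are turned into deduplicated block rules (Phase Two). The iptables and DNS RPZ rule formats are real; the EDR hash-rule syntax and every indicator, address and log value are constructed placeholders.

```python
import re
from collections import defaultdict
# Constructed sample IOC feed (not a real feed): defanged and raw indicators from two sources.
IOC_FEED = [
    {"type": "ip", "value": "198.51.100[.]7", "source": "feed-a"},
    {"type": "domain", "value": "Bad-Updates[.]example", "source": "feed-a"},
    {"type": "domain", "value": "bad-updates.example", "source": "feed-b"},  # same as above
    {"type": "sha256", "value": "A" * 64, "source": "feed-b"},
]
# Constructed sample telemetry: proxy, firewall and endpoint (EDR) log lines.
LOG_LINES = [
    "2016-02-22T10:01:03Z proxy src=10.0.0.5 dst=bad-updates.example",
    "2016-02-22T10:01:09Z proxy src=10.0.0.9 dst=cdn.example",
    "2016-02-22T10:02:41Z fw src=10.0.0.5 dst=198.51.100.7",
    "2016-02-22T10:03:00Z edr host=ws-05 sha256=" + "a" * 64,
]
FIELD_TO_TYPE = {"dst": ("ip", "domain"), "sha256": ("sha256",)}  # log field -> IOC types

def normalize(value):
    # Refang ([.] -> .), trim and lowercase so every feed agrees on one canonical form.
    return value.replace("[.]", ".").strip().lower()

def build_index(feed):
    # One lookup table per indicator type; sources reporting the same value are merged.
    index = defaultdict(dict)
    for ioc in feed:
        index[ioc["type"]].setdefault(normalize(ioc["value"]), set()).add(ioc["source"])
    return index

def find_incidents(index, lines):
    # Phase One: each log line whose field value is an indexed indicator becomes a hit.
    hits = []
    for line in lines:
        for field, types in FIELD_TO_TYPE.items():
            m = re.search(rf"\b{field}=(\S+)", line)
            if m:
                value = m.group(1).lower()
                hits += [(line, t, value, sorted(index[t][value])) for t in types if value in index[t]]
    return hits

def derive_rules(hits):
    # Phase Two: turn confirmed hits into deduplicated block rules for existing controls.
    rules = set()
    for _, t, value, _ in hits:
        if t == "ip":
            rules.add(f"iptables -A OUTPUT -d {value} -j DROP")  # host firewall rule
        elif t == "domain":
            rules.add(f"{value} CNAME .")  # DNS RPZ record: resolver answers NXDOMAIN
        else:
            rules.add(f"block-hash sha256:{value}")  # hypothetical EDR rule syntax
    return sorted(rules)
```

Merging sources per indicator is what lets an analyst see that two feeds agree on the same domain, which is a stronger signal than either feed alone.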
8 - Trend Identification

Trend identification may include macro projects, such as determining next year's top cyber-threats to the enterprise. Macro trends are generally viewed through quarterly or annual lenses; micro trends include identifying the release of new tools likely to be leveraged by adversaries. Micro trends tend to be daily or weekly in nature.
9 - Internal Hunting

Monitoring for rogue insider activity and/or undetected external attacks is another strategic function that TI should regularly be performing. Knowledge of the network topology and available telemetry sources is a prerequisite, but great hunters are creative and able to produce new hunting methodologies based on pattern and anomaly recognition in single and combined data sets.
10 - Just Keep Asking Yourself One Question

When it comes down to it, threat intelligence is as complicated as you want it to be. There's always something else to test, more logs to check and new research to pore over. But while you're doing that, you should keep asking yourself the same question: Will this help the organization stay profitable? Any time the answer is no, put it down and move on. After all, there's plenty more where that came from.
It's every chief information security officer's dream to run a ship so tight that not a single exploit, advanced persistent threat or hacktivist attack could ever hope to make it through. But while it is indeed a dream, it should be reality. The problem is that as a CISO works toward optimizing a threat intelligence strategy, he or she often loses sight of the big picture. The collection, dissemination and use of threat intelligence have only one real purpose: to reduce operational risk in order to maintain or improve profitability. With the troubling new trend toward data destruction by bad actors, the risk of long-term damage is getting higher. So what is a CISO to do? By concentrating intelligence efforts on highly specific business objectives (e.g., to maintain or improve profitability), this broad subject can be narrowed down to the point where a small amount of highly valuable intelligence is produced. This is a start toward establishing a more effective threat intelligence strategy. This eWEEK slide show examines this concept, as put forth by Pete Hugh of security consulting firm Recorded Future.