19 Ways for an Enterprise to Improve Its Threat Intelligence Strategy
2. Go Beyond Passive Intelligence Gathering
There are three primary means of gathering cyber-threat intelligence: 1) signals intelligence (SIGINT) results from intercepting and analyzing signals, usually those used for communications; 2) open-source intelligence (OSINT) comes from publicly available information; for our purposes, it’s intelligence sourced from the Internet, whether through search engines or focused crawling software; 3) human intelligence (HUMINT) includes human sources within threat-actor communities. Establish priorities befitting your organization.
3. To Build or Not to Build: Bite the Bullet and Choose
The thing about threat intelligence is that you never seem to have enough. Most companies start out small, and the more they look, the more they find. After a while the job gets too big, and something has to be done. Then comes that age-old question: build or buy? Get advice from specialists who fit your use case before going it alone.
4. Get Better Context
It’s tempting to focus exclusively on the latest threats and pore over the last week’s incoming signals data trying to identify nefarious micro trends. But if you get lost in the minutiae, you risk falling prey to other, more enduring threats. Basically, your threat intelligence must cover both macro and micro time periods in order to minimize the risk of suffering a serious breach.
5. It’s Not What You Know, It’s What You Do With It
One of the most common issues with threat intelligence is not the collection or processing of intelligence. It’s the communication of intelligence between different areas of the organization. Red teams, security operations centers (SOCs), incident response (IR), vulnerability management: these are all areas that can benefit dramatically from high-quality threat intelligence. If the only thing you do after reading this is to investigate the way intelligence is disseminated within your organization, it will have been worth your time.
6. Bridge the Knowledge Gap
When it comes to threat intelligence, there is a wide (and widely publicized) knowledge gap, and it’s roughly the size and shape of the average C-suite. This will need to change. However, keep in mind that the knowledge gap isn’t necessarily the fault of C-suite members; it’s the fault of cyber-specialists who lack the ability to translate these very real cyber-threats into language that leaders can understand and act upon. So make it a point to engage with them as often as possible, in person and through other channels. Ask them what they need and how they need it. They need useful information in a format they can digest and understand easily.
7. Operational vs. Strategic
A useful TI program automates the processing of external attack data (also known as indicators of compromise, or IOCs) from all available sources. Automating incident identification is Phase One. Phase Two is automating new defensive controls (generally rules) to prevent future incidents. This core TI function is operational because it revolves around computational resources. Building on operational capabilities, a world-class TI program consists of strategic analysis centered around talented human resources. Analysts identify current and future information security threats to the business’s strategic assets.
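As an added illustration of the two operational phases above (not code from the eWEEK article), the following Python sketch merges IOCs from several constructed feeds, matches them against constructed proxy log lines (Phase One), and turns the confirmed hits into deny-list rules (Phase Two). The feed values, log lines and rule syntax are all assumptions made for the example.

```python
# Added example of an operational TI pipeline: IOC feeds -> incident matches -> rules.
import ipaddress

# Constructed IOC feed entries (type, value, source, confidence); not real indicators.
IOC_FEED = [
    ("ip", "203.0.113.45", "feed-a", 90),
    ("ip", "203.0.113.45", "feed-b", 70),   # same IOC reported by a second source
    ("domain", "bad.example", "feed-a", 80),
    ("domain", "low-conf.example", "feed-c", 30),
]

# Constructed proxy log lines: "<timestamp> <src_ip> <dst_ip> <host> <status>"
PROXY_LOGS = """\
2024-05-01T10:00:01Z 10.0.0.5 198.51.100.7 www.example.com 200
2024-05-01T10:00:02Z 10.0.0.9 203.0.113.45 bad.example 200
2024-05-01T10:00:03Z 10.0.0.9 198.51.100.8 low-conf.example 200
"""

def normalize_feed(feed, min_confidence=50):
    """Merge duplicate IOCs across sources and drop low-confidence entries."""
    merged = {}
    for kind, value, source, conf in feed:
        key = (kind, value.lower())
        entry = merged.setdefault(key, {"sources": set(), "confidence": 0})
        entry["sources"].add(source)
        entry["confidence"] = max(entry["confidence"], conf)
    return {k: v for k, v in merged.items() if v["confidence"] >= min_confidence}

def identify_incidents(logs, iocs):
    """Phase One: return (timestamp, src_ip, matched IOC key) for each log hit."""
    hits = []
    for line in logs.splitlines():
        ts, src, dst, host, _status = line.split()
        for key in (("ip", dst), ("domain", host.lower())):
            if key in iocs:
                hits.append((ts, src, key))
    return hits

def build_rules(hits):
    """Phase Two: derive deduplicated deny-list rules from confirmed hits."""
    rules = set()
    for _ts, _src, (kind, value) in hits:
        if kind == "ip":
            rules.add(f"deny ip any -> {ipaddress.ip_address(value)}")
        else:
            rules.add(f"deny dns-query {value}")
    return sorted(rules)
```

In a real program the IOC confidence threshold and the rule format would come from the organization's own feeds and controls; the point is that both phases are mechanical and belong to the automated, operational layer.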
8. Trend Identification
Trend identification may include macro projects, such as determining next year’s top cyber-threats to the enterprise. Macro trends are generally viewed through quarterly or annual lenses; micro trends include identifying the release of new tools likely to be leveraged by adversaries. Micro trends tend to be daily or weekly in nature.
9. Internal Hunting
Monitoring for rogue insider activity and/or undetected external attacks is another strategic function that TI should regularly be performing. Knowledge of the network topology and available telemetry sources is a prerequisite, but great hunters are creative and able to produce new hunting methodologies based on pattern and anomaly recognition in single and combined data sets.
10. Just Keep Asking Yourself One Question
When it comes down to it, threat intelligence is as complicated as you want it to be. There’s always something else to test, more logs to check and new research to pore over. But while you’re doing that, you should keep asking yourself the same question: Will this help the organization stay profitable? And any time the answer is no, put it down and move on. After all, there’s plenty more where that came from.