Keeping ahead of the curve: understanding threat intelligence

In cyber security, the more information you have about potential threats against your organisation, the better equipped you are to defend against them. Threat intelligence provides exactly that information, and it has fast become an essential part of any effective security programme.

The SANS institute describes threat intelligence as ‘knowledge about security threats, threat actors, exploits, malware, vulnerabilities, and compromise indicators’. It consists of several layers – including sources, feeds, and platforms – which help organisations compile, analyse and act upon threat data. 

Sources: The raw data

Sources are the raw data for threat intelligence, which can be sorted, analysed and compiled into intelligence feeds (the second layer). For most organisations, the best approach is to combine in-house sources with commercial or public feeds. Typical in-house sources include threat analytics from a security operations centre (SOC), professional communities, security news/blogs and dark web research.

On the other hand, commercial and public feeds primarily draw from customer telemetry, the dark web, open source repositories, malware processing and manual security research and event analysis.

Feeds: Putting the pieces together

A threat intelligence feed comprises data from one or more sources, packaged up into a coherent collection. The majority of feeds tend to focus on one main area, such as botnet activity, domains or malicious IP addresses.  

The real-time nature of threat intelligence feeds means that as soon as a new threat or malicious entity is discovered, the information is packaged into the feed format and streamed to subscribers. Time is of the essence, as a subscriber's primary aim is to defend against an imminent attack before it lands.

Security professionals can use these feeds in a variety of ways. Some security tools, such as firewalls, accept feeds directly, meaning any new discovery can be immediately accounted for. Alternatively, feed data can be loaded into a Security Information and Event Management (SIEM) or User and Entity Behaviour Analytics (UEBA) solution, which can correlate threat data with internal security events and generate alerts when any relevant threats are found. Analysts can also review feed data manually; while this can be useful, it is often extremely time-consuming.

Platforms and providers: Making sense of it all

Threat intelligence platforms provide the means to compile, organise, store, analyse and compare multiple feeds simultaneously. They can then correlate these feeds against internal security events and create prioritised alerts for analysts to review. While it has many other uses, a SIEM also functions in this way. A few examples of popular threat intelligence platforms are ThreatQuotient, Anomali ThreatStream and Palo Alto Networks AutoFocus, each of which has a slightly different focus, depending on what is required by the organisation in question.
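The feed-to-SIEM correlation described in the previous section, and the multi-feed merging and prioritisation described here, can be illustrated with a small script. This is an added example, not code from the article or from any of the named platforms; the two feeds and the log lines are constructed sample data using documentation IP ranges and example domains, and the priority scheme (one point per feed that agrees, plus one if the traffic was allowed) is a simplifying assumption.

```python
import re
from collections import defaultdict

# Constructed sample feeds as (indicator_type, value, tag). Values use RFC 5737
# documentation ranges and example domains; they are not real indicators.
FEED_A = [("ip", "203.0.113.7", "botnet-c2"), ("domain", "bad.example", "phishing")]
FEED_B = [("ip", "203.0.113.7", "scanner"), ("ip", "198.51.100.9", "malware-dl")]

# Constructed firewall/proxy events in a simple key=value format.
LOGS = [
    "ts=2024-05-01T10:00:01Z src=10.0.0.5 dst=203.0.113.7 action=allow",
    "ts=2024-05-01T10:00:02Z src=10.0.0.8 dst=192.0.2.1 action=allow",
    "ts=2024-05-01T10:00:03Z src=10.0.0.5 host=bad.example action=allow",
    "ts=2024-05-01T10:00:04Z src=10.0.0.9 dst=198.51.100.9 action=deny",
]

def merge_feeds(*named_feeds):
    """Deduplicate indicators across feeds, recording which feeds and tags saw each."""
    merged = defaultdict(lambda: {"sources": set(), "tags": set()})
    for name, feed in named_feeds:
        for itype, value, tag in feed:
            merged[(itype, value)]["sources"].add(name)
            merged[(itype, value)]["tags"].add(tag)
    return merged

def parse_log(line):
    """Turn 'k=v k=v ...' into a dict of fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def correlate(logs, indicators):
    """Match dst/host fields against indicators; priority = feeds agreeing (+1 if allowed)."""
    alerts = []
    for line in logs:
        ev = parse_log(line)
        for key in (("ip", ev.get("dst")), ("domain", ev.get("host"))):
            if key[1] is None or key not in indicators:
                continue
            info = indicators[key]
            allowed = ev.get("action") == "allow"  # allowed traffic needs attention first
            alerts.append({"ts": ev["ts"], "src": ev["src"], "indicator": key[1],
                           "tags": sorted(info["tags"]),
                           "priority": len(info["sources"]) + int(allowed)})
    return sorted(alerts, key=lambda a: -a["priority"])

if __name__ == "__main__":
    merged = merge_feeds(("feed_a", FEED_A), ("feed_b", FEED_B))
    for alert in correlate(LOGS, merged):
        print(alert)
```

The alert for 203.0.113.7 ranks first because both feeds list it and the connection was allowed; the denied connection to 198.51.100.9 ranks last, which is the kind of context-based ordering that keeps analysts from being buried in raw matches.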

Threat intelligence isn’t without challenges

While threat intelligence has become increasingly important in the defence against cyber-attacks, it isn’t without its challenges. Primary examples include:

  • Data overload – Many security analysts are already drowning in data before threat intelligence is added to the mix. Without effective planning and prioritisation, the huge amount of additional data can very quickly lead to analysts becoming overwhelmed. 
  • Context – While threat intelligence often provides important security information, without the relevant context it can be meaningless. 
  • Specialist processes and skills – Feeds are not useful by themselves; they require careful analysis by trained professionals to identify actionable insights. The current global shortage of security professionals is well known, meaning many organisations struggle to recruit the people they need to make the most of threat intelligence.

Optimising threat intelligence data 

Going a stage further, modern SIEM platforms now feature numerous technologies that can help organisations make the most of threat intelligence data and mitigate the inherent challenges. Modern SIEMs are designed from the ground up to work with threat intelligence. Primarily, automation and analytics capabilities mean they can provide the most useful data, exactly when it’s needed: 

  • Automation – Automated incident response, for example, gives analysts the ability to gather data from hundreds of tools, automatically identifying incidents, cross-referencing them against threat intelligence data, and orchestrating containment and mitigation steps, significantly reducing data overload.
  • Analytics – Using analytics to identify anomalous behaviour – correlating this with threat analytics data to identify the type and source of an attack – is a huge benefit for security professionals. In the past, when carried out manually, this has taken up the majority of skilled security professionals’ time – a resource many organisations cannot afford to waste.

When utilised correctly, threat intelligence provides a wealth of invaluable information about almost every aspect of an organisation’s cyber security operations. Like any technology, it isn’t without its challenges, but many of these can now be mitigated through the use of modern SIEM platforms, leaving organisations with all of the benefits on offer and none of the drawbacks.