How is cyber threat intelligence produced? How does it work in the day to day of companies? What advantages are organizations that leverage it more likely to obtain, compared to their peers who have not yet gotten there?
In our series of articles on the topic, we aim to help you understand why this concept is fundamental. In this article we try to answer these questions. Read on!
→ Perhaps you want an introduction to the concept of threat intelligence. In this case, read this article first:
The six phases of the Threat Intelligence cycle
Cyber threat intelligence is the end product of a six-phase cycle of collecting, processing, and analyzing data. It is a cycle, not a pipeline, because new questions and knowledge gaps surface while intelligence is being developed, and these turn into new collection requirements for the next round.
In this sense, an effective intelligence program is iterative, becoming more refined over time.
To get the most value from the threat intelligence you produce, identify your use cases and define objectives before doing anything else. The six phases are described below.
1. Planning and direction
The first step to producing actionable threat intelligence is asking the right questions.
The questions that best drive the creation of actionable threat intelligence focus on a single fact, event, or activity — broad, open-ended questions are generally to be avoided.
Prioritize your intelligence objectives by factors such as how closely they align with your organization's priorities, how large the impact of the resulting decision will be, and how time-sensitive that decision is.
An important guiding factor at this stage is understanding who will consume and benefit from the final product.
You need to ask and answer:
- Will the intelligence go to a team of technically savvy analysts who need a quick report on a new exploit?
- Or to an executive who wants a broad overview of trends to inform security investment decisions for the next quarter?
2. Collection
The next step is to collect raw data that meets the requirements defined in the first phase. Draw on a wide variety of sources: internal ones, such as network event logs and past incident response records, and external ones from the open web, the dark web, and technical feeds.
Threat data is usually thought of as lists of indicators of compromise (IoCs) such as malicious IP addresses, domains, and file hashes. But it also includes less structured material: vulnerability information, leaked personally identifiable information about your customers, raw code from paste sites, and text from news sources or social media.
3. Processing
Once the raw data has been collected, it has to be turned into something analysts can work with: normalized into a common format, organized with metadata tags (source, type, confidence, first seen), deduplicated, and filtered for known false positives such as your own infrastructure showing up in an external feed.
Today even small organizations collect millions of log events and hundreds of thousands of indicators every day. That is far more than human analysts can process, so collection and processing must be automated before the data can be made sense of.
Solutions like SIEMs are a good starting point: they make structuring data relatively easy through correlation rules that can be configured for a handful of use cases, but they accept only a limited range of data types.
If you are collecting unstructured data from many different internal and external sources, you will need a more capable solution.
4. Analysis
The next step is to make sense of the processed data. The purpose of analysis is to look for potential security issues and notify the relevant teams in a format that meets the intelligence requirements outlined in the planning and direction phase.
Threat intelligence can take many forms, depending on your initial goals and target audience. The idea is to present the findings in a format the audience understands, which can range from simple threat lists to peer-reviewed reports.
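To make the collection, processing and analysis phases concrete, here is an added example (not code from the original article): a minimal Python pipeline that ingests indicators from two constructed sources, refangs and normalizes them, tags each with its source, deduplicates while keeping the highest confidence and merging provenance, drops an allowlisted false positive, and then matches what remains against constructed proxy log lines. The feed format, field names, confidence scores, allowlist, threshold and log lines are all assumptions made for illustration.

```python
"""Toy threat-intelligence pipeline: collect -> process -> analyze.

Added example, not from the original article. Every feed, indicator,
allowlist entry and log line below is constructed for illustration.
"""
import re

# Constructed "external" feed (hypothetical format): type,indicator,confidence.
# Indicators are defanged the way public feeds often are.
FEED_A = """\
domain,evil-updates[.]example,90
ipv4,203.0.113.45,70
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,95
domain,Evil-Updates[.]example,60
"""

# Constructed "internal" source: indicators lifted from past incident notes.
FEED_B = [
    ("domain", "evil-updates.example", 80),
    ("ipv4", "198.51.100.7", 50),
    ("domain", "cdn.corp.example", 40),   # known false positive: our own CDN
]

# Known-benign values maintained by the team; anything listed is dropped.
ALLOWLIST = {"cdn.corp.example"}

# Constructed proxy log lines: "<timestamp> <src_ip> <dst_host> <dst_ip>"
PROXY_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 www.corp.example 192.0.2.10
2024-05-01T10:00:04Z 10.0.0.12 evil-updates.example 203.0.113.45
2024-05-01T10:00:09Z 10.0.0.31 cdn.corp.example 192.0.2.20
2024-05-01T10:01:15Z 10.0.0.44 mail.example 198.51.100.7
"""


def refang(value: str) -> str:
    """Undo common defanging ("[.]", "(.)", "hxxp") and normalize case."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.strip().lower()


def collect(feed_a_text, feed_b_rows):
    """Collection: pull raw indicators from every source and tag each with
    source metadata so provenance survives the later phases."""
    raw = []
    for line in feed_a_text.splitlines():
        ioc_type, value, conf = line.split(",")
        raw.append({"type": ioc_type, "value": value,
                    "confidence": int(conf), "source": "feed_a"})
    for ioc_type, value, conf in feed_b_rows:
        raw.append({"type": ioc_type, "value": value,
                    "confidence": conf, "source": "incident_notes"})
    return raw


def process(raw, allowlist):
    """Processing: normalize values, drop known false positives, and
    deduplicate, keeping the highest confidence and the union of sources."""
    merged = {}
    for ioc in raw:
        key = (ioc["type"], refang(ioc["value"]))
        if key[1] in allowlist:
            continue
        entry = merged.setdefault(key, {"type": key[0], "value": key[1],
                                        "confidence": 0, "sources": set()})
        entry["confidence"] = max(entry["confidence"], ioc["confidence"])
        entry["sources"].add(ioc["source"])
    return merged


def analyze(indicators, proxy_log, min_confidence=60):
    """Analysis: match processed indicators against internal telemetry and
    emit one finding per hit that clears the confidence threshold."""
    by_value = {v["value"]: v for v in indicators.values()
                if v["confidence"] >= min_confidence}
    findings = []
    for line in proxy_log.splitlines():
        ts, src, host, dst = line.split()
        for field, observed in (("dst_host", host), ("dst_ip", dst)):
            hit = by_value.get(observed)
            if hit:
                findings.append({"ts": ts, "src_ip": src, "field": field,
                                 "matched": observed,
                                 "confidence": hit["confidence"],
                                 "sources": sorted(hit["sources"])})
    return findings


def run_pipeline():
    """Run all three phases over the constructed inputs."""
    indicators = process(collect(FEED_A, FEED_B), ALLOWLIST)
    return indicators, analyze(indicators, PROXY_LOG)


if __name__ == "__main__":
    _, findings = run_pipeline()
    for finding in findings:
        print(finding)
```

Two design points are worth noting. The duplicate domain appears three times across both sources with different casing and defanging; after processing it is a single indicator with confidence 90 and both sources attached, which is exactly the provenance an analyst needs when writing the report. The internal CDN hostname is discarded at processing time rather than at analysis time, so it never generates a finding, and the low-confidence IP (50) is kept in the indicator set but does not fire because the analysis threshold is 60.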
5. Dissemination
The finished product is then distributed to its intended consumers. For threat intelligence to be actionable, it has to reach the right people at the right time.
It also needs to be traceable, so that there is continuity between one intelligence cycle and the next and nothing that was learned is lost.
Use a ticketing system that integrates with your other security tools to track each phase of the cycle: each new intelligence request becomes a ticket that can be opened, worked on, reviewed and closed by people on different teams.
6. Feedback
The final phase closes the cycle, which is why it is so closely tied to the initial planning and direction phase.
After receiving the finished intelligence product, the original requester reviews it and decides whether their questions have been answered. That verdict shapes the objectives and procedures of the next cycle, which is why documentation and continuity are essential.
How is threat intelligence being handled in your company? To go deeper into the concept, download the eBook we have just released!