Putting Threat Intelligence into Action
One of the most compelling components of modern security operations is threat intelligence. The practice of compiling relevant, actionable data and turning that information into the organization’s cyber-defense protections has protected enterprises across the spectrum. Making threat intelligence a reality, however, is an entirely different matter. A proper program can be difficult to implement, and once implemented, if it is not focused on valuable information, it can become ineffective.
Attacks come in waves and in a wide range of varieties. Attackers leverage both cutting-edge and everyday techniques to infiltrate targets and extract information. That is not really news, but what is interesting is that attackers often have to stack and scale attacks for the sake of efficiency, timeliness, and effect. A typical attack chain looks like this:
- Step 1: Conduct reconnaissance
- Step 2: Find vulnerabilities
- Step 3: Exploit
- Step 4: Remove data
- Step 5: Clean tracks or re-infection (optional)
Most cyber-security tools are reactive: they respond to actions and threats only after detecting them. But what if the chain of events could be stopped anywhere before the fourth (most damaging) step? That is where threat intelligence comes in.
By using a tool such as Threat Intelligence Platform, a security team can assign a score to suspicious sources. Threat intelligence can be applied throughout an organization’s environment, but it is most powerful at points of egress, including messaging and application gateways.
Threat data vs threat intelligence
Organizations that rely on simple, traditional security tools alone regularly fail to secure their networks against malicious cyber activity. Note that threat data differs subtly but tactically from threat intelligence. Threat data is a tremendous informational resource that helps many organizations better protect their environments. Subscription models provide the latest shared security information about known threats, giving subscribers data on what to block and what to look out for. You will find things like:
- Malicious websites;
- Malicious domains;
- IP addresses/blocks that should be blocked;
- Threat behavior information, etc.
Threat intelligence, on the other hand, adds a contextual element to the security picture. In threat intelligence, information is culled from a variety of sources, both internal and external. That data is then analyzed and used strategically by the organization’s defenses. What this means is that relevant information from throughout the organization’s specific environment becomes part of the security ecosystem.
Putting Threat Intelligence Together
One of the core tenets of a security program is the identification, risk classification, and protection of key core assets: the “crown jewels”, if you will. It makes sense, then, to protect the whole system of assets with an approach that takes in the totality of the environment, both internal and external. Sources of information include:
- External threat information (open source, proprietary, security research, reputation lists);
- Internal log files (system, network, DNS, security systems, firewall, etc.);
- SIEM integration;
- Service desk history;
- Audit information (file and account);
- Internal research (incident investigation, deployment).
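The distinction drawn above, between a bare indicator feed (threat data) and indicators correlated with internal context such as DNS and firewall logs, asset classification and egress behaviour (threat intelligence), as an added example that is not code from the original article or from Threat Intelligence Platform. The feed entries, the key=value log format, the host names and the scoring weights are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed threat data feed: bare indicators of the kind a subscription delivers, no context.
THREAT_DATA = {
    "domains": {"evil-updates.example", "login-verify.example"},
    "ip_blocks": [ipaddress.ip_network(b) for b in ("203.0.113.0/24", "198.51.100.7/32")],
}
# Constructed internal logs in a hypothetical key=value format: DNS resolver and egress firewall.
DNS_LOG = """\
2024-05-01T10:01:02Z dns host=ws-042 query=evil-updates.example answer=203.0.113.45
2024-05-01T10:01:09Z dns host=ws-042 query=cdn.example.org answer=192.0.2.10
2024-05-01T10:02:30Z dns host=srv-db1 query=login-verify.example answer=198.51.100.7
"""
FW_LOG = """\
2024-05-01T10:01:03Z fw host=ws-042 dst=203.0.113.45 dport=443 action=allow bytes=5120000
2024-05-01T10:02:31Z fw host=srv-db1 dst=198.51.100.7 dport=443 action=allow bytes=2048
2024-05-01T10:03:00Z fw host=ws-099 dst=192.0.2.10 dport=443 action=allow bytes=900
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse(log):
    """Yield the key=value fields of each log line as a dict."""
    return (dict(KV.findall(line)) for line in log.splitlines() if line.strip())

def in_listed_block(ip):
    """True if the address falls inside any IP block on the feed (CIDR-aware, not string match)."""
    return any(ipaddress.ip_address(ip) in net for net in THREAT_DATA["ip_blocks"])

def score_hosts(dns_log=DNS_LOG, fw_log=FW_LOG, crown_jewels=("srv-db1",)):
    """Correlate feed indicators with internal context; return {host: [score, reasons]}.
    Illustrative weights: listed-domain lookup 2, allowed egress to a listed block 3,
    large outbound transfer (the attack chain's step 4) +3, crown-jewel asset +4."""
    hits = defaultdict(lambda: [0, []])
    for ev in parse(dns_log):
        if ev["query"] in THREAT_DATA["domains"]:
            hits[ev["host"]][0] += 2
            hits[ev["host"]][1].append(f"resolved listed domain {ev['query']}")
    for ev in parse(fw_log):
        if ev["action"] == "allow" and in_listed_block(ev["dst"]):
            h = hits[ev["host"]]
            h[0] += 3
            h[1].append(f"allowed egress to listed block {ev['dst']}:{ev['dport']}")
            if int(ev["bytes"]) > 1_000_000:
                h[0] += 3
                h[1].append(f"large outbound transfer, {ev['bytes']} bytes")
    for host in hits.keys() & set(crown_jewels):
        hits[host][0] += 4
        hits[host][1].append("crown-jewel asset involved")
    return dict(hits)  # hosts that matched no indicator are absent, as with plain threat data
```

Running `score_hosts()` on the constructed logs ranks srv-db1 (9) above ws-042 (8) even though ws-042 moved far more data, because the crown-jewel classification is part of the context; the feed alone would have reported only two indicator matches with no priority between them.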
A powerful asset
As you enable security teams by putting threat intelligence into action, Threat Intelligence Platform (TIP) becomes an indispensable tool. TIP enables security teams to investigate security incidents, suspicious traffic and suspicious behavior, and to validate the security of networks and applications.
Once the organization couples threat intelligence with the information and knowledge that TIP applies, it achieves a better defense of network-based assets.
Whether in the heat of an attack or during preparation, the analysis of source information through Threat Intelligence Platform helps create a shared awareness and vigilance built on reputation, suspicious registrant information, and more. Being better informed means better protection and actionable, informed decisions.