Posted by millikan at 2020-02-27

Guide to Threat Intelligence

Tuesday, September 20, 2016

Some in the Internet world think threat intelligence is a new buzzword, but intelligence has been with us for a long time. Governments have long used it in diplomacy, on the battlefield and in counter-terrorism, and companies have applied intelligence tradecraft to gain competitive advantage and to capture market, sales and financial information. The concept of intelligence is proven.

Cyber Threat Intelligence (CTI) is the same concept, understanding actors, threats, situations, risks and the interrelationships among all these elements, but limited to the cyber domain. To extract the full value of threat intelligence and avoid the common traps, it helps to set appropriate expectations for the intelligence you receive, have implemented or plan to implement. The guidelines below cover what threat intelligence is, what it is not, and whom it serves.

Information is not intelligence

Information is certainly part of the intelligence process, but intelligence and information are different things. An indicator of compromise (IOC) is an example of information, but an IOC by itself is not intelligence. It may add detail to intelligence, but it must first be studied, analyzed and placed in context, including the company's own situation. Threat intelligence is far more than one indicator or a group of them; it applies the tradecraft of traditional intelligence to evaluate and analyze information about the intent, opportunity and capability of malicious actors. To move from information to intelligence you have to plan, collect, process, analyze and disseminate the resulting product, and that product must be specific to the company to ensure its value and relevance.

Intelligence involves assumptions and inferences, but never assume your assumptions are complete. Threat intelligence is not an exact science; it is messy. Good intelligence can greatly improve security outcomes, while bad intelligence can lead you into a ditch. So although it usually involves some degree of assumption, reaching a good judgment also requires reliable information, experience and wisdom. Intelligence analysis is usually based on imperfect or incomplete data sets. Confidence assessments (such as high, medium and low) are a good way to add context, and additional research that supports those assessments adds weight.

What intelligence gives you is more than a story. The narrative is certainly an important part, but good intelligence should provide conclusions. How does the story end? Based on the threat analysis, the environment, the risk level and the impact, what mitigations are recommended for the company to improve its position? Which assets are most at risk? Where should network defense focus? Evidence and logic must be central to the analysis that reaches a conclusion. And remember: sometimes the story develops. Information is continually updated, so when something new comes along it is particularly important to keep up and determine whether it changes or expands the story.

There's no Real-time Threat Intelligence

Real-time threat intelligence is just data. Threat intelligence requires research and analysis. Speed is certainly important, and automation plays a large role in collecting and processing intelligence comprehensively, but analysis always requires human expertise, and that takes time. Anything delivered in real time is data rather than intelligence.

Intelligence is not a platform, tool, or feed; it's a capability

Platforms, tools and feeds are ways to deliver intelligence, but creating intelligence requires a close combination of people, process and technology. Delivery certainly matters, because different users have different consumption needs, but intelligence is people (the analysts who research, interpret, analyze and deliver it, and the risk officers and operations staff who consume it), process (how intelligence is collected, processed, analyzed, delivered and consumed) and technology (used to collect data, classify it automatically, perform some degree of analysis, visualize trends, and so on).

Intelligence should be deep but concise. Even if the process of reaching a conclusion is rich in data and evidence, an intelligence report should not make the reader wade through pages of background. The report should not show off how much you know; it should focus on what the intelligence consumers need to know, help them take appropriate action, and ultimately improve the security posture. In short, intelligence should be timely and provide the support and depth that is required.

Intelligence should combine the company's own characteristics and internal data with an understanding of external events. Using only internal or only external threat intelligence illuminates one corner of the threat maze. Build the ability to compare and correlate internal and external intelligence so as to provide an accurate view of the company's risk.
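The three points above (an IOC is information rather than intelligence, confidence assessments add context, and internal and external data must be correlated) can be made concrete in code. The following is an added example, not code from the original post or from any vendor: it consolidates a constructed external indicator feed, rates confidence from the reliability and number of sources, joins each indicator against constructed internal log lines and a constructed asset inventory, and ranks the results by relevance to the company. The feed and log formats, the source reliability ratings, the asset criticalities and the scoring weights are all assumptions chosen for illustration.

```python
"""Added example: from raw indicators (information) to contextualized,
confidence-rated findings. All inputs are constructed; the feed/log formats,
source ratings, asset criticalities and weights are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_HASH = "ab" * 32  # constructed placeholder, not a real file hash

# Constructed external feed. The C2 address is reported by two sources, the
# domain by one weak source, the hash by one strong source. Bare IOCs only.
EXTERNAL_FEED = [
    {"value": "203.0.113.7", "source": "vendor-a"},
    {"value": "203.0.113.7", "source": "isac-share"},
    {"value": "update-check.example", "source": "paste-osint"},
    {"value": SAMPLE_HASH, "source": "vendor-a"},
    {"value": "198.51.100.9", "source": "paste-osint"},
]

# Analyst judgement of source reliability, encoded as weights (assumption).
SOURCE_RELIABILITY = {"vendor-a": 3, "isac-share": 3, "paste-osint": 1}
CONFIDENCE_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Constructed internal telemetry (proxy, firewall, EDR) as key=value lines.
INTERNAL_LOGS = f"""\
2016-09-20T10:01:02Z src=proxy host=fin-ws-041 dst=update-check.example action=allow
2016-09-20T10:03:15Z src=fw host=dmz-web-02 dst=203.0.113.7 action=deny
2016-09-20T10:40:00Z src=fw host=fin-ws-041 dst=203.0.113.7 action=allow
2016-09-20T11:15:00Z src=edr host=hr-lt-007 sha256={SAMPLE_HASH} action=quarantine
2016-09-20T12:00:00Z src=fw host=dmz-web-02 dst=192.0.2.55 action=deny
"""

# Constructed asset inventory: criticality 1 (low) to 3 (high).
ASSETS = {"fin-ws-041": 3, "dmz-web-02": 2, "hr-lt-007": 1}


@dataclass
class Finding:
    indicator: str
    confidence: str         # belief that the indicator is malicious
    observed_on: List[str]  # internal hosts that touched the indicator
    allowed: bool           # at least one matching event was not blocked
    max_criticality: int    # highest criticality among observed_on
    priority: int           # relevance to this company, not feed order
    recommendation: str     # starting point for the analyst, not the verdict


def parse_logs(text: str) -> List[Dict[str, str]]:
    """Parse 'timestamp key=value ...' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        rec = {"ts": ts}
        for kv in kvs:
            key, _, val = kv.partition("=")
            rec[key] = val
        records.append(rec)
    return records


def consolidate_feed(feed) -> Dict[str, set]:
    """Merge duplicate indicators so corroboration across sources is visible."""
    merged: Dict[str, set] = {}
    for entry in feed:
        merged.setdefault(entry["value"], set()).add(entry["source"])
    return merged


def confidence(sources) -> str:
    """High/medium/low from summed source reliability: two reliable sources
    agreeing outweigh a single unverified report."""
    score = sum(SOURCE_RELIABILITY.get(s, 1) for s in sources)
    return "high" if score >= 5 else "medium" if score >= 3 else "low"


def correlate(feed, logs, assets) -> List[Finding]:
    """Join external indicators with internal sightings and asset context,
    then rank by what matters to this company."""
    findings = []
    for value, sources in consolidate_feed(feed).items():
        hits = [r for r in logs if value in (r.get("dst"), r.get("sha256"))]
        hosts = sorted({r["host"] for r in hits})
        allowed = any(r.get("action") == "allow" for r in hits)
        crit = max((assets.get(h, 0) for h in hosts), default=0)
        conf = confidence(sources)
        if not hosts:
            prio = CONFIDENCE_WEIGHT[conf]  # never seen here: preventive value only
            rec = "no internal sightings; perimeter block only if confidence warrants"
        else:
            prio = CONFIDENCE_WEIGHT[conf] * crit * (2 if allowed else 1)
            rec = (f"investigate {', '.join(hosts)}: contact with indicator was allowed"
                   if allowed else "contact was blocked; verify the control and close")
        findings.append(Finding(value, conf, hosts, allowed, crit, prio, rec))
    return sorted(findings, key=lambda f: f.priority, reverse=True)


if __name__ == "__main__":
    for f in correlate(EXTERNAL_FEED, parse_logs(INTERNAL_LOGS), ASSETS):
        print(f"[{f.priority:2d}] {f.indicator:24} conf={f.confidence:6} "
              f"hosts={f.observed_on or '-'} -> {f.recommendation}")
```

Note what the ranking does and does not do: the C2 address comes out on top not because the feed said so, but because two reliable sources agree and a high-criticality finance workstation was allowed to reach it, while the hash that EDR already quarantined on a low-value laptop drops to the bottom. The recommendation field is deliberately a prompt for the analyst rather than a verdict; the automation collects, processes and contextualizes, and the judgment that turns this into intelligence is still a human step.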

Who does Threat Intelligence serve?

Finally, consider who consumes intelligence. It is not only hands-on defenders who need threat intelligence; different types of intelligence carry value and support different use cases. Traditionally, threat intelligence has been consumed mostly within the security operations center (SOC), for tactical purposes. From a broader risk management perspective, however, intelligence also helps connect the dots across the company.

Again, cyber threat intelligence is more than another set of tools or another layer of protection for the company. It is a capability that can drive more effective cybersecurity decisions and better-directed investment, and it can help the company reduce risk in many areas.