How do you put all the threat intelligence components together?
Welcome to the latest edition of our ongoing blog series, Threat Intelligence for the 99%. In the last two editions of our series, we’ve looked at cyber threat intelligence (CTI) feeds and tools and discussed how to identify and implement the right ones for your organization.
This week, we’re taking a deep dive into how to stitch all the pieces needed for a comprehensive and effective CTI program together. As we’ve said many times in this series, this process is not for the faint of heart and it takes skill and perseverance. But if you do it right, your organization could reap significant benefits.
Integrating cyber threat intelligence into your gear
At this point, you’ve gone through the process of determining the feeds and tools you need for your CTI program. You’ve got some data, you’ve gone through the manipulation process and now you want to do the thing that got you started in the process to begin with: take that data and turn it into action for your organization.
First Action: Feed this information into your gear through your integrations. You want to push it to your firewall, intrusion detection system, file integrity management, web proxy and other systems. The good news is, your gear probably already has mechanisms to consume this information. If it doesn’t, you probably have problems deeper than we can get into in this series.
Second Action: Integrate this information with your security information and event management (SIEM) systems and response processes. There’s a big debate about whether you should start with SIEM or not. SIEM can help tell you if bad things got through your perimeter, both in the present and in the past. You may find you’ve already been infected or bad things are currently running through your system.
At this point, you have introduced intelligence into your prevention, detection and response environments. You now have intelligence to action.
CTI governance and reporting
So now that you’ve got action, there’s another critical piece for continuing success: you need a strong information governance policy and a procedure by which you ensure your program is doing what it needs to do for you. This should include:
- Checking your feeds and ensuring they’re not stale
- Checking your tools for efficacy and making sure they’re updated and running
- Checking in on your enrichment process so that’s all square, too.
Doing this kind of stuff isn’t cheap. You’re talking at least six figures. And to justify that kind of expense, you will be required to provide executive reporting back to the organization. Otherwise you’ll be getting lots of questions about why you spent so much on this.
My advice is to stick to no more than one to three metrics to prove your program is working. The one I’ve often used can be described as “feed to action time.” This is a measurement of the timespan of when an indicator enters your feed and that data turns into actionable intelligence for your business. It’s a great way to demonstrate the efficacy of your program. It shows the process is working in protecting your environment.
You can provide metrics on how many bad things you’ve blocked, but to me that doesn’t provide a tremendous amount of value. Simply by having a public IP address, you’re guaranteed to be attacked pretty much constantly. It’s a FUD (fear, uncertainty, doubt) tactic to just show how many times you’ve stopped attacks. I would prefer driving executive reporting on time to value, not FUD.
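The “feed to action time” metric described above, worked through as an added example (not code from the original post): each indicator is logged once when it enters the feed and once when a control starts enforcing it, and the script reports the median and worst case in minutes plus any indicators that were ingested but never actioned. The event records and the `ingested`/`actioned` labels are constructed for illustration.

```python
from datetime import datetime, timezone
from statistics import median

# Constructed sample records: (indicator id, event kind, UTC timestamp).
# "ingested" = indicator entered the feed; "actioned" = a control began enforcing it.
EVENTS = [
    ("ioc-1", "ingested", "2024-03-01T08:00:00Z"),
    ("ioc-1", "actioned", "2024-03-01T08:45:00Z"),
    ("ioc-2", "ingested", "2024-03-01T09:10:00Z"),
    ("ioc-2", "actioned", "2024-03-01T12:10:00Z"),
    ("ioc-3", "ingested", "2024-03-01T10:00:00Z"),  # never actioned: a gap to report
    ("ioc-4", "ingested", "2024-03-02T00:00:00Z"),
    ("ioc-4", "actioned", "2024-03-02T00:30:00Z"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def feed_to_action(events):
    """Return ({indicator: minutes from ingest to action}, [indicators never actioned])."""
    ingested, actioned = {}, {}
    for ioc, kind, ts in events:
        t = parse_ts(ts)
        if kind == "ingested":
            ingested[ioc] = min(t, ingested.get(ioc, t))  # earliest sighting wins
        elif kind == "actioned":
            actioned[ioc] = min(t, actioned.get(ioc, t))  # first enforcement wins
    minutes, unactioned = {}, []
    for ioc, t_in in ingested.items():
        # An action logged before the ingest time is a clock or logging error, not a result.
        if ioc in actioned and actioned[ioc] >= t_in:
            minutes[ioc] = (actioned[ioc] - t_in).total_seconds() / 60
        else:
            unactioned.append(ioc)
    return minutes, sorted(unactioned)


def summarize(minutes):
    """Executive-report figures: how many indicators reached action, median and worst case."""
    vals = sorted(minutes.values())
    if not vals:
        return {"count": 0, "median_min": None, "max_min": None}
    return {"count": len(vals), "median_min": median(vals), "max_min": vals[-1]}


if __name__ == "__main__":
    per_ioc, gaps = feed_to_action(EVENTS)
    print(summarize(per_ioc), "never actioned:", gaps)
```

The unactioned list is the governance signal: an indicator that sits in the feed without reaching any control is the kind of staleness the checks in the next section are meant to catch.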
Sharing threat intelligence information with the world
Now that you’ve gone through this entire process of acquiring threat intelligence feeds and tools, gathering your data, pushing it to gear and reporting it back to your organization, you might be starting to feel a bit altruistic. I might suggest sharing what you find with the world.
If you’re at this point in your journey, and you’re doing real cyber threat intelligence, you should share. The internet is a scary, dangerous place. The only way we’re going to protect it is as a group. It’s the herd immunity concept: the more people are inoculated against a problem, the less likely it is to spread.
The intelligence industry came up with the concepts of Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) to provide a standard nomenclature and taxonomy for exchanging this information. When you want to share what you’ve found with your peer groups, you’ll most likely be producing that intelligence in STIX and distributing it over TAXII feeds.
Consulting your legal team before turning this information loose is imperative. You can’t just post this stuff on the web without considering factors like attribution, liability and coverage from the government. Make sure that you're not divulging intellectual property that's unique to you and that you have good information governance in place so you’re sanitizing the data correctly and you're not putting customer data in there.
Also, understand the nature of the relationship you have when it comes to sharing CTI. In my experience, sharing with the US government tends to be a one-way deal. Most of the time things go in and nothing comes back. You will be better off in a smaller peer group sharing model, because they are more likely than the government to provide you useful information.
Now, with all these tasks complete, you’ve built your CTI program. Kudos!
The next edition of our series will be the last one where we provide you key takeaways on building your CTI program.
Want to learn more about how to boost your threat intelligence program? Come see us at RSA Conference at the Moscone Center in San Francisco at Booth 935 from March 4-8.