Understanding how data becomes intelligence is central for any successful security program

Threat intelligence is one of the hottest terms in information security at the moment. But, as with so many buzzwords, it is often overused and misused. All the buzz has created a lot of confusion.

Most of it stems from claims that threat data (aka threat feeds) is threat intelligence, when it is only a piece of the puzzle. Threat data becomes threat intelligence when the data is enriched with threat context to produce relevant, actionable information that enables organizations to better align their security and business goals.

Threat data is a raw collection of malicious domains, IP addresses, or hash values that does not provide any context on attacks or threats.

While threat data does have its use cases, its benefits are limited without context to allow security teams to make informed decisions. To properly utilize threat intelligence an organization must have a clear vision of what it seeks to achieve by introducing it into its security program. Without it, a threat intelligence program can become an expensive drain on resources and deliver little or no real value.

Data quality

While data feeds are vital to a threat intelligence program: not all sources are created equal.

While there are many sources of threat intelligence, the most common sources are: malware processing, scanning/crawling, honeypots, human intelligence, and internal telemetry. Threat intelligence is normally either provided as an open source, free resource, or a paid subscription.

To derive maximum benefit from these data sources, organizations need a good understanding of the source of their feeds, so they can evaluate the data relative to their internal intelligence.

The best feeds are updated and relayed at near real-time. Digesting old or incomplete data can lead an organization to focus on the wrong objectives which can result in data overload and alert fatigue. This is especially true in the days of cloud computing where IP addresses can be released and re-used several times a day.

Data enrichment

The key to a successful threat intelligence program is performing proper analysis of each data feed — to gain the context needed to make operational changes and secure the environment.

Incorporating threat intelligence into an existing security program can lead to disappointing results without careful planning and execution. For example, a manufacturing company incorporating threat intelligence from an FS-ISAC (financial services sector) will be unlikely to achieve their desired results; since this particular source of intelligence will have a financial services context, and is not focused on threats relevant to their industry.

Security intelligence and business goals

A fundamental for success is ensuring that the threat intelligence program aligns with business goals. The best way to do this is to assess how specific data feeds will solve security issues related to specific business operations.

Generally when an incident occurs, very little is known about its scope or severity. Knowledge is typically limited to a single alert or indicator which must be enriched with proper context and intelligence to pivot from this first event and determine the full scope of the potential incident. Such vagueness is typical of the most advanced attacks, which hide behind sophisticated coding or malware. A security team must triage and assess each event to determine its veracity and severity, in order to determine whether it warrants more attention (investigation).

During both stages, the security operations team often relies on threat intelligence to determine the possible scope of the event and its potential for damage. For example, an alert about a file may contain just a hash indicator. Manual analysis may uncover other indicators, but such analysis is time-consuming.

Using automation correctly

A better approach is to deploy an automated threat intelligence enrichment system.

While analysts can take minutes or even hours to pivot from malware analysis to indicators across the network, an automated approach can do the same work in seconds. Automated threat intelligence enrichment can be used to implement predictable and repeatable processes that are both fast and efficient. This approach also frees analysts from the tedious and error-prone task of gathering and verifying data, freeing them up for value-added analysis and threat hunting.

The goal of threat intelligence is to use data to improve security and provide greater visibility, so security staff can prioritize remediation actions based on the risks they pose to the business.

Choosing the ‘right’ data feeds is the first step, but setting up the mechanisms and workflows to mine it, enrich it and turn it into actionable intelligence are more important.