So, with so many negatives about threat intel, why does anyone bother?
The answer is simple — threat intel data properly filtered, vetted, and reviewed by a team with appropriate skills and experience can be of greater value than any other security tool in our arsenal. The operational security team at a large medical organization I work with has regularly been able to use a number of threat intel data points to identify active but unknown threats and vulnerabilities.
The following are some ideas to help turn threat data into true threat intelligence:
1. Get the right people looking at it
Much of the value from threat intel data results from its review by qualified and experienced professionals, who have learned from experience what to ignore and what to focus on.
2. Make it industry specific
In the past few years, many information security threats have been stratified by industry. While some threats are strictly random, many are targeted at a specific area of business. As an example, the medical industry has experienced a number of targeted ransomware campaigns in recent months. We can take advantage of this stratification by seeking sources of intelligence data specific to our industry. This approach accomplishes much of the necessary filtering up front. Organizations that provide some of this intelligence, such as the sector-specific ISACs (Information Sharing and Analysis Centers), exist for many industries.
3. Keep it timely
Unlike the early days of information security, when the casual hacker ruled, we now deal with sophisticated and adaptable professional criminals. Typically, as soon as they recognize that a campaign has been discovered, they pivot to new infrastructure and techniques, so the indicators you received last month may no longer describe anything in use. As such, dated threat intel information is, if you will excuse the expression, so last week. To properly use threat data, stay focused on reviewing and acting on it shortly after receipt, and age out indicators that are no longer current.
4. Use reliable sources
Coming off a contentious election season, we have all learned the term “fake news,” with certain news outlets seeming to have more reliable news items than others. The same distinction applies to threat intelligence. There are good sources and bad ones, and it is not always obvious which is which. It takes careful observation over a period of time to learn which sources you can rely on, and which you would be better off without.
5. Review it against your activities in your environment
Threat data is especially useful when you can apply it against recent activity data from your own organization. If someone in your industry reports that a bad actor is using a particular exploit, along with the indicators that go with it (source addresses, domains, file hashes), reviewing those indicators against your organization’s recent activity can quickly reveal that the same campaign is being run against you. This approach does require a centralized repository of log information from across your company. Log consolidation systems such as Splunk include features that let you import threat intel data and quickly review it against your recent activity.
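The following is an added example, not code from the author's organization or from Splunk, showing items 3 through 5 in one pass: a small indicator feed is first trimmed to entries that are recent and come with reasonable confidence (timeliness and source reliability), and only the survivors are matched against local proxy logs. The feed names, confidence values, indicators and log lines are all constructed for the illustration (they use RFC 5737 documentation addresses and reserved `.example` names); the key=value log format is an assumption chosen to keep parsing short.

```python
"""Review vetted threat-intel indicators against local log activity.

Added illustration for this article; indicators, feed names and log
lines below are constructed samples, not real feed data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re


@dataclass(frozen=True)
class Indicator:
    value: str        # IP address or hostname, lower-cased
    kind: str         # "ip" or "domain"
    source: str       # feed name (hypothetical)
    confidence: int   # 0-100, as reported by the feed
    first_seen: datetime


# Fixed reference time so the example is reproducible; a scheduled job
# would use datetime.now(timezone.utc) instead.
NOW = datetime(2017, 3, 1, 10, 0, tzinfo=timezone.utc)

# Constructed feed contents (hypothetical sources and values).
INDICATORS = [
    Indicator("203.0.113.45", "ip", "sector-isac", 90, NOW - timedelta(days=2)),
    Indicator("invoice-update.example", "domain", "sector-isac", 85, NOW - timedelta(days=1)),
    Indicator("198.51.100.7", "ip", "public-list", 40, NOW - timedelta(days=5)),   # low confidence
    Indicator("192.0.2.10", "ip", "public-list", 95, NOW - timedelta(days=200)),   # stale
]

# Constructed proxy log lines in key=value form.
LOG_LINES = [
    "2017-03-01T08:12:44Z proxy src=10.0.4.21 dst=203.0.113.45 host=invoice-update.example action=allow",
    "2017-03-01T08:13:02Z proxy src=10.0.4.22 dst=192.0.2.200 host=example.com action=allow",
    "2017-03-01T09:40:10Z proxy src=10.0.5.3 dst=198.51.100.7 host=old.example.net action=allow",
    "2017-03-01T09:41:00Z proxy src=10.0.5.3 dst=192.0.2.10 host=archive.example action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
OBSERVABLE_KEYS = ("src", "dst", "host")


def filter_indicators(indicators, now, max_age_days=30, min_confidence=60):
    """Keep only indicators that are both timely and from a source the
    feed itself rates with enough confidence (items 3 and 4)."""
    cutoff = now - timedelta(days=max_age_days)
    return [i for i in indicators
            if i.first_seen >= cutoff and i.confidence >= min_confidence]


def extract_observables(line):
    """Pull the addresses and hostnames out of one key=value log line."""
    fields = dict(KV_RE.findall(line))
    return {fields[k].lower() for k in OBSERVABLE_KEYS if k in fields}


def match_logs(lines, indicators):
    """Return (line, indicator) pairs where an indicator value appears in
    the line's observables (item 5)."""
    by_value = {i.value: i for i in indicators}
    hits = []
    for line in lines:
        for obs in sorted(extract_observables(line)):
            if obs in by_value:
                hits.append((line, by_value[obs]))
    return hits


def report(hits):
    """Human-readable summary, one line per hit."""
    return [f"{ind.source} [{ind.kind} {ind.value}, conf={ind.confidence}] :: {line}"
            for line, ind in hits]


if __name__ == "__main__":
    vetted = filter_indicators(INDICATORS, NOW)
    print(f"{len(INDICATORS)} indicators in feed, {len(vetted)} after vetting")
    for row in report(match_logs(LOG_LINES, vetted)):
        print(row)
```

Run as-is, the unfiltered feed produces four hits, two of which come from a stale indicator and a low-confidence one; after vetting, only the two hits on the first log line remain, both tied to a recent, high-confidence sector indicator, which is the kind of result worth an analyst's time. The thresholds are starting points; the point of item 1 is that someone with experience tunes them and reads the output.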
The bottom line? Threat intelligence data can be your best friend, or can use up all of your free time to no avail. It is a great tool, but you must learn to use it effectively in a way that supports your environment.