Turn Threat Data Into Threat Intelligence

Threat intelligence has now been a favorite of the information security industry now for some time.

It is a powerful concept, let someone else deal with an attack or exposure, and use their experience to prevent the same problem in your organization. Since there are free sources for a tremendous amount of such data, it seems like a great deal.

The great deal is not always as good as it seems, however. Threat intelligence information is quite often wrong or misleading. As has been mentioned, "These are the threats that keep me awake at night," a Vermont electric utility, responding to intelligence information in a US government joint forces statement, called in the FBI to investigate what turned out to be an employee’s innocent attempt to read their email on Yahoo.

Unvetted threat intel is a bit like getting raw data feeds about the stock market. Responding to such data, you may be the next investment millionaire, or you could completely lose your shirt. You need to filter through it to eliminate the useless portions, and carefully weigh the balance.

As Malcovery Security said in a blog some months ago, most of what the industry refers to as threat intelligence is really just threat data. It is just a list of data elements, full of noise and false positives. Until the intelligence part is applied to this data feed, it is fairly useless, or even worse, may lead to false conclusions.

According to Mark Orlando in his presentation to the RSA Security Conference in 2015, raw threat intel data is highly commoditized, has poor quality control, a short shelf life, and promotes a false sense of awareness.

So, with so many negatives about threat intel, why does anyone bother?

The answer is simple, threat intel data properly filtered, vetted, and reviewed by a team with appropriate skills and experience can be of greater value than any other security tool in our arsenal. The operational security team at a large medical organization I work with has been able regularly to use a number of threat intel data points to identify active but unknown threats and vulnerabilities.

The following are some ideas to help turn threat data into true threat intelligence:

Get the right people looking at it

Much of the value from threat intel data results from its review by qualified and experienced professionals, who have learned by experience what to ignore, and what to focus on.

Make it industry specific

In the past few years, many information security threats have often been stratified by industry. While some threats are strictly random, many are targeted to a specific area of business. As an example, the medical industry has experienced a number of targeted ransomware threats in recent months. We can take advantage of this stratification by seeking sources of intelligence data specific to our industry. This approach accomplishes much of the necessary filtering up front. Organisations exist for many industries that can provide some of this intelligence.

Keep it timely

Unlike the early days in information security, where the casual hacker ruled, we now deal with sophisticated and adaptable professional criminals. Typically, as soon as they recognize that their campaigns have been discovered, they quickly pivot their attacks. As such, dated threat intel information is, if you will excuse the expression, so last week. To properly use threat data, stay focused on reviewing and acting on it shortly after receipt.

Use realizable sources

Coming off of a contentious elections season, we have all learned the term "fake news," with certain news outlets seeming to have more reliable news items than others. The same distinction applies to threat intelligence. There are good sources and bad ones, and it is not always obvious which is which. It takes careful observation over a period of time to learn what sources you can rely on, and which you would be better off without.

Review it against your activities in your environment

Threat data is especially useful when you can apply it against recent activity data from your own organization. If someone in your industry reports that a bad actor is using a particular exploit, reviewing it against your organisation's recent activity can quickly help you discover that the same exploit is being used against you. This approach does require a centralised repository of log information from across your company. Log consolidation systems such as Splunk, include features that allow you to import threat intel data, and quickly review it against your recent activity.

Automate it

Taking the above comparison to logs of your recent activities one step further, it is often possible to automate the receipt and processing of threat data, such that an alert is generated when a high value match has been found.

Stay on top of it

It is easy to get mired in a large amount of inbound data. Recognise its potential value, and stay with it. Constantly refine your processes so that you can use the data more effectively with fewer man hours.

The bottom line? Threat intelligence data can be your best friend, or can use up all of your free time to no avail. It is a great tool, but you must learn to use it effectively in a way that supports your environment.

Computerworld

 

« Facebook’s Shifting Attitude To Controversy
Technology Will Demolish Slow Internet Speeds »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Synovum

Synovum

Synovum was formed with the intention to provide high quality advice, consultancy, training and project management services to clients in all sectors of industry.

FlashRouters

FlashRouters

FlashRouters offers DD-WRT compatible router models with improved performance, privacy/security options, and advanced functionality.

CybergymIEC

CybergymIEC

CybergymIEC is a global leader in cyber defense solutions and training services.

Honeynet Project

Honeynet Project

The Honeynet Project is a leading international non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools.

STM

STM

STM provides system engineering, technical support, project management, technology transfer and logistics support services for the Turkish Armed Forces.

RiskXchange

RiskXchange

RiskXchange's cybersecurity risk rating solution helps businesses solve complex cybersecurity and compliance challenges by providing a 360-degree view of your cybersecurity posture.

Beauceron Security

Beauceron Security

Beauceron's cloud-based platform gives employees a powerful personal cyber-risk coach empowering them to improve their cybersecurity practices and behaviours.

Cyber Skyline

Cyber Skyline

Cyber Skyline is a revolutionary cloud platform to practice, develop, and measure your team's technical cybersecurity skills.

Bleam Cyber Security

Bleam Cyber Security

Bleam is a leading provider of Managed Cyber Security Services and Information Security consulting. We deliver enterprise class security services to UK SME’s to stop data breaches.

Panacea Infosec

Panacea Infosec

Panacea Infosec is a leading provider of information security compliance services. We help our clients in protecting their data, reducing security risks and fighting cybercrime.

MAXXeGUARD Data Safety

MAXXeGUARD Data Safety

MAXXeGUARD: The High Security Shredder. MAXXeGUARD easily destroys hard disks up to the highest security levels as well as other digital data carriers like SSD’s, LTO’s, USB’s, CD’s etc.

Panther Labs

Panther Labs

Panther’s mission is to make security monitoring fast, flexible and scalable for all security teams.

GrayMatter

GrayMatter

GrayMatter provides Advanced Industrial Analytics, OT Cybersecurity, Digital Transformation and Automation & Control services to clients across the U.S. and Canada.

Digital Security by Design (DSbD)

Digital Security by Design (DSbD)

Digital Security by Design is an initiative supported by the UK government to transform digital technology and create a more resilient, and secure foundation for a safer future.

SignMyCode

SignMyCode

SignMyCode is a one-stop shop for trusted and authentic code signing solutions to safeguard software.

SecureDApp

SecureDApp

SecureDApp is a blockchain security company that specialises in offering comprehensive security solutions to companies operating in the web3 space.