Understand the Threat Intelligence Cycle
To maximize the use of threat intelligence, it’s important to understand the threat intelligence cycle in all its phases. Planning and direction lead to the collection phase, which in turn leads to analysis, which leads to dissemination, which completes the cycle by leading back into the planning and direction phase.
Planning and Direction
It’s easy to work aimlessly if you don’t have an objective. Defining security objectives and mapping the route to achieving them is exactly what the planning and direction phase — arguably the most important phase of the cycle — is for. In this phase, team members must ask the right questions to best understand an objective, set the scope of work to be done, prioritize resources, and determine the goals, milestones and tasks to be completed along the way to the desired outcome.
This will require support from institutional management. But when this support is given, security teams can jump off the blocks and run a strong first leg before passing the baton for the second phase.
Collecting data is one thing. Gathering relevant threat intelligence data is an entirely different process, and what the collection phase is for. Generally speaking, it’s best to collect data from a wide range of internal sources (network logs, firewall logs) and external sources (open-source data feeds, solution providers), then integrate them.
It can be overwhelming to sift through sources of data about threats, vulnerabilities and indicators of compromise (IOCs) — forensic data that indicates a system or network may have been infiltrated by a cyberthreat. Across the board, however, data of interest will often include items like malware samples, URL queries, Domain Name System queries, endpoints and SaaS applications.
Just as collecting every piece of data can be an overwhelming and not necessarily useful process, analyzing every single piece of data isn’t particularly desirable, either. Data about threats, vulnerabilities and IOCs can be challenging to navigate, but a qualitative approach can make it easier. Additionally, artificial intelligence and machine learning can help by automating this analysis process. Overall, the goal is to make sense of the threat intelligence data to understand why and how an event occurred, and to provide this analysis in an unbiased and objective manner.
A full cyber analysis doesn’t do much good unless it’s delivered to the right people. That’s what the dissemination phase is for: delivering valuable and actionable complete intelligence reports to key people and teams. It’s important to remain aware of the frequency of delivery. A monthly report, for example, may not be frequent enough or may be too frequent, depending on the institution. Finding your institution’s sweet spot can go a long way toward enhancing the planning and direction phase as the threat intelligence cycle continues.
Take a Proactive Approach to Threat Intelligence
When faced with IOCs or indicators of attack (IOAs) — forensic data that indicates a system or network attack still in progress — it’s important to react accordingly. But you can’t stop there. Threat intelligence is most useful when you use it proactively. By asking and answering the questions of what happened and why with each IOC or IOA, security teams are able to use threat intelligence to turn reactivity into proactivity. By informing security practitioners about potential threats, methods, motives and vulnerabilities — threat intelligence enables institutions to plan ahead to mitigate future attacks.
Consider Threat Intelligence Management to Help Combat Challenges
In a rapidly evolving cyber world, threat intelligence isn’t a perfect, one-size-fits-all security solution. Threat intelligence has its fair share of challenges. Threat intelligence management, however, can help combat these challenges.
Palo Alto Networks’ Cortex XSOAR threat intelligence management, for example, is able to orchestrate and automate over 700 integrations, enable real-time collaboration across physically distant team members, unify threat feeds with incident alerts, and more. In doing this, Cortex XSOAR takes full control of your institution’s threat intelligence feeds and enriches every tool and process. This tool results in actionable intelligence, closing the loop between intelligence and action with playbook-driven automation and maximizing an institution’s threat intelligence program.