To address today’s evolving threat landscape, there’s been a shift from traditional event-driven security to intelligence-led security. Threat intelligence plays an integral role in this shift.
When you hear the term “Threat Intelligence,” it’s easy to have preconceived notions of what it means. Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” I like that Gartner’s definition does not include intent. Why? Intent implies that the “menace” is trying to target you, but we know that too often this isn’t the case. Pretty much any piece of malware out there will damage unintended targets. One example is Stuxnet. It targeted Iranian nuclear enrichment facilities. Unfortunately it escaped the purportedly air-gapped system and has been seen in at least 10 other countries. In more practical terms, threat intelligence must be:
Tactical. So threat intelligence really needs to be about threats from the outside world that are directly relevant to my organization, along with all the details about those threats. Okay, I can buy that. But once I am able to actually get this information, what do I do with it? There is too much for any one person or team to consume. It needs to be delivered in a format that can be automatically consumed and acted upon by the sentries you have deployed to protect your organization. Not the guards with the guns and whistles, but the firewalls, email security, web gateway, and intrusion prevention system. If you can’t make them smarter, so that they can learn what adversaries are doing and take action, then how is it really intelligence?
Contextual. Context really comes down to more than just a WHOIS lookup. It has to include relevance. If you operate in the financial services segment, then you need the most up-to-date information on threats that are targeting your sector and not necessarily those targeting mining operations in South Africa. Standards such as STIX and CybOX are trying to make this a reality by structuring data consistently across disparate security technologies, so that it can be correlated more easily and only the most relevant information is delivered. If you’ve never heard of these, be sure to check them out.
Automated. This may seem like a no-brainer, but I have to make the implicit explicit. Threat intelligence must continuously feed into your environment to ensure its effectiveness, and you shouldn’t have to press a button to fetch it. Automated doesn’t necessarily mean that it’s turn-key integrated, and continuous doesn’t mean every second. Something as simple as an API that allows communication to and from a device may be all you need.
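To show what “contextual” and “automated” look like in practice, here is an added example (not code from the original post or from any vendor product) that walks a constructed STIX 2.1 bundle, keeps only the indicators whose malware is recorded as targeting your sector, and turns the simple ones into blocklist entries a firewall or web gateway could consume. The bundle, its identifiers and the sector names are all constructed sample data; only the simplest single-comparison STIX patterns are translated, and anything else is reported as skipped rather than silently mistranslated.

```python
import json
import re

# Constructed STIX 2.1 bundle (sample data for this example, not a real feed).
# Context chain used for relevance: indicator --indicates--> malware --targets--> identity(sectors).
FIN, MIN = "identity--00000000-0000-4000-8000-0000000000f1", "identity--00000000-0000-4000-8000-0000000000f2"
MAL_A, MAL_B = "malware--00000000-0000-4000-8000-0000000000a1", "malware--00000000-0000-4000-8000-0000000000a2"
IND_1, IND_2, IND_3 = (f"indicator--00000000-0000-4000-8000-0000000000{n}" for n in ("11", "12", "13"))

def _rel(n, kind, src, dst):  # helper to build a STIX relationship object with a placeholder id
    return {"type": "relationship", "id": f"relationship--00000000-0000-4000-8000-0000000000{n}",
            "relationship_type": kind, "source_ref": src, "target_ref": dst}

SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000b1", "objects": [
    {"type": "identity", "id": FIN, "name": "Retail banks", "identity_class": "class", "sectors": ["financial-services"]},
    {"type": "identity", "id": MIN, "name": "Mine operators", "identity_class": "class", "sectors": ["mining"]},
    {"type": "malware", "id": MAL_A, "name": "SampleBanker", "is_family": True},
    {"type": "malware", "id": MAL_B, "name": "SampleMineRAT", "is_family": True},
    {"type": "indicator", "id": IND_1, "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.10']"},
    {"type": "indicator", "id": IND_2, "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example.net']"},
    # Compound pattern: needs a real STIX pattern engine, so it is reported as skipped, not translated.
    {"type": "indicator", "id": IND_3, "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.5' OR ipv4-addr:value = '198.51.100.6']"},
    _rel("01", "indicates", IND_1, MAL_A), _rel("02", "indicates", IND_2, MAL_B),
    _rel("03", "indicates", IND_3, MAL_A), _rel("04", "targets", MAL_A, FIN), _rel("05", "targets", MAL_B, MIN),
]})

# Only single-comparison patterns on these observable types become blocklist entries.
_SIMPLE = re.compile(r"^\[(ipv4-addr|domain-name|url):value\s*=\s*'([^']+)'\]$")

def relevant_blocklist(bundle_json, my_sectors):
    """Return (entries, skipped): entries are (observable_type, value) pairs for indicators whose
    malware targets one of my_sectors; skipped lists relevant indicator ids that were not translated."""
    objs = json.loads(bundle_json)["objects"]
    by_id = {o["id"]: o for o in objs}
    rels = [o for o in objs if o["type"] == "relationship"]
    targeted = {}  # malware id -> set of sectors it targets, from 'targets' relationships to identities
    for r in rels:
        tgt = by_id.get(r["target_ref"], {})
        if r["relationship_type"] == "targets" and tgt.get("type") == "identity":
            targeted.setdefault(r["source_ref"], set()).update(tgt.get("sectors", []))
    entries, skipped = [], []
    for r in rels:
        ind = by_id.get(r["source_ref"], {})
        if r["relationship_type"] != "indicates" or ind.get("type") != "indicator":
            continue
        if not targeted.get(r["target_ref"], set()) & set(my_sectors):
            continue  # context says this malware does not target my sector: drop it
        m = _SIMPLE.match(ind["pattern"])
        (entries.append((m.group(1), m.group(2))) if m else skipped.append(ind["id"]))
    return sorted(set(entries)), sorted(set(skipped))

if __name__ == "__main__":
    print(relevant_blocklist(SAMPLE_BUNDLE, ["financial-services"]))
```

The same function run with `["mining"]` returns only the domain entry, and with a sector the bundle never mentions it returns nothing, which is the point: the feed is the same, the relevance filter is what changes.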
Extending this “global” threat intelligence, local intelligence provides additional context and information. Based on correlations and analysis of data across your infrastructure, local intelligence makes your sentries even smarter so that they can take more informed security actions specific to your existing environment.
ESG recently wrote a paper on building an Active-Intelligence security system. It discusses the various components that you need, including forensic tools—which so often get left out of the equation until an attack happens! Be sure to check out the AMP Threat Grid pages for information on malware analysis and threat intelligence and see how others are using threat intelligence to improve their business operations.