Page 305
Threat Intelligence
Understanding adversary tactics, techniques, and procedures allows organizations to make better-informed choices about defensive security investments. Threat intelligence concerns itself with approaches that facilitate the generation, sharing, and consumption of data about adversaries. Threat intelligence generation focuses on documenting the details of adversary activities in a way that enables rapid communication and use of that data. Standard means of describing and formatting threat intelligence become vital when these details must be communicated rapidly and at scale.
Consumption of threat intelligence consists of receiving, analyzing, and incorporating the details into an organization’s security operations. Again, standards-based approaches to structuring threat intelligence have proven vital in facilitating the ready integration of threat intel.
Threat Feeds
Not every organization has the time, skill, or staffing level required to engage in robust threat intelligence generation. Further, even if an organization possesses threat intel generation capabilities there will still be a need to leverage threat intelligence generated externally. Threat feeds provide a third-party source of threat intelligence. Threat feeds come in many shapes and sizes. They might be free or exorbitantly expensive. Threat feeds might be available only to verified organizations operating within a particular industry or available to the public. Naturally, the quality and sophistication of the intelligence can also vary drastically.
Information Sharing and Analysis Centers (ISACs)
For many organizations, Information Sharing and Analysis Centers (ISACs) can serve as a valuable source of threat intelligence that is more directly related to the organization’s industry. ISACs exist for many different business sectors and generally require organizations to apply for membership. ISACs provide a non-public means of sharing intelligence related to the particular ISAC’s industry.
Threat Hunting
Ideally, threat intelligence is received in time to put proactive protection and detection measures in place before an organization encounters the particular threat pattern. However, the ideal case will not always be the actual case. For this reason, threat intelligence guided detection, known as threat hunting, is another prominent use case of threat intelligence. Threat hunting involves organizations looking for indicators of intrusions or adversary activities without having a specific reason to believe they will be found, or having overlooked such a reason. This approach to detection can complement the more traditional alert-driven detection most commonly employed by security operations.
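The following is an added example, not code from the page, that ties the consumption side described earlier to a threat hunt: it takes a feed in a standards-based format and sweeps existing logs for the observables it carries. The feed is a constructed STIX 2.1-style bundle (an assumption, since the page names no concrete standard), and every identifier, address, hash and log line is made up for the example. It keeps only indicators a simple matcher can act on, records why revoked or compound ones were skipped, and anchors each match on token boundaries so a partial address does not produce a false hit.

```python
"""Added example: consume a standards-formatted indicator feed and hunt for
its observables in logs. Not from the page; the feed format is a STIX 2.1-style
bundle chosen as an assumption, and every identifier, address, hash and log
line below is constructed."""
import json
import re
from typing import Dict, List, Tuple

# Constructed feed. Indicator patterns use the single-comparison STIX form
# "[object:property = 'value']"; one is revoked and one is compound on purpose.
FEED_JSON = r'''{
  "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
  "objects": [
    {"type": "identity", "spec_version": "2.1", "id": "identity--22222222-2222-4222-8222-222222222222",
     "created": "2024-01-10T00:00:00.000Z", "modified": "2024-01-10T00:00:00.000Z",
     "name": "constructed feed producer", "identity_class": "organization"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000001",
     "created": "2024-01-10T00:00:00.000Z", "modified": "2024-01-10T00:00:00.000Z",
     "name": "constructed C2 address", "pattern_type": "stix", "valid_from": "2024-01-10T00:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.45']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000002",
     "created": "2024-01-10T00:00:00.000Z", "modified": "2024-01-10T00:00:00.000Z",
     "name": "constructed staging domain", "pattern_type": "stix", "valid_from": "2024-01-10T00:00:00Z",
     "pattern": "[domain-name:value = 'update.example.invalid']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000003",
     "created": "2024-01-10T00:00:00.000Z", "modified": "2024-01-10T00:00:00.000Z",
     "name": "constructed dropper hash", "pattern_type": "stix", "valid_from": "2024-01-10T00:00:00Z",
     "pattern": "[file:hashes.'SHA-256' = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000004",
     "created": "2024-01-10T00:00:00.000Z", "modified": "2024-02-01T00:00:00.000Z", "revoked": true,
     "name": "constructed address, later withdrawn", "pattern_type": "stix", "valid_from": "2024-01-10T00:00:00Z",
     "pattern": "[ipv4-addr:value = '198.51.100.9']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000005",
     "created": "2024-01-10T00:00:00.000Z", "modified": "2024-01-10T00:00:00.000Z",
     "name": "constructed compound pattern", "pattern_type": "stix", "valid_from": "2024-01-10T00:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.77' AND network-traffic:dst_port = 4444]"}
  ]
}'''

# Constructed log lines from a proxy, a DNS resolver and an endpoint agent.
# Line 3 carries the hash in upper case; line 5 carries a near-miss address.
LOG_LINES = [
    r"2024-02-01T08:02:11Z proxy src=10.0.0.5 dst=203.0.113.45 host=cdn.example.invalid bytes=4821",
    r"2024-02-01T08:03:40Z dns client=10.0.0.7 query=update.example.invalid rcode=NOERROR",
    r"2024-02-01T08:05:02Z edr host=ws-17 file=C:\Users\a\Downloads\inv.pdf sha256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
    r"2024-02-01T08:06:19Z proxy src=10.0.0.9 dst=198.51.100.9 bytes=120",
    r"2024-02-01T08:06:55Z proxy src=10.0.0.9 dst=203.0.113.4 bytes=77",
    r"2024-02-01T08:07:00Z dns client=10.0.0.7 query=www.example.com rcode=NOERROR",
]

# Only the single-comparison pattern shape is handled here; anything else is
# reported as needing a full pattern engine rather than silently ignored.
SIMPLE_PATTERN = re.compile(
    r"^\[(?P<obj>[a-z0-9-]+):(?P<prop>[^\s=]+)\s*=\s*'(?P<val>[^']*)'\]$")


def load_indicators(bundle_json: str) -> Tuple[List[Dict], List[str]]:
    """Return (actionable indicators, reasons each remaining indicator was skipped)."""
    bundle = json.loads(bundle_json)
    active, skipped = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # identities, relationships, etc. carry no observables
        if obj.get("revoked"):
            skipped.append(f"{obj['id']}: revoked by the producer")
            continue
        if obj.get("pattern_type") != "stix":
            skipped.append(f"{obj['id']}: unsupported pattern_type {obj.get('pattern_type')}")
            continue
        m = SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if not m:
            skipped.append(f"{obj['id']}: compound pattern needs a full pattern engine")
            continue
        active.append({"id": obj["id"], "name": obj.get("name", ""),
                       "observable": f"{m['obj']}:{m['prop']}", "value": m["val"]})
    return active, skipped


def hunt(indicators: List[Dict], log_lines: List[str]) -> List[Dict]:
    """Retrospective sweep: report every log line containing an indicator value."""
    hits = []
    for ind in indicators:
        # Anchor on non-token characters so 203.0.113.4 does not match 203.0.113.45;
        # case-insensitive so hex digests match regardless of the logger's casing.
        needle = re.compile(r"(?<![\w.])" + re.escape(ind["value"]) + r"(?![\w.])", re.IGNORECASE)
        for lineno, line in enumerate(log_lines, start=1):
            if needle.search(line):
                hits.append({"line": lineno, "indicator": ind["id"],
                             "name": ind["name"], "value": ind["value"]})
    return hits


def main() -> None:
    indicators, skipped = load_indicators(FEED_JSON)
    for reason in skipped:
        print("skipped:", reason)
    for hit in hunt(indicators, LOG_LINES):
        print(f"line {hit['line']}: {hit['name']} ({hit['value']})")


if __name__ == "__main__":
    main()
```

Running it lists the two skipped indicators and then three hits (the address on line 1, the domain on line 2 and the hash on line 3); the withdrawn address on line 4 and the near-miss address on line 5 produce nothing. In practice the skipped list is worth reviewing by hand, since a compound pattern often describes exactly the behaviour a hunter should be looking for.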