Cyber Threat Intelligence (CTI) is a hot buzzword in the world of cybersecurity. Many enterprise organizations are beginning to build out a dedicated threat intelligence program, focused on proactively identifying and hunting cyber threats before they are carried out as an attack. This has become an increasingly important function within a cybersecurity organization, but as is the case with any new solution, there are a variety of challenges.
In this blog series, we'll outline 6 strategies that organizations can use to upgrade their threat intelligence program, and share video clips from a recent webinar we hosted.
Part 1 focuses on using your digital footprint to bring relevancy and context to your intelligence.
Threat Intelligence Challenges
Data, information and intelligence are not all the same. There’s definitely no shortage of cybersecurity and incident data out there. There are tons of feeds, information and reports, and as a result, there is a lot of noise for cybersecurity teams to process.
The problem with ingesting data feeds and IOCs is that this information is usually generic. Simply getting a list of IPs or domains that are “malicious” or “bad” without any context doesn’t provide you with much value, and usually requires your team to research further. For your intelligence to be useful, it must contain context and help your team understand how it relates to your organization and what steps should be taken to mitigate the threat.
The challenge is turning this data and information into relevant and actionable intelligence. Cybersecurity teams are usually understaffed and underfunded, meaning employees need help prioritizing and processing security alerts. Your team should be working smarter, not harder, and the right intelligence can help them do that.
Applying Context and Relevancy
When it comes to threat feeds and alerts, most organizations don’t get the context and relevancy they need. In the best case, you may be able to tie an alert back to a specific piece of malware, threat actor or industry, but even that is too generic to be useful and generates a lot of noise for your team to process.
To make threat intelligence relevant, you need to know how that threat applies to your organization and your customers. Instead of hearing about a new malware campaign in general, I’d rather know about new malware being written to attack my organization. Instead of learning about a generic DDoS attack, I’d rather know about an attack against one of my domains.
This kind of intelligence is much more valuable because it helps me identify issues that directly impact my organization and helps me proactively prepare for and mitigate the threat.
So how do you apply this relevancy and context to your threat intelligence?
Using your digital footprint, you can make your intelligence much more relevant and actionable. Your digital footprint consists of your company’s various external-facing digital assets, including your different domains, IPs, brand names, social media accounts, and any other digital property that could be used as an attack vector.
Once you have these digital assets mapped, you can apply them to your various threat feeds and reconnaissance activities for relevancy and context. For example, if one of your employee logins is posted on a paste site, you’ll want to know so that you can change the password for that account. Or if there’s a new Facebook page impersonating your brand and/or company name, you’ll want to be alerted so that you can request a takedown from Facebook.
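As an added illustration (not code from the original post), the routine below applies a constructed digital footprint (two domains, one IP range, one brand name) to a mixed feed of generic items and keeps only those that overlap it, attaching the reason and the follow-up action the paragraph describes; every asset and feed value is a constructed example.

```python
import ipaddress
import re
from collections import namedtuple
# Constructed digital footprint for a hypothetical organization (not real assets).
FOOTPRINT = {
    "domains": {"example-corp.com", "examplecorp.net"},
    "ip_ranges": [ipaddress.ip_network("203.0.113.0/24")],  # documentation range
    "brands": {"examplecorp"},
}
# Digits commonly swapped for letters in lookalike names.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# kind is "credential", "ip", "domain" or "social_page"; source is the feed it came from.
FeedItem = namedtuple("FeedItem", "kind value source")
def normalize(name):
    """Lowercase, fold common digit-for-letter swaps, drop punctuation."""
    return re.sub(r"[^a-z0-9]", "", name.lower().translate(_HOMOGLYPHS))

def relevance(item, footprint=FOOTPRINT):
    """Return (relevant, reason, action) for one generic feed item."""
    if item.kind == "credential":
        domain = item.value.rpartition("@")[2].lower()
        if domain in footprint["domains"]:
            return True, f"leaked login on corporate domain {domain}", "reset password, check for reuse"
    elif item.kind == "ip":
        addr = ipaddress.ip_address(item.value)
        for net in footprint["ip_ranges"]:
            if addr in net:
                return True, f"{addr} is inside owned range {net}", "investigate host for compromise"
    elif item.kind in ("domain", "social_page") and item.value.lower() not in footprint["domains"]:
        label = normalize(item.value)
        for brand in footprint["brands"]:
            if brand in label:
                return True, f"uses brand '{brand}' but is not an owned asset", "verify impersonation, request takedown"
    return False, "no overlap with digital footprint", "deprioritize"

def triage(items, footprint=FOOTPRINT):
    """Split a feed into footprint-relevant items (with context) and generic noise."""
    relevant, noise = [], []
    for item in items:
        hit, reason, action = relevance(item, footprint)
        (relevant if hit else noise).append((item, reason, action))
    return relevant, noise
# Constructed sample feed: generic indicators mixed with ones that touch the footprint.
SAMPLE_FEED = [
    FeedItem("credential", "jdoe@example-corp.com", "paste site"),
    FeedItem("credential", "someone@unrelated.org", "paste site"),
    FeedItem("ip", "203.0.113.42", "botnet C2 list"),
    FeedItem("ip", "198.51.100.7", "botnet C2 list"),
    FeedItem("social_page", "facebook.com/Examp1e-Corp-Support", "social monitoring"),
    FeedItem("domain", "examplecorp-login.com", "newly registered domains"),
]
```

Running `triage(SAMPLE_FEED)` returns four relevant items (the corporate credential, the owned IP on a C2 list, the lookalike social page and the brand-bearing domain) and two generic ones to deprioritize.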
This context enables faster and more specific security action, which greatly increases the value of your threat intelligence.
Not all intelligence is created equal. Generic alerts and security “noise” can overwhelm your team and distract you from the real issues. Being able to focus on the specific threats and risks that target your organization helps you respond to threats faster and more appropriately, while enabling your team to operate more efficiently. Your team is only as good as their intelligence; make sure you are leveraging your digital footprint to provide them with contextualized and relevant threat intelligence.
Stay tuned for parts 2 through 6 in the coming weeks.
Want to read more on how cybercriminals target digital footprints in their attacks?