To continue our blog series on how to upgrade your threat intelligence program, we turn to part 3: leverage automation and integrations. The longer a threat goes unmitigated, the bigger the risk it poses. That’s why automation is key to an effective threat intelligence program. Using integrations and automated remediation can significantly reduce your time to mitigate threats, making your team more efficient and lowering your overall cyber risk.
Here is how organizations can leverage automation and integration to increase the overall efficiency of their threat intelligence program.
Operationalizing Your Threat Intelligence
Operationalizing your threat intelligence is a key part of a mature threat intelligence program. You may find some great solutions or services that provide you with a lot of information, some of it better than others, but you still need to have people available to take action on it. Here are some common examples of threat mitigation you can automate through integrations and policies.
Phishing is one of the most common tactics used by hackers. You may get an alert about a phishing domain or website that you want to block in your mail gateway, firewall or proxy. Having this intelligence fed directly into your security devices to automatically block that threat (instead of relying on manual blocking) will significantly reduce the incident response time. It also reduces the labor needed to manage this intelligence, which is already a scarce resource for threat intelligence teams. So any time savings you can achieve are incredibly helpful.
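The blocking integration described above, as an added example that is not part of the original post: a small script that takes a phishing-indicator feed, normalizes it into hostnames, and emits a blocklist for a proxy or mail gateway. The feed format, the confidence threshold, the staleness window and the allowlist of the organization's own domains are all assumptions; a real integration would pull from the intelligence vendor's API and push to the device's management API. The checks it applies (dedupe across case, reject malformed indicators, never block your own domains, drop stale or low-confidence entries) are the ones that keep an automated feed from becoming a self-inflicted outage.

```python
"""Turn a phishing-indicator feed into a proxy/gateway blocklist (added example)."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample feed, shaped like alerts a threat-intel service might emit.
SAMPLE_FEED = [
    {"indicator": "http://login-example.invalid/secure", "type": "url",
     "confidence": 90, "first_seen": "2024-01-10T08:00:00Z"},
    {"indicator": "Example-Bank-Login.INVALID", "type": "domain",
     "confidence": 95, "first_seen": "2024-01-10T09:30:00Z"},
    {"indicator": "example-bank-login.invalid", "type": "domain",   # same host, different case
     "confidence": 60, "first_seen": "2024-01-09T09:30:00Z"},
    {"indicator": "mail.corp.example", "type": "domain",            # our own domain: never block
     "confidence": 99, "first_seen": "2024-01-10T10:00:00Z"},
    {"indicator": "old-phish.invalid", "type": "domain",            # stale indicator
     "confidence": 80, "first_seen": "2023-01-01T00:00:00Z"},
    {"indicator": "low-conf.invalid", "type": "domain",             # below confidence threshold
     "confidence": 30, "first_seen": "2024-01-10T11:00:00Z"},
    {"indicator": "not a domain!", "type": "domain",                # malformed
     "confidence": 90, "first_seen": "2024-01-10T11:00:00Z"},
]

# Assumed allowlist: the organization's own domains, which must never be auto-blocked.
OWN_DOMAINS = {"corp.example", "mail.corp.example"}


def normalize_domain(indicator: str, ind_type: str) -> Optional[str]:
    """Reduce a URL or domain indicator to a lowercase hostname, or None if unusable."""
    if ind_type == "url":
        host = urlparse(indicator).hostname  # already lowercased by urlparse
    else:
        host = indicator.strip().lower().rstrip(".")
    if not host:
        return None
    # Reject obviously malformed hostnames rather than pushing garbage to a device.
    labels = host.split(".")
    if len(labels) < 2 or not all(
        label and all(ch.isalnum() or ch == "-" for ch in label) for label in labels
    ):
        return None
    return host


def is_allowlisted(host: str) -> bool:
    """True if host is one of our own domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def build_blocklist(feed, min_confidence=70, max_age_days=30, now=None
                    ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (sorted hosts to block, skipped entries with the reason each was skipped)."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    candidates = {}  # host -> highest confidence seen
    skipped = []
    for entry in feed:
        host = normalize_domain(entry["indicator"], entry["type"])
        if host is None:
            skipped.append((entry["indicator"], "malformed"))
            continue
        if is_allowlisted(host):
            skipped.append((host, "allowlisted"))
            continue
        first_seen = datetime.fromisoformat(entry["first_seen"].replace("Z", "+00:00"))
        if first_seen < cutoff:
            skipped.append((host, "stale"))
            continue
        candidates[host] = max(candidates.get(host, 0), entry["confidence"])
    blocked = sorted(h for h, c in candidates.items() if c >= min_confidence)
    skipped += [(h, "low confidence") for h, c in candidates.items() if c < min_confidence]
    return blocked, skipped


def render_dstdomain(hosts: List[str]) -> str:
    """One domain per line with a leading dot so subdomains match too (Squid's dstdomain convention)."""
    return "".join("." + h + "\n" for h in hosts)


if __name__ == "__main__":
    blocked, skipped = build_blocklist(
        SAMPLE_FEED, now=datetime(2024, 1, 15, tzinfo=timezone.utc))
    print(render_dstdomain(blocked))
    for item, reason in skipped:
        print(f"skipped {item!r}: {reason}")
```

Pushing the rendered list to the device is the part that differs per product; keeping the decision logic separate from the push step also makes it easy to run the script in report-only mode first and review what it would have blocked.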
Another example is taking down threats on other web properties, like social media or application stores. Let's say you identify a suspicious social media page leading to a phishing site. You'll want to engage with that social media platform to initiate a takedown of that page. This process often involves your legal department or an external law firm, which can significantly extend the time it takes to remove the page. Leveraging automation and takedown partnerships can help reduce the time and effort needed to remove external threats.
Compromised Email Credentials
Huge numbers of credentials are compromised every day through a variety of channels around the globe. The bigger your organization, the more credentials you have. Many employees use their work emails to sign up for various services and logins, which can complicate the identification and mitigation process. It's one thing to identify whether an email address has been leaked, but you also need to know whether that account is still active on your network so you can determine the impact to your organization.
Integrating this intelligence with your Active Directory helps you automatically identify compromised credentials that pose a direct threat to your organization. Furthermore, if the account belongs to an active employee, you can automatically trigger mitigation actions, like password resets, account locking or forcing a password change on the next login.
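The triage step described above, as an added example that is not from the original post: leaked-credential alerts are matched against a directory export and each account gets a mitigation decision. The breach feed, the directory export and the action names are constructed assumptions; in a real deployment the lookup would be an LDAP or Graph query and the actions would be calls into the identity system. The decision logic covers the cases a practitioner has to handle: addresses with no matching account, accounts that are already disabled, leaks that exposed only the address and not a password, passwords already rotated since the breach, and privileged accounts that warrant a lock rather than just a forced change.

```python
"""Triage leaked-credential alerts against a directory export (added example)."""
from datetime import datetime
from typing import Dict, Optional

# Constructed breach feed: addresses seen in credential dumps.
BREACH_FEED = [
    {"email": "Alice.Smith@corp.example", "source": "dump-A",
     "breach_date": "2024-02-01T00:00:00Z", "password_exposed": True},
    {"email": "alice.smith@corp.example", "source": "dump-D",     # same account, later dump
     "breach_date": "2024-02-03T00:00:00Z", "password_exposed": True},
    {"email": "bob@corp.example", "source": "dump-B",
     "breach_date": "2023-06-01T00:00:00Z", "password_exposed": True},
    {"email": "carol@corp.example", "source": "dump-A",
     "breach_date": "2024-02-01T00:00:00Z", "password_exposed": True},
    {"email": "dave@corp.example", "source": "dump-C",
     "breach_date": "2024-02-01T00:00:00Z", "password_exposed": False},
    {"email": "nobody@corp.example", "source": "dump-A",
     "breach_date": "2024-02-01T00:00:00Z", "password_exposed": True},
]

# Constructed directory export, keyed by lowercase mail address (what an AD query would return).
DIRECTORY = {
    "alice.smith@corp.example": {"sam": "asmith", "enabled": True,
                                 "pwd_last_set": "2024-01-15T00:00:00Z", "privileged": True},
    "bob@corp.example": {"sam": "bob", "enabled": True,
                         "pwd_last_set": "2023-09-01T00:00:00Z", "privileged": False},
    "carol@corp.example": {"sam": "carol", "enabled": False,
                           "pwd_last_set": "2022-01-01T00:00:00Z", "privileged": False},
    "dave@corp.example": {"sam": "dave", "enabled": True,
                          "pwd_last_set": "2023-01-01T00:00:00Z", "privileged": False},
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def decide_action(record: dict, account: Optional[dict]) -> str:
    """Map one merged breach record plus its directory account to a mitigation action."""
    if account is None:
        return "no_account"            # former employee, alias or typo: nothing to reset
    if not account["enabled"]:
        return "already_disabled"      # record it, but the account cannot be used
    if not record["password_exposed"]:
        return "notify_user"           # address only: raise phishing awareness, no reset
    # Dump publication dates often lag the actual compromise, so treat "rotated since"
    # as lower priority rather than as proof the credential is safe.
    if parse_ts(account["pwd_last_set"]) > record["breach_date"]:
        return "no_action_rotated"
    return "lock_and_reset" if account["privileged"] else "force_change_next_logon"


def triage(feed, directory) -> Dict[str, str]:
    """Merge feed entries per address (case-insensitive) and decide an action for each."""
    merged = {}
    for entry in feed:
        email = entry["email"].strip().lower()
        breach_date = parse_ts(entry["breach_date"])
        rec = merged.setdefault(
            email, {"breach_date": breach_date, "password_exposed": False, "sources": set()})
        rec["breach_date"] = max(rec["breach_date"], breach_date)
        rec["password_exposed"] = rec["password_exposed"] or entry["password_exposed"]
        rec["sources"].add(entry["source"])
    return {email: decide_action(rec, directory.get(email)) for email, rec in merged.items()}


if __name__ == "__main__":
    for email, action in sorted(triage(BREACH_FEED, DIRECTORY).items()):
        print(f"{email:30} -> {action}")
```

Every outcome, including the "no action" ones, is worth writing to a ticket or log: the non-actionable matches are what tells you how much of the feed is noise, and the privileged-account hits are the ones the on-call analyst should see first.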
Operationalizing your threat intelligence enables you to take action quickly without your team spending cycles on repetitive tasks. Instead, they can focus on strategy and more proactive threat hunting.
Stay tuned for Part 4 coming next week. If you'd like to catch up on our previous posts in this series, you can do so here:
- Part 1: Leverage Your Digital Footprint for Context and Relevancy
- Part 2: Focus on Action, Not Searching