
4 Things You May Be Doing Wrong with Threat Intelligence

It’s one of the biggest buzzwords in cyber security and it’s also likely the most misunderstood.

Organizations of all sizes try to implement threat intelligence as part of a comprehensive cyber defense and risk management program. Yet, all too often, their efforts come up short, impeding their ability to defend against malware, ransomware, hackers and other unforeseen threats.

Let’s take a closer look at four common mistakes organizations are making — along with advice on how to get back on track.

Mistake No. 1: Improperly Defining Threat Intelligence

Threat intelligence has become one of the biggest buzzwords in cyber security. It’s also probably the most misunderstood. Plenty of organizations say, “I want threat intelligence,” without understanding what it is and how they should use it.

The problem is that many enterprises don’t understand the distinctions between data, information and threat intelligence. If I give you an IP address, that’s data. If I give you an IP address with details about a threat attached to it based on research, that’s information. But if I give you an IP address that puts associated threats in context, including the adversaries associated with it and their motivations, that’s threat intelligence. Understanding threats at that level of detail, even when the reported activity has not touched their own networks, helps decision-makers move from a reactive posture to a proactive one as they address threats that haven’t yet hit them.

Threat intelligence needs to be aligned to an organization’s unique security needs. For example, due to the need for high availability and strong control of patient data, and HIPAA (Health Insurance Portability and Accountability Act) compliance concerns, healthcare organizations must prioritize intelligence on ransomware attacks. Financial organizations are primarily concerned with cyber criminals stealing money, while manufacturing companies’ primary fear is the theft of trade secrets. Recognizing the areas of highest organizational risk and matching them to relevant threat intelligence is the first step in creating a threat intelligence program that ensures the best use of resources.

Mistake No. 2: Hiring the Wrong People

The next mistake organizations make is hiring people with the wrong backgrounds to run their threat intelligence organizations. Companies must recognize that different security professionals are suited for different security tasks, and hire accordingly.

There’s a big difference between the skills needed to be in charge of incident response and those required to run threat intelligence. Someone trained in incident response often works in a hair-on-fire environment where the primary focus is “Put it out now, now, now!” That’s great when you’re under attack, but it doesn’t work as well for the measured approach required to create threat intelligence. The two jobs require different methodologies for approaching problems. Think of it as the difference between an emergency room doctor and a general practitioner. Working in incident response is like working in an emergency room where you’re dealing with immediate, life-threatening problems, while someone working in threat intelligence is like a general practitioner who takes the time to research specific problems to keep her patients healthy, and to figure out longer-term solutions to them.

Hiring someone with a background in intelligence, particularly cyber intelligence, to head up a threat intelligence program will help to ensure that, from day one, the organization has a leader who understands traditional intelligence standards and practices, as well as how to interpret intelligence and apply that knowledge effectively to improve defenses and reduce organizational risk.


Mistake No. 3: Failing to Identify Target Audiences

Too often, threat intelligence organizations don’t fully identify the internal stakeholders who could make more informed decisions or operate more effectively with the benefit of threat intelligence deliverables. There are three primary levels of intelligence that could benefit a wide range of internal stakeholders: strategic, operational and tactical. Each of these audiences requires different messaging and delivery methods.

Strategic intelligence is often most valuable to C-suite executives, including CEOs and Chief Information Security Officers (CISOs). These deliverables provide high-level information about business risks as they relate to a given threat, but not nitty-gritty details about every single threat. Executives need to know about long-term security trends that might require significant changes to their organizations, such as how they are structured, funded and insured.

The operational audience in the Security Operations Center (SOC) needs intelligence about persistent and emerging threats and trends, such as how malware is evolving and what new threats are on the horizon. Overall, they’re looking for information to help them most effectively apply resources and manpower to keep the organization safe, now and in the future.

The tactical users, members of the SOC staff, need specific indicators of compromise (IOCs), such as virus signatures, IP addresses, and the URLs and domain names of botnet control servers, so they can apply them to defensive systems to keep the organization safe and respond to attacks quickly. It is vital to identify both internal and external customers for the threat intelligence team, and to develop a suite of reports designed to meet the needs of each level.
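The following is an added example, not code from the post or from Symantec, showing the two ideas above in working form: the data / information / intelligence tiers from Mistake No. 1 expressed as how much context an indicator carries, and the tactical use of IOCs described here, matched against proxy log lines and then rolled up into an operational view per adversary. The feed, the log lines, the adversary name HYPOTHETICAL-GROUP-1 and the hash are all constructed; addresses come from RFC 5737 documentation ranges and the domains use reserved example names.

```python
"""Constructed example: apply a small, context-tagged IOC set to proxy log lines."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Indicator:
    """One IOC plus whatever context the feed supplied.

    kind:                   "ip", "domain", "url" or "sha256"
    threat:                 what the indicator is tied to (data becomes information)
    adversary, motivation:  who is behind it and why (information becomes intelligence)
    """
    kind: str
    value: str
    threat: Optional[str] = None
    adversary: Optional[str] = None
    motivation: Optional[str] = None

    @property
    def tier(self) -> str:
        """Classify the indicator by the amount of context attached to it."""
        if self.adversary and self.motivation:
            return "intelligence"
        if self.threat:
            return "information"
        return "data"


# Constructed placeholder, not a real sample hash.
FAKE_SHA256 = "1" * 64

# Constructed feed. The adversary name is invented for the example.
FEED = [
    Indicator("ip", "198.51.100.23"),
    Indicator("domain", "update-check.example", threat="botnet command-and-control"),
    Indicator("url", "http://files.example.net/inv.zip", threat="ransomware loader",
              adversary="HYPOTHETICAL-GROUP-1", motivation="financial gain"),
    Indicator("sha256", FAKE_SHA256, threat="ransomware payload",
              adversary="HYPOTHETICAL-GROUP-1", motivation="financial gain"),
]

# Constructed proxy log lines in a simple key=value format (values contain no spaces).
LOGS = [
    "ts=2024-05-01T08:12:03Z src=10.0.0.14 dst=203.0.113.10 host=www.example.com url=http://www.example.com/",
    "ts=2024-05-01T08:13:44Z src=10.0.0.9 dst=203.0.113.7 host=cdn.update-check.example url=http://cdn.update-check.example/beacon",
    f"ts=2024-05-01T08:15:01Z src=10.0.0.21 dst=203.0.113.50 host=files.example.net url=http://files.example.net/inv.zip sha256={FAKE_SHA256}",
    "ts=2024-05-01T08:16:30Z src=10.0.0.14 dst=198.51.100.23 host=198.51.100.23 url=http://198.51.100.23/",
]


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def indicator_hits(ioc: Indicator, event: dict) -> bool:
    """Return True when the event matches the indicator.

    Domain indicators match the host and its subdomains, but a plain substring
    test is avoided so that 'evil-example.com' does not match 'example.com'.
    """
    if ioc.kind == "ip":
        return event.get("dst") == ioc.value
    if ioc.kind == "domain":
        host = event.get("host", "").lower()
        return host == ioc.value or host.endswith("." + ioc.value)
    if ioc.kind == "url":
        return event.get("url") == ioc.value
    if ioc.kind == "sha256":
        return event.get("sha256", "").lower() == ioc.value
    return False


def match_logs(feed, logs):
    """Tactical output: one alert per (event, indicator) pair, carrying the indicator's context."""
    alerts = []
    for line in logs:
        event = parse_line(line)
        for ioc in feed:
            if indicator_hits(ioc, event):
                alerts.append({
                    "ts": event["ts"], "src": event["src"],
                    "indicator": f"{ioc.kind}:{ioc.value}",
                    "tier": ioc.tier, "threat": ioc.threat,
                    "adversary": ioc.adversary, "motivation": ioc.motivation,
                })
    return alerts


def adversary_summary(alerts):
    """Operational output: which internal hosts have touched each adversary's infrastructure."""
    summary = {}
    for alert in alerts:
        key = alert["adversary"] or "unattributed"
        summary.setdefault(key, set()).add(alert["src"])
    return {adversary: sorted(hosts) for adversary, hosts in summary.items()}


if __name__ == "__main__":
    hits = match_logs(FEED, LOGS)
    for hit in hits:
        print(hit)
    print(adversary_summary(hits))
```

Run as a script, the block prints four alerts and a per-adversary summary. The `tier` field on each alert shows the analyst how much the feed actually told them: the bare IP hit is data the SOC can block but not reason about, the C2 domain hit is information, and the loader URL and payload hash hits are intelligence that already point to a motivation and therefore a likely next move.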

Mistake No. 4: Not Investing Enough in a Threat Intelligence Program

Quite simply, building and sustaining a robust threat intelligence capability requires a substantial investment. For most organizations, this is not a problem where “we have a guy that does that” should instill much confidence. Compounding the challenge, securing funding for a robust threat intelligence capability using traditional IT metrics proves nearly impossible.

Thinking about the return on investment for threat intelligence requires a mental shift away from traditional security appliances. Instead of judging a security device by the number of detections it generates, threat intelligence is more appropriately measured against the tremendous amount of time, money and embarrassment that may be saved by having the right intelligence about threats. Threat intelligence bolsters your ability to understand and dodge threat actors before an attack occurs, or to quickly identify and contain threats by knowing the threat actor’s likely next move.


About the Author

AJ Nash

Intelligence Services Manager

A.J. Nash is the Intelligence Services Manager for Symantec’s Managed Adversary Threat Intelligence (MATI) team, serving as liaison between clients and the MATI team of analysts and researchers.
