Threat Intelligence In Practice

May 11, 2016

Threat Intelligence is a long con, requiring more planning, preparation, and a longer window of interaction with the target (i.e., hacker) to execute effectively. It's a lot like one of my favorite movies, The Sting, where Robert Redford and Paul Newman play a long con to exact revenge for the death of a friend. To pull off the con, Redford and Newman brought together a large network of sources, had multiple data sets of information, and acted on those, coordinating dozens of personnel to act in a specific way at a specific time to make the con perfect.

Being able to collect, process, and act on information is Threat Intelligence.

My previous post outlined the challenges in developing a Threat Intelligence capability for an organization. Cutting through product hype and selecting a Threat Intelligence solution is the easy part; it’s the ongoing effort required to deploy an effective Threat Intelligence capability that is challenging and most often overlooked. Threat Intelligence takes a lot of time to cultivate, because it’s a combination of technology, process, people, and culture. Given these complexities, organizations need to invest to develop the experience and methods to properly understand and react to threats. None of this is easy to hear when you have a limited budget or are in a results-oriented environment.

The purpose of this post is to highlight the aspects of Threat Intelligence that are important to the decision makers: application.

I will show the three levels of Threat Intelligence that exist in the current marketplace and provide examples of how Threat Intelligence can be applied in different business environments and under different budgetary considerations. These examples are not all-encompassing, but they will show how each business can leverage Threat Intelligence to its advantage.

Threat Intelligence in Business

None of these examples is ‘one size fits all’; what is appropriate for one Small Business may not be appropriate for another. These examples establish a baseline capability to develop and support Threat Intelligence for each business case. The examples below are frameworks that outline some methods that each business type may adapt to its environment, or, at the very minimum, hopefully fire up the neurons to get people thinking in the right state of mind about what Threat Intelligence is and how to properly apply it to their business model.

Small Business

Small Business, by definition, does not have the same capital as a large or medium business; hence it will never be able to properly deploy a full-scale Threat Intelligence capability. This does not mean there is nothing for a small business to do; on the contrary, there are multiple ways to apply Threat Intelligence that are specific to each network.

That said, here are a few steps to get a Small Business started:

1. Know your network

Identify each device connected to your network and understand the information it contains.

2. Perform good network hygiene

Ensure all patches are applied regularly and set policies and procedures for how the network should be used.

3. Install anti-virus

This becomes more important when you centrally manage the anti-virus to ensure each system is updated in a timely manner.

4. Review logs and investigate

Most systems have internal logging mechanisms which should be reviewed periodically. Each item of interest should be investigated to ensure a potential network breach is not present.

These steps will get a Small Business started on the path to a Threat Intelligence capability. However, what I have outlined is not Threat Intelligence.

The important takeaway here is to monitor your environment and investigate incidents. When you investigate consistently you start to understand your network and see patterns emerge; patterns that will identify when something is a normal part of your network or an outlier. That is the basis of Threat Intelligence.

Medium Business

This is where Threat Intelligence starts to get more interesting, as medium-sized businesses have more resources to tackle threats and will generally have a more mature program. This is the start of a true Threat Intelligence capability that can protect an organization’s network.

A medium-sized business should perform the steps outlined for a Small Business, but it also has the capability to deploy additional resources on the network to give better insight. These resources are both technology and people oriented.

One of the biggest challenges for organizations - especially medium-sized businesses - is to cut through the marketing hype that touts Threat Intelligence as being solely a technical solution. While technology is a foundational component, ultimately the technology only provides data, while the people provide the intelligence. A Medium Business can deploy both people and technology to their advantage. Whether it is through the deployment of network sniffing tools or endpoint protection mechanisms, a Medium Business can better understand the network and the traffic traversing their internal and external network nodes.

On top of that, a Medium Business should also:

1. Establish a Team

A one- to four-person team to analyze, investigate, and react to situations as they present themselves. The best scenario would be to have one experienced professional leading the team and recommending additional resources as required.

2. Training

Training is an important aspect to any cybersecurity group. There is no good way to elaborate on training requirements in the limited space of this post. However, certifications and formal training are necessary to have an effective cybersecurity team. Cybersecurity evolves, and requires cybersecurity personnel to stay up to date and well informed.

3. Establish Processes

A cybersecurity team requires processes to ensure the most efficient methods for the protection of the network. The most important process is incident response and handling. Understanding what occurs on your network, and how to properly assess the associated data, contributes the most valuable information to a Threat Intelligence program.

Large Business

A Large Business has the most capital to invest and the most experience to create a good Threat Intelligence foundation. Most Large Businesses already have some method of network analysis deployed, as well as some rudimentary investigatory capability. Threat Intelligence in a large business begins with either an appliance from a major vendor or a subscription to Threat Intelligence information, or both.

Despite these investments, a gap often exists in how the information from Threat Intelligence feeds is applied to the business environment. Unlike small or medium-sized businesses, a large organization may have multiple offices across the globe that follow their own procedures and processes, make their own local technology decisions, and operate with some degree of autonomy.

It is imperative to identify each device on the network and understand how the network is employed by its users to identify normal patterns of behavior so an organization can then identify and react to threats (i.e. abnormal patterns).
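As an added example (not code from the original post), the baselining idea above and the gap between feed data and the local environment, in Python: a baseline of normal (host, user, source) logins is built from constructed sshd-style log lines, and today's lines are then flagged as never seen before, off-hours, or matching a constructed feed indicator. Hostnames, users, addresses, the log format and the feed value are all assumptions.

```python
# Added example, not code from the original post: build a baseline of "normal"
# from constructed log lines, then flag outliers and hypothetical feed matches.
import re
from collections import Counter

# Constructed sample lines (sshd-style format assumed); not real data.
BASELINE_LOGS = """\
May 01 08:01:10 web1 sshd[100]: Accepted publickey for deploy from 10.0.0.5
May 01 08:05:33 web1 sshd[101]: Accepted publickey for deploy from 10.0.0.5
May 02 09:12:03 db1 sshd[200]: Accepted password for dba from 10.0.0.7
May 03 08:03:41 web1 sshd[102]: Accepted publickey for deploy from 10.0.0.5
""".splitlines()
TODAY_LOGS = """\
May 10 08:02:15 web1 sshd[300]: Accepted publickey for deploy from 10.0.0.5
May 10 03:14:07 db1 sshd[301]: Accepted password for dba from 198.51.100.23
May 10 03:15:22 db1 sshd[302]: Accepted password for root from 198.51.100.23
""".splitlines()
FEED_IPS = {"198.51.100.23"}  # hypothetical feed indicator, constructed placeholder
LINE_RE = re.compile(r"^\w{3} \d{2} (\d{2}):\d{2}:\d{2} (\S+) sshd\[\d+\]: "
                     r"Accepted \w+ for (\S+) from (\S+)$")

def parse(line):
    """Return (hour, host, user, src_ip), or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hour, host, user, src = m.groups()
    return int(hour), host, user, src

def build_baseline(lines):
    """Count each (host, user, src_ip) triple seen in the baseline window."""
    return Counter(rec[1:] for rec in map(parse, lines) if rec)

def triage(lines, baseline, feed_ips, work_hours=range(7, 20)):
    """Flag events that are new to this network, off-hours, or on the feed.
    Findings are (reason, host, user, src_ip); feed hits sort first because
    that is the one thing the external feed adds to your own baseline."""
    findings = []
    for rec in map(parse, lines):
        if rec is None:
            continue
        hour, host, user, src = rec
        if src in feed_ips:
            findings.append(("feed-match", host, user, src))
        if (host, user, src) not in baseline:
            findings.append(("never-seen-before", host, user, src))
        if hour not in work_hours:
            findings.append(("off-hours", host, user, src))
    return sorted(findings, key=lambda f: f[0] != "feed-match")
```

The routine login on web1 produces nothing, so an analyst's queue contains only the db1 logins that are new, off-hours, and on the feed.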

Takeaways for Large Businesses

1. Invest in Threat Intelligence Tools 

There are two types of Threat Intelligence tools: appliances and subscriptions.

A Large Business may have the capacity to do both, but if that capacity does not exist, how does one choose? The simple answer would be space in a data center, as an appliance will require it while a subscription will not.

The selection of a Threat Intelligence tool should only be based on two things: price and relevance.

Price is an easy thing to understand and is constrained by the budget for cybersecurity expenses. Relevance is defined by the scope of information provided by the threat provider. Every threat provider has different sources, so the information may not be sufficient, depending on the selected provider. This process may be hit and miss, but it is important to understand that if the selected threat provider does not provide the proper information, a change may be necessary.

2. Big Data

Use big data tools, like Splunk, to ingest log data from different monitoring solutions, develop standard threat dashboards specific to your organization, and design a new process to query log data and investigate events. Big Data solutions complement monitoring and analysis capabilities by pulling together islands of threat information in your network in a cohesive manner.

3. Build a Dedicated Team 

A Large Business, much like a Medium Business, can build a dedicated Threat Intelligence group. The advantage, like always, is the resources available to build a larger Threat Intelligence group. While there is not an exact science to determine the size, the Threat Intelligence team should be based on the amount of data which needs to be evaluated. It all depends on the skill level of the people and the amount of malicious activity on the network.

4. Information Sharing Processes

Beyond the incident response processes discussed for a Medium Business, the next level of processes forms around how information is shared, both internally and externally to the business.

A proper Threat Intelligence environment will recognize that the only way to keep pace with the threat landscape is by sending and receiving information with other Threat Intelligence organizations. Internal sharing must be done between business units to disseminate information in an effort to make the whole business aware of the threats and issues which pertain to the network.

5. Governance

Establish a Governance Board for Threat Intelligence to include:
- Stakeholders: COO, CIO, CISO, Regional Directors, etc.
- Structure: Centralized, Decentralized, Hybrid
- Scope: define standards, share threat information/case studies/learnings.



This post is authored by Derek Christensen, Director of Cybersecurity at Idenhaus Consulting. 