Infosec teams face a deluge of data every day from an array of network and application sensors as well as warnings from vendor and commercial intelligence feeds. What to do with all that threat intel is a question.
The answer, says Adam Meyer, chief security strategist at SurfWatch Labs, is to put it into context so the team can act on it.
In a blog he warns CISOs that finished intelligence takes a lot of effort — in fact, he calls it a lifecycle process aimed at producing a deliverable that can be used by different groups the organization in numerous ways, depending on the level of threat intelligence.
Is that how your group approaches its job? If not, it’s not serving the enterprise very well. Sure there’s a lot of automation in your process. But, Meyer argues, that isn’t enough: There has to be analysis done by staffers to put the data into a context.
For example, Meyer’s team looks at a threat campaign through what he calls the “Avenue of Approach”, which tries to answer questions such as is there a specific organization or group the actor is going after, what vulnerability is being targeted, who is the payload being delivered, what level of presence (i.e. privileged accounts, database access, etc.) was used to carry out their attack and what is the impact (i.e. stolen IP, service downtime, etc.) caused by the attack.
The goal is to conclude what the threat is, how it works, what it targets, and what the impact is to an organization, Meyer insists. That leads to mitigation steps to help from an incident response perspective or in a risk planning and preparation manner.
“If you can not easily articulate the business benefit from your current CTI (cyber threat intelligence) efforts or have not defined them when looking to stand up a new CTI capability then you might be only collecting threat information and not conducting threat intelligence, ” Meyer warns.
Now is the time for CISOs to think about the threat intelligence their teams generate and the value it creates.