Threat intelligence has become a near-universal component of modern cyber security strategies. According to a recent SANS CTI survey, in 2020 we saw more personnel dedicated to CTI functions than ever before, while collaboration with both internal and external teams was maintained and even improved.
And while adding threat intelligence personnel is an important step toward upgrading your security operation, it’s not enough.
Not all threat intelligence is created equal. Compared to generic insights about emerging attack vectors, targeted threat intelligence gives your teams the intelligence necessary to pre-empt and neutralize attacks before they can harm your business.
But if it were easy to bridge the gap between generic and targeted threat intelligence, every CISO would do it. To build a proactive cyber security strategy for your organization, you need to turn common challenges for threat intelligence into opportunities.
The 3 Challenges of Targeted Threat Intelligence
Information sharing can give you a feed of generic cyber threat intelligence. But achieving truly targeted threat intelligence that is specific to your industry and organization requires real-time service. That means you have to find ways to translate threat intelligence into tangible mitigation steps, overcome budget constraints, and address internal skill shortages.
The roadblocks on the path to targeted threat intelligence go beyond these common issues, though. Your ability to turn the following challenges into opportunities is critical to success.
1. Leveraging Human Expertise to Interpret Threat Data
It’s crucial to have access to the right “people skills” – those individuals who understand the context behind threats and can carry out the right processes to make threat intelligence applicable to your needs.
This is important to point out – because it often requires a combination of methods such as dark web monitoring, open-source (OSINT), machine readable (MRTI) and human intelligence (HUMINT) to fully understand which threats are targeting your organization.
Yes, the use of automation can help significantly in alerting you to IOCs in a timely manner. But ultimately you need to be able to prioritize these, match them to data across your estate so you can see whether you’re being targeted, attribute these to steps in the attacker lifecycle, and take appropriate action to mitigate the threat.
Many organizations already have automated threat intelligence enrichment that is included in their existing security controls. Yet, the processing part of the threat intelligence process – such as reverse-engineering - is often either manual or semi-automated, because of how critical this stage is.
It’s a matter of having the personnel in place to interpret information and feeds so they can disseminate them in a way that is consumable for users and allows them to take the appropriate action to protect themselves, for example:
- Identifying any vulnerabilities that a company has, which are being exploited in the wild
- Using data to proactively hunt for evidence that an attacker breached the network
- Carrying out site takedowns to protect brand reputation
- Clustering attacker TTPs associated with specific threat actors, to prioritize threat actor groups targeting a business
- Carrying out targeted attack simulation exercises based on the most likely threats
- Prioritizing relevant security and incident response controls v
2. Measuring the Value of Threat Intelligence
With threat intelligence going mainstream, there’s a common challenge that keeps teams from maximizing its potential—understanding how to leverage the information collected.
Implementing threat intelligence for the sake of keeping up with security trends can cause teams to misdirect budgets and resources. Leveraging targeted threat intelligence effectively requires a deep understanding of the value these insights bring to the organization. Whether you’re trying to identify insider threats more efficiently, put a stop to social engineering attacks, derail DDoS attacks before they occur, or eliminate supply chain risks, knowing your goals will make targeted threat intelligence more effective.
This all starts with defining requirements and KPIs up front. Having a documented approach to measurement will make it easier to track progress and prove value to key business stakeholders. A few potential threat intelligence KPIs include:
- Percentage of identified threats directly attributed to intelligence
- Instances of project re-prioritization due to threat intelligence
- Response times for threats before and after implementing intelligence
- Number of alerts generated by threat intelligence services
- Efficacy of threat intelligence feeds, including when new data is added and when it expires
3. Collecting Information from the Right Sources
When you have the right automated processes and AI-powered systems in place, it may seem like there’s no such thing as too much information. However, the key to targeted threat intelligence is just that—targeting. Make sure that you’re collecting data from high-quality, relevant sources that will deliver the insights necessary to improve overall cyber security.
Knowing what kinds of data sources you’re using is important. Are you pulling raw data? Is the data public or private? Have you gathered information from the dark web? When you’re able to gather data feeds that work specifically for your needs and minimize redundancies, you’ll be able to sustain targeted threat intelligence.
Collecting information from the right sources ultimately comes down to these four considerations:
- Data Collection Gaps: The quality of your threat intelligence data won’t matter if there are gaps between your sources. Context is crucial in targeted threat intelligence, so you need to make sure your sources overlap in a way that minimizes redundancy while maximizing coverage.
- Source Reliability:
The garbage in, garbage out principle plays a role in threat intelligence. You need to be able to trust the insights your threat intelligence program generates. Otherwise, you’ll never be able to prioritize your response plan.
- Third-Party Strategy: If you’re working with a managed service provider, do you know what their data collection strategy looks like? Don’t blindly partner with a provider. Ask questions and ensure that their data collection will lead to high-quality insights without gaps.
- Risk Profiling: A risk profile plays a crucial role in achieving targeted threat intelligence. When you understand risk within your organization, you can prioritize cyber security investments. And when risk profiles are supported by threat intelligence insights, you’ll know that you’re taking the most efficient approach to business protection.
Bringing Threat Intelligence to Your SOC
Effective threat intelligence has a lot of moving parts. But just because there are challenges doesn’t mean you have to remain content with generic insights. With the right strategy and managed threat intelligence partner, you can turn these challenges into opportunities and unlock valuable insights for your business.
If you’re looking for more tips on data collection, value measurement, and automating threat intelligence, we have a library of resources called the Cyber Hub that can help. Check out the Cyber Hub and sign up for our email newsletter so you can stay ahead of the latest news in threat intelligence.