Expert Tips for Effective Actionable Threat Intelligence

Organizations today cannot depend solely on reactive security practices, as cyber threats continue to evolve in both frequency and complexity. It is now essential that organizations take a proactive approach to identifying, understanding, and responding to their risk exposure from emerging threats. That is where actionable threat intelligence fits in. Actionable threat intelligence is much more than raw data or generic alert information: it provides the context, relevance, and direction security professionals need to make informed decisions and act effectively on the information provided.

This article will review some best practice approaches experts use to take advantage of actionable threat intelligence to help their respective organizations stay ahead of their current and future cyber risks.

The Importance of Actionable Threat Intelligence

Actionable threat intelligence is about applying threat information that can actually be acted upon. Most traditional threat information does little to help security professionals identify a risk or respond to it quickly. Actionable threat intelligence goes further: beyond identifying a risk, it analyzes that risk in detail, identifies the specific vulnerabilities associated with it, and specifies the concrete actions required to mitigate it. This lets organizations prioritize threats by their expected negative impact on the organization’s assets (people, processes, technology, etc.) and so make the best use of limited security resources.

In addition, a recent survey conducted by the Ponemon Institute revealed that organizations using actionable threat intelligence reduced their average time to detect and contain security breaches by approximately 40%. This research also supports the role of actionable intelligence in reducing the overall financial loss from cybercrime and in helping an organization keep operating normally while it is under attack.

Building a Solid Foundation: Data Collection and Validation

The first important aspect of actionable threat intelligence is building a complete picture of your organization’s potential vulnerabilities by gathering data from both inside and outside the organization. Data can come from many places, including your organization’s own logs, dark web monitoring, open source intelligence (OSINT), and commercial threat feeds. While it is crucial to gather as much data as possible, not every piece of data has equal value. Security personnel therefore need to assess each piece of data collected and eliminate noise, that is, non-relevant data, before focusing on identifying and assessing the most critical threats to their organization.

Security professionals recommend using automation to handle the initial volume of data and to sort and correlate it. Automation excels at processing large volumes of data quickly. However, even when automation is used to analyze and correlate the data, a security professional must still verify the relevance and validity of the results. It is also recommended that security professionals regularly review the intelligence sources and correlation rules in use. These reviews help ensure that only data that is relevant, and that has been validated by either the automation or a security professional, feeds into decision-making.

Contextualization: Making Intelligence Relevant

One common problem with threat intelligence programs is failing to tailor the data to the organization’s situation. Good threat intelligence must take into account the organization’s assets, its weaknesses, and its risk level. For instance, a vulnerability in a system is not a big deal if that system is not in use on the organization’s network.

To make threat intelligence more useful, security teams should:

  • Make sure the intelligence matches what the organization cares about, like keeping systems safe or protecting customer information.
  • Connect threats and weaknesses to the organization’s assets, how it works, and who it relies on.
  • Regularly update lists of assets and risk assessments to reflect changes in technology and the business.

By making threat intelligence specific, organizations can stop wasting time on alerts that don’t matter and focus on what really needs attention.

Operationalizing Threat Intelligence: From Insight to Action

The ultimate value of actionable threat intelligence lies in its operationalization. Intelligence must not only inform, but drive tangible action across the security lifecycle. Threat intelligence should be integrated into the core security processes of incident response, vulnerability management, and security awareness training. One best practice is to define specific, formalized procedures for processing and reacting to high-priority intelligence. If intelligence indicates an imminent phishing campaign against the organization’s executives, the security team should immediately implement email filtering rules, inform the affected users, monitor for signs of compromise, and so on. Actionable threat intelligence must also be integrated into existing security controls, including firewalls, endpoint detection and response (EDR), security information and event management (SIEM), and automated playbooks. While automation can significantly reduce the time required to react to identified threats, these integrations must be reviewed and updated regularly to ensure they remain relevant and effective against new or evolving threats and continue to meet changing business needs.

Collaboration and Information Sharing

Organizations cannot operate in a vacuum. The ability of an organization to share actionable threat intelligence among trusted partners, both within the industry and with various levels of government, will help to better defend all organizations collectively.

Sharing threat intelligence is most effectively accomplished through information sharing and analysis centers (ISACs), which provide venues for organizations to exchange threat data, attacker tactics, and mitigations, or through other venues specific to each type of organization. Organizations wishing to collaborate need secure methods for sharing sensitive information while protecting members’ privacy. This is best done through formal agreements that specify standardized formats such as STIX/TAXII, so that the data exchanged is compatible.
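As an added example that is not part of the original article, the following Python script shows the contextualization step from the previous section applied to the exchange format named here: it reads a constructed STIX 2.1 bundle (standing in for what a TAXII feed would deliver), keeps only vulnerability objects whose affected product appears in a constructed asset inventory, and ranks the rest by CVSS, asset criticality and exposure. The `x_` custom properties, the asset names, the CVE placeholders and the weights are all assumptions of the example, not real data.

```python
import json

# Constructed asset inventory for the example (not a real organization's data).
ASSET_INVENTORY = {
    "acme-vpn":    {"exposure": "internet", "criticality": 3},
    "payroll-app": {"exposure": "internal", "criticality": 3},
    "dev-wiki":    {"exposure": "internal", "criticality": 1},
}

# Constructed STIX 2.1 bundle standing in for a TAXII feed. The "x_" properties
# are custom properties invented for this example; the CVE names and object ids
# are placeholders, not real identifiers.
STIX_BUNDLE_JSON = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "vulnerability", "id": "vulnerability--00000000-0000-4000-8000-000000000002",
         "name": "CVE-PLACEHOLDER-0001", "x_affected_product": "acme-vpn", "x_cvss": 9.8},
        {"type": "vulnerability", "id": "vulnerability--00000000-0000-4000-8000-000000000003",
         "name": "CVE-PLACEHOLDER-0002", "x_affected_product": "legacy-cms", "x_cvss": 9.0},
        {"type": "vulnerability", "id": "vulnerability--00000000-0000-4000-8000-000000000004",
         "name": "CVE-PLACEHOLDER-0003", "x_affected_product": "dev-wiki", "x_cvss": 5.3},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "name": "phishing sender domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'payroll-login.example']",
         "valid_from": "2024-01-01T00:00:00Z"},
    ]
})

# Internet-facing assets get double weight: the same flaw is more urgent there.
EXPOSURE_WEIGHT = {"internet": 2.0, "internal": 1.0}

def prioritize(bundle_json, inventory):
    """Rank vulnerability objects by relevance to the inventory.
    Returns (kept, dropped): kept is [(cve, product, score)] high to low,
    dropped counts items for products not deployed here (noise)."""
    kept, dropped = [], 0
    for obj in json.loads(bundle_json)["objects"]:
        if obj["type"] != "vulnerability":
            continue  # indicators go to the SIEM/EDR path, not this ranking
        asset = inventory.get(obj.get("x_affected_product"))
        if asset is None:
            dropped += 1  # not in the asset inventory: not actionable for us
            continue
        score = obj["x_cvss"] * asset["criticality"] * EXPOSURE_WEIGHT[asset["exposure"]]
        kept.append((obj["name"], obj["x_affected_product"], round(score, 1)))
    kept.sort(key=lambda row: row[2], reverse=True)
    return kept, dropped

if __name__ == "__main__":
    ranked, noise = prioritize(STIX_BUNDLE_JSON, ASSET_INVENTORY)
    print(ranked, f"({noise} item(s) dropped as not relevant to this environment)")
```

The highest-CVSS item is not automatically first: the item for a product the organization does not run is dropped entirely, and the remaining ones are ordered by where they sit in this environment.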

Finally, organizations should identify threat intelligence communities relevant to their industry or geographic location and participate in them. These communities typically alert members to emerging attacks using new techniques or campaigns before those attacks occur.

Measuring the Impact of Threat Intelligence Programs

To continue being effective and relevant, organizations need to continually evaluate how their actionable threat intelligence programs are performing.

To evaluate performance, the organization needs to track several different types of metrics, including:

  • Time to detect and respond to security breaches
  • Reduction in false alarms (alert fatigue) and in the number of non-actionable alerts
  • Number of threats stopped or reduced thanks to timely intelligence
  • User participation in, and feedback from, security awareness programs that use intelligence

Feedback loops are essential for continuous improvement. After an incident, security teams should review what happened, determine what went wrong, and identify where better information would have allowed them to act sooner. These lessons help organizations improve their collection, adjust their response procedures, and train their analysts. Applying them iteratively makes incident handling more effective and the intelligence more actionable.

Overcoming Common Challenges

Implementing threat intelligence is worthwhile, but it is not easy. Common problems include an overwhelming volume of threat intelligence, a shortage of skilled people to do the job, difficulty making all the systems involved work together, and stakeholders in the organization who do not see it as important.

To address these challenges, experts recommend the following:

  • Focus on the quality of threat intelligence rather than its quantity
  • Keep educating and training the analysts who work the threats so they can improve at their jobs
  • Automate repetitive tasks so that people can focus on work that requires human judgment
  • Show leadership how threat intelligence helps the business, using metrics and real-life examples

Threat intelligence is very important, and the organization needs to stand behind it. That means having a dedicated team and making sure everyone understands how important security is, so that decisions can be made based on the threat intelligence available.

The Future of Actionable Threat Intelligence

Emerging technologies and methods are continually altering the threat intelligence landscape. As AI and ML mature as tools to sift through large amounts of threat data, find patterns in it, and predict what an attacker will do next, organizations can use automation to process intelligence faster and scale their analysis capabilities. However, human judgment is still critical for making sense of the nuances and context that determine how effective intelligence really is. The growing use of operational technology (OT) alongside IT, the increasing adoption of cloud-based solutions, and the rising number of targeted attacks against supply chains all broaden the range of potential threats and their complexity. Organizations must therefore evolve their intelligence programs to respond to these changing threats while keeping actionable threat intelligence at the center of their cybersecurity strategy.

Conclusion

Actionable threat intelligence (ATI) is one of the most valuable weapons available to today’s cybersecurity professional. With a focus on relevance, contextualization, and actionable guidance, organizations can take unprocessed threat data and turn it into real insight that drives proactive and effective defensive action. Organizations looking to build an effective ATI program need advanced technologies, skilled personnel, robust processes, and a collaborative mindset. Organizations that develop actionable intelligence from threats will be better positioned to defend their assets, reputation, and customer base as threats continue to evolve in a rapidly changing digital world.