Cybersecurity can look like an arms race at times, with new tools and threat intelligence feeds popping up to counter every new attack or piece of malware. At a glance, it seems that there is no limit on the benefits of threat information sharing. A seemingly infinite supply of indicators is great in concept (the more we know the better prepared we are, right?), but the reality is that we only have so much capacity to ingest information. Raw indicators aren't helping us understand context, so we end up ingesting all these indicators with no real idea of what a hit on one tells us. Result: information overload, analyst fatigue, and, at the end of the day, the really meaningful alerts are lost in the noise.
When your threat feeds become more of a distraction than an enabler, the tools intended to protect your business can't do their job. Following up on false positives can send security professionals on a wild goose chase, wasting your team's time and encumbering triage efforts that could better root out what data are indicative of potential incidents that might need addressing. At other times, your team will allocate resources to mitigating threats that wouldn't have had an impact on the company. Over time, too much unsorted intel can derail your security regime, as analysts and tooling are overburdened by unimportant security data.
Instead of reading every report in your threat feed and interpreting all intel as a threat to your business, it's best to develop an organized process for curating the data—selecting sources, reviewing intel, and tagging, organizing, deploying, and monitoring the efficacy of data—so that it aligns with your organization's visibility and helps guide your security operations center (SOC) analysts.
8 Tips for Identifying the Threats in Your Intel Feed
1. Connect your threat model to your business mission. Are the cyber threats you are focused on the ones that present the greatest risk to the company's business mission? This might sound obvious until you realize how much SOC effort is devoted to chasing trivial alerts that don't have much effect on the company.
2. Curate your content to eliminate outdated information. False positives alerting on old threats are an utter distraction and a waste of space in your threat feed. Attack infrastructure changes over time. Today's valid threat indicators may be benign come tomorrow. Organize and regularly review your intel so that only relevant and current indicators are ingested into your network security platform.
3. Evaluate returns on intel investment. If a particular intel feed leads to the implementation of specific security controls that block malware or otherwise prevent incidents, then you have data to back up your investment. By then eliminating feeds that don't offer measurable value, you can whittle down a colossal pile of data into a manageable number of relevant alerts and potentially cut costs and demonstrate investment returns to your leadership.
4. Prioritize by protection. When it comes to alerts, some represent threats and others do not. Identify up front your mission critical processes and assets, so you know immediately when your organization is exposed to critical risk, when your analysts have moderate problems to resolve, and when an alert is just noise. Threats should always be categorized based on the risk they pose to your environment and prioritized accordingly.
5. Fill in the bigger picture. If your indicators are divorced from context and your team finds itself chasing indicator hits, they may be missing the forest for the trees. Your team will act more productively if your content is connected to context. By understanding threats in context, you'll know when something is actionable and what kind of action it requires.
6. Empower the CISO with greater visibility. The CISO needs visibility into IT infrastructure, logs, reports, and other information in order to properly comprehend the state and nature of the organization's attack surface based on data. They then need to apply that data to know where their security gaps exist and what to look for. They can also use this data to realistically gauge their ability to detect and respond to attacks and to request the resources required to resolve weaknesses and defend important assets.
7. Organize your intel based on use-cases. Anything accepted into your intel feed should be aligned with a use-case methodology that tags and monitors threats based on attack type. That kind of use-case-driven SOC organizes your monitoring and detection activities around the most relevant threat signatures, attack patterns, and methods. How would ransomware hit your organization? What would specific attacks look like in your security platform? This kind of analysis can ensure you stay focused on intelligence that is relevant to the organization.
8. Play offense as well as defense. Detection tools are great, but security professionals can avoid considerable pain by identifying weaknesses and proactively reducing the attack surface. This plays into the suggestions above about reducing the data volume and focusing on quality intel. Analysts can triage that information, correlate it to vulnerabilities, and guide the organization to prioritized remediation that proactively reduces attack surface.
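Tips 2, 3, 4, and 7 describe one curation pipeline: age out stale indicators, measure whether each feed actually earns its keep, rank hits by the criticality of the asset involved, and keep use-case tags on everything. The script below is an added example written for this article, not code from the original post or from any vendor platform. Every feed name, indicator, asset address, age limit, and triage outcome in it is constructed for illustration; the per-type age limits and the 25% precision threshold are assumptions you would tune to your own environment.

```python
"""Curate a threat-intel feed: retire stale indicators, rank hits by asset
criticality, tag by use case, and measure each feed's precision.
All data here is constructed for the example; none of it is a real IoC."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Fixed clock so the example is reproducible (assumption, not a real date).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Tip 2: maximum age in days before an indicator is retired. Network
# infrastructure churns quickly; file hashes stay meaningful far longer.
# These limits are assumptions for the example.
MAX_AGE_DAYS = {"ipv4": 14, "domain": 30, "sha256": 365}

# Tip 4: asset criticality tiers, 3 = mission critical, 2 = important,
# 1 = low value, unknown assets score 0. Constructed inventory.
ASSET_TIER = {"10.0.1.5": 3, "10.0.2.20": 2, "10.0.9.77": 1}


@dataclass(frozen=True)
class Indicator:
    value: str
    ioc_type: str        # "ipv4", "domain" or "sha256"
    feed: str            # name of the source feed
    last_seen: datetime  # when the provider last saw the indicator active
    use_case: str        # tip 7 tag, e.g. "ransomware", "phishing", "c2"


def is_stale(ind: Indicator, now: datetime = NOW) -> bool:
    """Tip 2: an indicator older than its type's limit is retired."""
    return (now - ind.last_seen).days > MAX_AGE_DAYS.get(ind.ioc_type, 30)


def curate(indicators, now: datetime = NOW) -> list:
    """Keep only current indicators; stale ones never reach the platform."""
    return [i for i in indicators if not is_stale(i, now)]


def by_use_case(indicators, tag: str) -> list:
    """Tip 7: pull the subset of intel that serves one detection use case."""
    return [i for i in indicators if i.use_case == tag]


def priority(asset: str) -> str:
    """Tip 4: rank a hit by the tier of the asset that touched the indicator."""
    tier = ASSET_TIER.get(asset, 0)
    if tier == 3:
        return "critical"
    if tier == 2:
        return "moderate"
    return "noise"


def feed_precision(hits) -> dict:
    """Tip 3: precision per feed = hits confirmed as incidents / total hits."""
    totals, confirmed = {}, {}
    for feed, was_incident in hits:
        totals[feed] = totals.get(feed, 0) + 1
        confirmed[feed] = confirmed.get(feed, 0) + int(was_incident)
    return {feed: confirmed[feed] / totals[feed] for feed in totals}


def feeds_to_drop(hits, threshold: float = 0.25) -> list:
    """Feeds whose precision falls below the threshold are candidates to cut."""
    return sorted(f for f, p in feed_precision(hits).items() if p < threshold)


# Constructed sample feed; addresses are documentation ranges, hash is dummy.
SAMPLE_FEED = [
    Indicator("198.51.100.23", "ipv4", "feed-a",
              datetime(2024, 5, 28, tzinfo=timezone.utc), "c2"),
    Indicator("203.0.113.9", "ipv4", "feed-b",
              datetime(2024, 3, 1, tzinfo=timezone.utc), "c2"),
    Indicator("bad.example", "domain", "feed-a",
              datetime(2024, 5, 10, tzinfo=timezone.utc), "phishing"),
    Indicator("a" * 64, "sha256", "feed-c",
              datetime(2023, 9, 1, tzinfo=timezone.utc), "ransomware"),
]

# Constructed triage log: (feed that produced the hit, analyst confirmed incident?)
SAMPLE_HITS = [
    ("feed-a", True), ("feed-a", True), ("feed-a", False),
    ("feed-b", False), ("feed-b", False), ("feed-b", False),
    ("feed-b", False), ("feed-b", True),
    ("feed-c", True),
]

if __name__ == "__main__":
    live = curate(SAMPLE_FEED)
    for ind in live:
        print(f"keep {ind.value:16} {ind.feed} [{ind.use_case}]")
    print("hit on 10.0.1.5 ->", priority("10.0.1.5"))
    print("precision:", feed_precision(SAMPLE_HITS))
    print("drop candidates:", feeds_to_drop(SAMPLE_HITS))
```

Running it retires the 92-day-old address from feed-b while keeping the 274-day-old hash, because the age limit depends on indicator type rather than a single global cutoff. The precision table is the number you take to leadership under tip 3: feed-b produced one confirmed incident in five hits and falls below the threshold, so it is the first candidate to cut.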
Your threat intelligence capability is only as good as your data management. By decreasing the total amount of intel and increasing the density of relevant intel, your team will have an easier time translating information into insights, and it will have more time to detect and respond to threats that truly represent the greatest risk to the business.