Security pros use cyber threat intelligence (CTI) in a variety of ways, including to support and augment incident response (IR). During a cyber incident, IR teams use indicators of compromise and detections to determine response actions. CTI can enrich and offer context on these indicators and alerts by giving information that’s timely, relevant and actionable – saving responders time and helping direct the investigation.
However, as with any security tool, to unlock the potential of CTI in IR playbooks, responses and actions, security teams have to use it in the right way. With this in mind, here are five recommendations for building an IR strategy with CTI at the center.
- Don’t think of CTI as a “set it and forget it” tool: Simply plugging CTI into IR processes won’t solve anything. CTI should enrich the information the team already knows. But, if the team doesn’t have an understanding of its business, IT environments, what’s normal and what’s not, then CTI won’t help – no matter how much or what kind comes in. To get value out of CTI, first baseline the environment to understand the business, how different departments operate and how normal traffic patterns flow. Only once the team has a deep understanding of normal business behavior can it detect abnormal activity and use CTI to enrich indicators of compromise to take action.
- Stay adaptable: IR playbooks are designed to help security teams document repeatable processes that they can consistently execute on in the face of cyber threat incidents. But, it’s impossible for companies to plan for every single threat vector or type of situation that could happen. Because of this, think of IR playbooks as a helpful guide rather than absolute authority, and IR teams need to adapt quickly based on incoming CTI. Response teams that are so rigid with playbooks and think they have to follow steps a, b, c, d, and e, can actually become ineffective. To avoid this, focus on building uniformity of work while fostering independence of analysis. This means building structure around IR processes, but giving agency to the responder to react organically to the situation, the CTI coming in and threat actor behavior.
- Incorporate risk into CTI: Incorporating risk into CTI makes it relevant to security teams. Without it, security teams would have no way to filter through intelligence reports to determine what’s applicable to them. Understanding factors such as the environment, the vertical the company operates in, the systems the team runs and the assets in need of protection all help incident responders sift through volumes of data to recognize what will be beneficial to their organization. From there, they can use the relevant information to make educated decisions about response strategies.
- Determine the organization’s appetite for risk: Just like companies weigh the risks of financial activities and investments, so, too, must they determine their appetite for risk around cyber threats. This includes identifying which risks to eliminate, mitigate and tolerate – and this information factors into what CTI is relevant and how the organization responds to an incident. If the team can’t mitigate a risk and has to accept it (a software vulnerability, for example), it must laser-in on getting the right CTI, tools and processes in place to provide real-time accurate detection – because the quicker the team can identify a threat, the faster it can stop it and the less damage it can do.
- Be patient: Just as Rome wasn’t built in a day, neither will a CTI strategy. A lot of CTI research exists in a vacuum, failing to reflect real-world capabilities for companies. This can leave security teams feeling overwhelmed because they don’t even know how to start filtering out information that’s relevant for their business. However, taking the time to understand the company’s baseline behavior and risk appetite can help carve out a strategy for finding and extracting relevant data that can secure the business. CTI offers a potentially significant return-on-investment, but it won’t come instantaneously. Getting the value the company wants will take time and internal reflection.
A lot of threat actors go back to the same tried-and-true methodologies because they work, and this means there’s documented intelligence on their tactics, techniques, and procedures. Because of this, CTI offers value in IR – but we need to use it the right way. By following this five-point plan, security teams can put CTI to work for the business, use it to augment IR and keep their organization secure and resilient.
Curtis Fechner, engineering fellow, threat management, Optiv
