When you hear the term “Threat Intelligence,” it’s easy to have preconceived notions of what it means. Or, since it’s become security’s latest buzzword, to wonder if everyone talking about it means the same thing. Threat intelligence plays an integral role in the growing shift away from traditional event-driven security to intelligence-led security to address today’s evolving threat landscape, so it’s important to understand the key capabilities that security intelligence needs to deliver.
Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” True threat intelligence must be more than just informational. Security professionals today are overrun with information—security alerts, log files, etc.—so much so that we have multiple technologies whose main purpose is to help make sense of all this information. Threat Intelligence, in very practical terms, is:
One other comment before I dive into each of those and why they are important: I like that Gartner’s definition does not include intent. Why? Intent implies that the “menace” is trying to target you. While we know this may sometimes be the case, more often it’s not, and the reality is that pretty much any piece of malware out there will damage unintended targets. For example, Stuxnet targeted Iranian nuclear enrichment facilities, but it ultimately escaped the purported air-gapped system and has been seen in at least 10 other countries. From a threat intelligence perspective, intent doesn’t matter: if the threat is on your network, it’s on your network.
Let’s take a look at the three key components that true threat intelligence must have.
Threat Intelligence Must Be Tactical: So threat intelligence really needs to be about threats from the outside world that are directly relevant to my organization, along with all the details about those threats. Okay, I can buy that. But once I am able to actually get this information, what do I do with it? As mentioned earlier, there is simply too much information for any one person or team to consume. It needs to be delivered in a format that can be automatically consumed and acted upon by the sentries (the firewalls, advanced malware protection, email security, web gateway, and intrusion prevention system) you have deployed to protect your organization. If you can’t make these technologies smarter, so that they can learn what adversaries are doing and take action, then it’s not really intelligence.
Threat Intelligence Must Be Contextual: Context really comes down to more than just a WHOIS function. It has to include relevance. If you operate in the financial services segment, then you need the most up-to-date information on threats that are targeting your sector and not necessarily those targeting mining operations in South Africa. Some standards out there, including STIX and CybOX, are really trying to make this a reality and consistently structure data across disparate security technologies so that the data can be more easily correlated to ensure the most relevant information is delivered. If you’ve never heard of these, be sure to check them out.
Threat Intelligence Must Be Automated: This may seem like a no-brainer, but sometimes you have to state the obvious. Threat intelligence must continuously feed into your environment to ensure its effectiveness, and you shouldn’t have to press a button to fetch it. Automated doesn’t necessarily mean that it’s turn-key and fully integrated, and continuous doesn’t have to mean every second, but it must be automated to support the sharing of content between trusted entities for faster collaboration and decision making. Something as simple as an API that can allow communication to and from a device may be all you need.
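To make the three properties concrete, here is an added Python example (not code from the original article or from any vendor) that turns a feed of STIX 2.1-style indicator objects into a blocklist a sentry could consume, keeping only indicators that are current, confident enough, and relevant to your sector. The `x_target_sectors` custom property, the `OWN_NETS` range, the function names and the sample feed are assumptions constructed for illustration; indicators without a confidence score are treated as low confidence.

```python
import ipaddress
import re
from datetime import datetime, timezone

SIMPLE = re.compile(r"^\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]$")  # simple patterns only
OWN_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address space

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _reject_reason(obj, sector, now, min_confidence):  # None means enforce
    if obj.get("revoked") or obj.get("confidence", 0) < min_confidence:
        return "revoked or low confidence"
    if now < _ts(obj["valid_from"]) or ("valid_until" in obj and now >= _ts(obj["valid_until"])):
        return "outside validity window"
    sectors = obj.get("x_target_sectors", [])  # assumed custom property
    if sectors and sector not in sectors:
        return "tagged for other sectors"
    match = SIMPLE.match(obj.get("pattern", ""))
    if obj.get("pattern_type") != "stix" or not match:
        return "unsupported pattern"
    if match.group(1) == "ipv4-addr" and any(ipaddress.ip_address(match.group(2)) in n for n in OWN_NETS):
        return "inside own address space"

def build_blocklist(bundle, sector, now, min_confidence=70):
    """Return (values to enforce, [(indicator id, reason)] left for review)."""
    block, skipped = set(), []
    for obj in (o for o in bundle.get("objects", []) if o.get("type") == "indicator"):
        try:
            reason = _reject_reason(obj, sector, now, min_confidence)
        except (KeyError, ValueError):  # missing field, bad timestamp or address
            reason = "malformed indicator"
        if reason:
            skipped.append((obj.get("id"), reason))
        else:
            block.add(SIMPLE.match(obj["pattern"]).group(2))
    return sorted(block), skipped

def _ind(n, pattern, **extra):  # builds one constructed sample indicator
    return {"type": "indicator", "id": f"indicator--sample-{n}", "pattern_type": "stix",
            "pattern": pattern, "valid_from": "2024-01-01T00:00:00Z", "confidence": 80, **extra}
SAMPLE_FEED = {"type": "bundle", "objects": [  # constructed data, not a real feed
    _ind(1, "[ipv4-addr:value = '203.0.113.7']", x_target_sectors=["financial-services"]),
    _ind(2, "[domain-name:value = 'bad.example']", x_target_sectors=["mining"]),
    _ind(3, "[ipv4-addr:value = '10.1.2.3']"),
    _ind(4, "[domain-name:value = 'old.example']", valid_until="2024-02-01T00:00:00Z"),
    _ind(5, "[domain-name:value = 'any.example']"),
]}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
```

Calling `build_blocklist(SAMPLE_FEED, "financial-services", NOW)` returns the values to push to enforcement points plus a list of skipped indicators with the reason each was held back, which is the part an analyst reviews.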
Extending this “global” threat intelligence, local intelligence is also needed and provides additional context and information. Based on correlations and analysis of data across your infrastructure, local intelligence makes your sentries even smarter so that they can take more informed security actions specific to your existing environment.
The goal for any organization should be to reduce both Time to Detection and Time to Remediation. To achieve this, intelligence must be shared and span the extended network and new, connected devices – empowering security technologies and security services teams with intelligence that is actionable and specific to the organization.
Enterprise Strategy Group recently wrote a paper on building an active, intelligent security architecture. It discusses the various components that you need, including forensic tools—which so often get left out of the equation until an attack happens! For more information on malware analysis and threat intelligence and to see how others are using threat intelligence to improve their business operations, visit the Cisco website to learn more about AMP Threat Grid.