If you\u2019re concerned about the increased threat of cyberattacks by state-sponsored hackers and hacktivist groups in the current geopolitical atmosphere, you\u2019re certainly justified.\n\nCriminal groups are emerging from the shadows and pledging their allegiance to Russia. They\u2019re conducting reconnaissance attacks and coalescing into the roles they\u2019ll play in the global cyberwar many see on the horizon\u2014one that will likely be coordinated by a central command.\n\nThese real threats are driving intense efforts within security organizations across industries, from critical infrastructure and financial markets to government organizations, supply chain and logistics, and many others. The security organization is realizing that it must become better at identifying and ultimately outmaneuvering adversaries.\n\nAt the CISO level, we\u2019re seeing an unprecedented focus on gathering information about attackers to better understand what\u2019s at risk and how to mitigate threats. Within the CISO\u2019s team, the imperative is to apply a macro view of attacker motivation to the organization\u2019s understanding of their vulnerability to attack, allowing teams to prepare for and detect unknown cyberthreats. \n\nFostering bidirectional communication \n\nIf there\u2019s a silver lining to preparing for imminent of cyberattacks, it\u2019s this: we\u2019re finally starting to achieve the collaborative bidirectional communication between security operations and the threat intelligence team required to quickly detect and respond to attacks.\n\nInstead of the traditional one-way flow of information where the threat intelligence team delivers briefs to the security operations center (SOC) team, we\u2019re seeing teams work together to understand the attacker. The vision of a cyber fusion center is coming to fruition.\n\nDiscussions are happening across roles, from the practitioners discovering threats to the security engineer concerned with controls to the CISO weighing the priorities for remediation. In turn, the informed CISO translates the intelligence the team has gathered into business impacts and communicates those to executives.\n\nBut communication and intelligence alone are not enough to win the battle. You need to be able to analyze this intelligence and act on it quickly. In other words, you need to operationalize it.\n\nOperationalizing intelligence in three steps \n\nWhen CISOs and SOC analysts come to us at Anomali for insight into the adversaries and attacks that they should be prepared for, we help them understand and refine a process for operationalizing intelligence.\n\nHere\u2019s what we\u2019ve seen work effectively in best-in-class security organizations: \n\nThe security organization, including SOC analysts, threat intelligence analysts, and the CISO, work together to define the organization\u2019s defensive security posture and explain it to non-technical executives outside of the CISO\u2019s organization.\n\nAs incidents happen (both internally and externally), teams move quickly to gather intelligence and identify lessons learned. They work to understand the details of the attack, such as the payload, the method used to propagate it, and other adversary behaviors used in advanced persistent threats. With the nuggets of relevant information about the attack, the team extracts lessons learned and feeds them back into their defensive posture. \n\nThe next step is for the red team to emulate the attack within your environment. Similar to war gaming, incident responders then try to identify the attack as it unfolds. Replaying an incident and identifying the details of the techniques being used by an attacker gives teams the insights they need to put the right security controls in place to stop the attack and harden their security posture.\n\nThese steps take place in a continuous loop every time new intelligence comes in.\n\nImproving your defense with automation and AI \n\nThe process I just described to operationalize intelligence is predicated on having access to comprehensive threat intelligence. This includes relevant global threat data, including actor, technique, and indicator intelligence. (For more insight into the importance of relevant threat intelligence, check out "How Can You Identify an Attack and Predict the Next Move? It Takes Relevant Threat Intelligence")\n\nGiven what\u2019s at stake for organizations today, CISOs should also consider investing in tools that automate the collection and management of threat intelligence. Automation accelerates detection and investigation while making it easier for different roles and parts of the organization to collaborate.\n\nAnother critical tool that supports this process is the MITRE ATT&CK framework, which helps organizations apply intelligence to understand attackers\u2019 tactics, techniques, and procedures (TTPs). You can read more about MITRE ATT&CK and how it can help your team in my ATT&CK blog post \u201cLeveraging MITRE ATT&CK: How Your Team Can Adopt This Essential Framework\u201d.\n\nAnd finally, there\u2019s an emerging model for understanding the context and relationships between the sequences of techniques attackers use. Called the Attack Flow project, it\u2019s a data format for describing sequences of adversary behavior that the Center for Threat-Informed Defense is developing in collaboration with cybersecurity leaders. The goal is for the format to become a standard leveraged throughout the industry to support threat intelligence use cases\u2014including the three-step process detailed above. You can learn more about the format and see an example of it built from a public intrusion in \u201cAttack Flow\u2014Beyond Atomic Behaviors.\u201d \n\nWant to learn more about achieving intelligence-driven security operations? I recommend watching the webinar \u201cClimbing the Threat Intelligence Maturity Curve.\u201d\n\nMark Alba\n\nChief Product Officer at Anomali\n\nMark Alba is Chief Product Officer at Anomali, joining the company in April 2020. Mark has over 20 years of experience building, managing and marketing disruptive products and services. Throughout his career, Mark has been on the front lines of innovation, leading product efforts in both start-up and large enterprise organizations including Check Point Technologies, Security Focus, Symantec and Hewlett Packard Enterprise.\n\nHis proven track record includes bringing to market the security industry\u2019s first fully integrated appliance firewall, leading the integration of global threat intelligence into perimeter security technologies and introducing advanced analytics in support of cyber security operations.