Every time I think I already wrote the most basic blog post on threat intelligence usage, somebody comes and asks for an even more basic one…
Now, many of you have retweeted this tweet:
“1. Get threat intel 2. ???? 3. Profit!” syndrome seems to plague many organizations.
— Dr. Anton Chuvakin (@anton_chuvakin) June 21, 2016
Let’s explore this a bit – what questions do you need to answer before you get your first threat intel data source(s)? These ones, IMHO [feel free to add yours in comments, BTW!]:
- What is my primary motivation for getting TI, such as better threat detection, improved alert triage or IR support?
- Where do I get my first threat intel source [likely, a network indicator feed, IP/DNS/URL]?
- How do I pick the best one(s) for me?
- Where do I put it, into what tool?
- How do I actually make sure it will be useful in that tool?
- What has to happen with the intelligence data in that tool, what correlation and analysis?
- What specifically do I match TI against, which logs, traffic, alerts?
- What do I have to do with the results of such matching? Who will see them? How fast?
- How do I ensure that the results of matching are legitimate and useful?
- What do I do with false or non-actionable matches?
- How do I use intel to validate alerts produced by other tools?
- Do I match TI to only current data or also to past log/traffic data? How far in the past do I go?
Got any more?
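To make several of the questions above concrete (which logs to match against, how far back to look, what to do with low-confidence or stale indicators, and how to keep known false positives from paging anyone), here is an added example of a minimal indicator-matching loop. It is not code from the original post; the feed entries, log lines, thresholds and the "current time" are all constructed for illustration, and the feed format (value, type, confidence, last_seen) is a hypothetical one.

```python
"""
Added example (not from the original post): a minimal threat-intel matching
loop. It walks constructed proxy/DNS log lines, extracts IP and domain
observables, matches them against a constructed indicator feed, applies a
retro-matching window, and routes each hit to alert / triage / suppressed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from urllib.parse import urlparse
import re


@dataclass(frozen=True)
class Indicator:
    value: str            # IP or domain
    itype: str            # "ip" or "domain"
    confidence: int       # 0-100, as given by the (hypothetical) feed
    last_seen: datetime   # when the feed last saw the indicator active
    context: str          # short description from the feed


@dataclass(frozen=True)
class Match:
    timestamp: datetime
    observable: str
    disposition: str      # "alert", "triage" or "suppressed"
    reason: str
    log: str


# Constructed feed entries (documentation-range addresses, not real IoCs).
FEED = [
    Indicator("203.0.113.45", "ip", 90, datetime(2016, 6, 20), "c2 server"),
    Indicator("198.51.100.7", "ip", 40, datetime(2016, 3, 1), "scanner"),
    Indicator("bad-updates.example", "domain", 85, datetime(2016, 6, 18), "malware distribution"),
    Indicator("cdn.example", "domain", 20, datetime(2016, 6, 19), "shared hosting"),
]

# Indicators already investigated and cleared (known false positives).
ALLOWLIST = frozenset({"cdn.example"})

# Constructed log lines: "<timestamp> <source> k=v k=v ...".
LOGS = [
    "2016-06-21T10:02:11Z proxy src=10.0.0.12 dst=203.0.113.45 url=http://203.0.113.45/beacon",
    "2016-06-21T10:05:40Z dns client=10.0.0.33 query=bad-updates.example",
    "2016-06-21T10:06:02Z dns client=10.0.0.33 query=cdn.example",
    "2016-05-30T08:14:59Z proxy src=10.0.0.50 dst=198.51.100.7 url=http://198.51.100.7/",
    "2016-06-21T11:00:00Z dns client=10.0.0.12 query=intranet.corp",
]

# Constructed "current time" so the example is deterministic.
NOW = datetime(2016, 6, 21, 12, 0, 0)

DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def classify(value):
    """Return ("ip", v) or ("domain", v) for a log field value, else None."""
    try:
        return ("ip", str(ip_address(value)))
    except ValueError:
        pass
    v = value.lower().rstrip(".")
    if DOMAIN_RE.match(v):
        return ("domain", v)
    return None


def parse_line(line):
    """Split a log line into (timestamp, ordered list of unique observables)."""
    ts_str, _source, *fields = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    observables = []
    for field in fields:
        key, _, value = field.partition("=")
        if key == "url":                      # match on the host, not the full URL
            value = urlparse(value).hostname or ""
        obs = classify(value)
        if obs and obs not in observables:
            observables.append(obs)
    return ts, observables


def match_logs(logs, feed, *, now, lookback_days=30, min_confidence=60,
               max_age_days=30, allowlist=frozenset()):
    """Match observables in logs against feed; skip events older than lookback_days."""
    index = {(i.itype, i.value): i for i in feed}
    cutoff = now - timedelta(days=lookback_days)
    matches = []
    for line in logs:
        ts, observables = parse_line(line)
        if ts < cutoff:
            continue                          # outside the retro-matching window
        for itype, value in observables:
            ind = index.get((itype, value))
            if ind is None:
                continue
            age_days = (now - ind.last_seen).days
            if value in allowlist:
                disposition, reason = "suppressed", "known false positive"
            elif ind.confidence < min_confidence:
                disposition, reason = "triage", f"low confidence ({ind.confidence})"
            elif age_days > max_age_days:
                disposition, reason = "triage", f"stale indicator ({age_days}d old)"
            else:
                disposition, reason = "alert", ind.context
            matches.append(Match(ts, value, disposition, reason, line))
    return matches


def summarize(matches):
    """Count matches per disposition (what the analyst queue will look like)."""
    counts = {"alert": 0, "triage": 0, "suppressed": 0}
    for m in matches:
        counts[m.disposition] += 1
    return counts


if __name__ == "__main__":
    hits = match_logs(LOGS, FEED, now=NOW, allowlist=ALLOWLIST)
    for m in hits:
        print(f"{m.disposition:10} {m.observable:22} {m.reason}")
    print(summarize(hits))
```

Running it with the constructed data yields two alerts (the high-confidence C2 IP and the malware domain), one triage item (the low-confidence scanner IP seen in a three-week-old proxy line, found only because the lookback window is 30 days) and one suppressed hit (the allowlisted shared-hosting domain). Shrinking `lookback_days` to 7 drops the old proxy hit entirely, which is the practical trade-off behind the "how far in the past do I go?" question.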
P.S. This post is for this security ops maturity level:
P.P.S. I wish more TI vendors would help clients use their intel “products.”
Blog posts related to threat intelligence:
- How a Lower Maturity Security Organization Can Use Threat Intel?
- Threat Intelligence and Operational Agility
- My Threat Intelligence and Threat Assessment Research Papers Publish
- Threat Assessment – A Tough Subject (And Sharks with Fricking Lasers!)
- On Threat Intelligence Management Platforms
- How to Use Threat Intelligence with Your SIEM?
- On Internally-sourced Threat Intelligence
- Delving into Threat Actor Profiles
- On Threat Intelligence Sources
- How to Make Better Threat Intelligence Out of Threat Intelligence Data?
- On Threat Intelligence Use Cases
- On Broad Types of Threat Intelligence
- Threat Intelligence is NOT Signatures!
- The Conundrum of Two Intelligences!
- On Comparing Threat Intelligence Feeds
- Consumption of Shared Security Data
- From IPs to TTPs
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.