Blog post

Baby’s First Threat Intel Usage Questions

By Anton Chuvakin | June 28, 2016 | 1 Comment

threat intelligence, security

Every time I think I already wrote the most basic blog post on threat intelligence usage, somebody comes and asks for an even more basic one…

Now, many of you have retweeted this tweet:

Let’s explore this a bit – what questions do you need to answer before you get your first threat intel data source(s)? These ones, IMHO [feel free to add yours in comments, BTW!]:

  1. What is my primary motivation for getting TI, such as better threat detection, improved alert triage or IR support?
  2. Where do I get my first threat intel source [likely, a network indicator feed, IP/DNS/URL]?
  3. How do I pick the best one(s) for me?
  4. Where do I put it, into what tool?
  5. How do I actually make sure it will be useful in that tool?
  6. What has to happen with the intelligence data in that tool, what correlation and analysis?
  7. What specifically do I match TI against, which logs, traffic, alerts?
  8. What do I have to do with the results of such matching? Who will see them? How fast?
  9. How do I assure that the results of matching are legitimate and useful?
  10. What do I do with false or non-actionable matches?
  11. How do I use intel to validate alerts produced by other tools?
  12. Do I match TI to only current data or also to past log/traffic data? How far in the past do I go?

Got any more?
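Questions 7, 8, 10 and 12 above are about mechanics: matching an indicator feed against logs, deciding who sees a hit and how fast, handling non-actionable matches, and looking back at past data. The following Python is an added example, not code from this post, that runs a constructed IP/DNS/URL feed against constructed proxy log lines with a 30-day lookback window and an allowlist of known-benign overlaps; the feed values, log lines and line format are all made up for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed indicator feed (the IP/DNS/URL kind from question 2); made-up values.
FEED = {
    "ip": {"203.0.113.7", "198.51.100.5"},
    "domain": {"bad.example.net"},
    "url": {"http://bad.example.net/update.bin"},
}
# Constructed allowlist (question 10): a feed entry your environment uses
# legitimately, e.g. a shared CDN address, so matches on it are non-actionable.
ALLOWLIST = {"198.51.100.5"}

# Constructed proxy log lines: "<timestamp> <src> <dst_ip> <host> <url>".
LOGS = """\
2016-06-28T09:00:01 10.0.0.5 203.0.113.7 bad.example.net http://bad.example.net/update.bin
2016-06-28T09:05:00 10.0.0.8 198.51.100.5 cdn.example.com http://cdn.example.com/lib.js
2016-05-01T14:20:00 10.0.0.9 203.0.113.7 bad.example.net http://bad.example.net/
2016-01-15T08:00:00 10.0.0.9 203.0.113.7 bad.example.net http://bad.example.net/
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
FMT = "%Y-%m-%dT%H:%M:%S"

def match_logs(logs, feed, allowlist, now_s, lookback_days):
    """Match log lines against the feed (question 7); return one dict per hit.
    Each hit records whether it falls inside the lookback window (question 12)
    and whether the allowlist marks it non-actionable (question 10).
    """
    cutoff = datetime.strptime(now_s, FMT) - timedelta(days=lookback_days)
    hits = []
    for raw in logs.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # malformed line: skip rather than mis-parse it
        ts_s, src, dst_ip, host, url = m.groups()
        ts = datetime.strptime(ts_s, FMT)
        for kind, value in (("ip", dst_ip), ("domain", host), ("url", url)):
            if value in feed[kind]:
                hits.append({"type": kind, "indicator": value, "src": src,
                             "ts": ts_s, "in_window": ts >= cutoff,
                             "actionable": value not in allowlist})
    return hits

def triage(hits):
    """Split hits by who needs to see them and how fast (question 8)."""
    current = [h for h in hits if h["actionable"] and h["in_window"]]
    historical = [h for h in hits if h["actionable"] and not h["in_window"]]
    suppressed = [h for h in hits if not h["actionable"]]
    return current, historical, suppressed
```

Hits in the window go to the analyst queue, historical hits on the same indicator point to hosts worth a retrospective look, and suppressed hits are kept so the allowlist itself can be reviewed.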

P.S. This post is for this security ops maturity level:

[Image: sec ops maturity marker]

P.P.S. I wish more TI vendors would help clients use their intel “products.”


1 Comment

  • Rick Holland says:

    For motivations, I suggest including something along the lines of what business risk I am hoping threat intelligence will address? This will be very important when it comes to gaining and retaining budget. How can you then map from those business risks down the stack to operational needs? For "what is my 1st source", I suggest that one of the first, if not the first, threat intel source should be your own environment. It is tough to get more relevant than the actual intrusions occurring within your enterprise. Don’t neglect internal sources by just focusing on external OSINT and commercial sources.