Every time I think I already wrote the most basic blog post on threat intelligence usage, somebody comes and asks for an even more basic one…
Now, many of you have retweeted this tweet:
“1. Get threat intel 2. ???? 3. Profit!” syndrome seems to plague many organizations.
— Dr. Anton Chuvakin (@anton_chuvakin) June 21, 2016
Let’s explore this a bit – what questions do you need to answer before you get your first threat intel data source(s)? These ones, IMHO [feel free to add yours in comments, BTW!]:
- What is my primary motivation for getting TI, such as better threat detection, improved alert triage or IR support?
- Where do I get my first threat intel source [likely, a network indicator feed, IP/DNS/URL]?
- How do I pick the best one(s) for me?
- Where do I put it, into what tool?
- How do I actually make sure it will be useful in that tool?
- What has to happen with the intelligence data in that tool, what correlation and analysis?
- What specifically do I match TI against, which logs, traffic, alerts?
- What do I have to do with the results of such matching? Who will see them? How fast?
- How do I ensure that the results of matching are legitimate and useful?
- What do I do with false or non-actionable matches?
- How do I use intel to validate alerts produced by other tools?
- Do I match TI to only current data or also to past log/traffic data? How far in the past do I go?
Got any more?
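To make the middle of that list concrete (what actually has to happen with the intel inside the tool, what it gets matched against, how far back, and what to do with low-value matches), here is an added example that is not part of the original post. It is a small indicator-matching routine: the feed CSV, the log lines, the allowlist, the confidence and freshness thresholds and the “now” timestamp are all constructed for illustration and use documentation-range addresses and reserved example domains.

```python
"""Match a threat-intel indicator feed against log records (added example).

Everything below (feed, logs, allowlist, thresholds, NOW) is constructed
for illustration; it is not a real feed or a real tool's logic.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed indicator feed in the CSV shape many network feeds use.
FEED_CSV = """indicator,type,confidence,last_seen,source
198.51.100.23,ip,90,2016-06-20,constructed-feed-a
203.0.113.77,ip,40,2016-03-01,constructed-feed-a
bad.example.net,domain,85,2016-06-18,constructed-feed-b
cdn.example.com,domain,60,2016-06-19,constructed-feed-b
"""

# Constructed log lines: "<ISO timestamp> <src ip> <dst ip> <host or ->".
LOG_LINES = [
    "2016-06-21T10:02:11Z 10.0.0.5 198.51.100.23 -",
    "2016-06-21T10:05:40Z 10.0.0.9 192.0.2.10 bad.example.net",
    "2016-06-21T11:15:00Z 10.0.0.5 192.0.2.44 cdn.example.com",
    "2016-05-02T09:00:00Z 10.0.0.7 203.0.113.77 -",
    "2016-01-15T08:30:00Z 10.0.0.7 198.51.100.23 -",
]

# Shared infrastructure the organisation has decided is non-actionable.
ALLOWLIST = frozenset({"cdn.example.com"})

# Constructed "current time" so the example is deterministic.
NOW = datetime(2016, 6, 21, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str
    confidence: int
    last_seen: datetime
    source: str


@dataclass(frozen=True)
class Match:
    log_line: str
    indicator: Indicator
    severity: str


def load_feed(text: str) -> dict:
    """Parse the CSV feed into a lookup keyed by normalised indicator value."""
    feed = {}
    for row in csv.DictReader(io.StringIO(text)):
        value = row["indicator"].strip().lower()
        if row["type"] == "ip":
            ipaddress.ip_address(value)  # reject malformed entries early
        last_seen = datetime.strptime(row["last_seen"], "%Y-%m-%d")
        feed[value] = Indicator(value, row["type"], int(row["confidence"]),
                                last_seen.replace(tzinfo=timezone.utc), row["source"])
    return feed


LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(line: str) -> Optional[tuple]:
    """Return (timestamp, set of values worth matching) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    candidates = {m.group(3).lower()}          # destination IP
    if m.group(4) != "-":
        candidates.add(m.group(4).lower())     # hostname, when present
    return ts, candidates


def severity_for(confidence: int) -> str:
    return "high" if confidence >= 80 else "medium" if confidence >= 50 else "low"


def match_logs(feed, lines, now, lookback_days=30, min_confidence=50,
               max_age_days=60, allowlist=frozenset()):
    """Match logs inside the lookback window against fresh, trusted indicators."""
    window_start = now - timedelta(days=lookback_days)
    matches = []
    for line in lines:
        parsed = parse_log(line)
        if parsed is None:
            continue
        ts, candidates = parsed
        if ts < window_start:
            continue                           # outside the retro-matching window
        for value in candidates:
            ind = feed.get(value)
            if ind is None or value in allowlist:
                continue                       # no hit, or known non-actionable
            if ind.confidence < min_confidence:
                continue                       # low confidence: likely noise
            if now - ind.last_seen > timedelta(days=max_age_days):
                continue                       # stale indicator, likely recycled IP
            matches.append(Match(line, ind, severity_for(ind.confidence)))
    return matches


def run_example(lookback_days=30):
    """Run the constructed feed against the constructed logs."""
    return match_logs(load_feed(FEED_CSV), LOG_LINES, NOW,
                      lookback_days=lookback_days, allowlist=ALLOWLIST)


if __name__ == "__main__":
    for hit in run_example():
        print(hit.severity, hit.indicator.value, hit.indicator.source, "|", hit.log_line)
```

With the default 30-day window only two of the five lines fire (the allowlisted CDN hit and the two old lines are dropped); widening `lookback_days` to 200 pulls in the January connection to the high-confidence IP, while the May line still stays out because its indicator is below the confidence floor. Those three knobs (window, confidence floor, indicator age) are exactly the decisions the questions above ask you to make before the first feed goes in.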
P.S. This post is for this security ops maturity level:
P.P.S. I wish more TI vendors would help clients use their intel “products.”
Blog posts related to threat intelligence:
- How a Lower Maturity Security Organization Can Use Threat Intel?
- Threat Intelligence and Operational Agility
- My Threat Intelligence and Threat Assessment Research Papers Publish
- Threat Assessment – A Tough Subject (And Sharks with Fricking Lasers!)
- On Threat Intelligence Management Platforms
- How to Use Threat Intelligence with Your SIEM?
- On Internally-sourced Threat Intelligence
- Delving into Threat Actor Profiles
- On Threat Intelligence Sources
- How to Make Better Threat Intelligence Out of Threat Intelligence Data?
- On Threat Intelligence Use Cases
- On Broad Types of Threat Intelligence
- Threat Intelligence is NOT Signatures!
- The Conundrum of Two Intelligences!
- On Comparing Threat Intelligence Feeds
- Consumption of Shared Security Data
- From IPs to TTPs
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
For motivations, I suggest including something along the lines of: what business risk am I hoping threat intelligence will address? This will be very important when it comes to gaining and retaining budget. How can you then map from those business risks down the stack to operational needs? For “what is my first source,” I suggest that one of the first, if not the first, threat intel source should be your own environment. It is tough to get more relevant than the actual intrusions occurring within your enterprise. Don’t neglect internal sources by just focusing on external OSINT and commercial sources.