Every time I think I already wrote the most basic blog post on threat intelligence usage, somebody comes and asks for an even more basic one…
Now, many of you have retweeted this tweet:
“1. Get threat intel 2. ???? 3. Profit!” syndrome seems to plague many organizations.
— Dr. Anton Chuvakin (@anton_chuvakin) June 21, 2016
Let’s explore this a bit – what questions do you need to answer before you get your first threat intel data source(s)? These ones, IMHO [feel free to add yours in comments, BTW!]:
- What is my primary motivation for getting TI, such as better threat detection, improved alert triage or IR support?
- Where do I get my first threat intel source [likely, a network indicator feed, IP/DNS/URL]?
- How do I pick the best one(s) for me?
- Where do I put it, into what tool?
- How do I actually make sure it will be useful in that tool?
- What has to happen with the intelligence data in that tool, what correlation and analysis?
- What specifically do I match TI against, which logs, traffic, alerts?
- What do I have to do with the results of such matching? Who will see them? How fast?
- How do I assure that the results of matching are legitimate and useful?
- What do I do with false or non-actionable matches?
- How do I use intel to validate alerts produced by other tools?
- Do I match TI to only current data or also to past log/traffic data? How far in the past do I go?
Got any more?
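As an added example (not from the original post), here is what several of these questions look like once turned into code: a small Python matcher that runs a constructed IP/domain indicator feed against constructed proxy/firewall log lines, applies a 30-day lookback for past data, and sets aside stale and allow-listed hits as non-actionable before anything reaches an analyst. The feed format, log format, lookback window and trusted network range are all assumptions made for this example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re
# Constructed indicator feed using documentation ranges and reserved names; not real intel.
FEED = [
    {"indicator": "203.0.113.7", "type": "ip", "expires": "2016-09-01"},
    {"indicator": "bad.example", "type": "domain", "expires": "2016-06-10"},  # already expired
    {"indicator": "198.51.100.20", "type": "ip", "expires": "2016-12-31"},   # sits in a range we trust
]
# Local context the feed vendor cannot know: infrastructure we own or have vetted (assumed).
ALLOW_NETS = [ip_network("198.51.100.0/24")]
# Constructed proxy/firewall log lines (timestamp, source, destination IP or host).
LOGS = """\
2016-06-20T10:15:00 src=10.0.0.5 dst=203.0.113.7 action=allow
2016-06-20T10:16:00 src=10.0.0.9 host=bad.example action=allow
2016-06-20T10:17:00 src=10.0.0.7 dst=198.51.100.20 action=allow
2016-03-01T08:00:00 src=10.0.0.5 dst=203.0.113.7 action=allow
2016-06-20T10:18:00 src=10.0.0.8 dst=192.0.2.44 action=allow
""".splitlines()
LINE_RE = re.compile(r"^(\S+) src=(\S+) (?:dst|host)=(\S+)")
NOW = datetime(2016, 6, 21)  # "current time" for this constructed run

def classify(entry, ts, now, lookback):
    """Decide what a hit means before it reaches an analyst as an alert."""
    if datetime.fromisoformat(entry["expires"]) < now:
        return "stale_indicator"   # feed no longer vouches for it: non-actionable
    if entry["type"] == "ip" and any(ip_address(entry["indicator"]) in n for n in ALLOW_NETS):
        return "allowlisted"       # technically a match, but trusted local infrastructure
    if ts < now - lookback:
        return "historical"        # past traffic: route to IR/hunting, not the live alert queue
    return "actionable"

def match_logs(lines, feed, now=NOW, lookback=timedelta(days=30)):
    """Match IP/domain indicators against current and past log lines; return each hit with a disposition."""
    by_value = {e["indicator"]: e for e in feed}
    results = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ts, src, target = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        entry = by_value.get(target)
        if entry:
            results.append({"src": src, "indicator": target, "ts": m.group(1),
                            "disposition": classify(entry, ts, now, lookback)})
    return results

if __name__ == "__main__":
    for hit in match_logs(LOGS, FEED):
        print(hit)  # one actionable, one stale, one allowlisted, one historical hit
```

Only the first hit belongs in the live alert queue; the other three are still worth recording, since they answer the "how far back" and "what do I do with non-actionable matches" questions with data rather than guesses.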
P.S. This post is for this security ops maturity level:
P.P.S. I wish more TI vendors would help clients use their intel “products.”
Blog posts related to threat intelligence:
- How a Lower Maturity Security Organization Can Use Threat Intel?
- Threat Intelligence and Operational Agility
- My Threat Intelligence and Threat Assessment Research Papers Publish
- Threat Assessment – A Tough Subject (And Sharks with Fricking Lasers!)
- On Threat Intelligence Management Platforms
- How to Use Threat Intelligence with Your SIEM?
- On Internally-sourced Threat Intelligence
- Delving into Threat Actor Profiles
- On Threat Intelligence Sources
- How to Make Better Threat Intelligence Out of Threat Intelligence Data?
- On Threat Intelligence Use Cases
- On Broad Types of Threat Intelligence
- Threat Intelligence is NOT Signatures!
- The Conundrum of Two Intelligences!
- On Comparing Threat Intelligence Feeds
- Consumption of Shared Security Data
- From IPs to TTPs