Targeted Threat Intelligence for Security Operations

Bitdefender Enterprise

Organizations know they can no longer settle for the antivirus software, intrusion detection systems and traditional incident response that were once considered “enough” protection. Threat actors refine their skills daily, and threat intelligence (TI) is becoming a necessity.

More security experts were hired in 2020 than ever before. But is that enough? Is threat intelligence really about multitudes of people combing through endless feeds of information? More likely, threat intelligence is about evolving with the threat landscape and rising to the challenge of beating threat actors to the punch. That is where targeted threat intelligence comes in as the next level of defense.

What is targeted threat intelligence?

Targeted threat intelligence is a proactive approach for organizations that have decided that reacting blindly is no longer enough. As operations of every kind become more digital and more interconnected, an organization’s data is exposed to more threats than before. A threat actor may reach that data as a prospective client (external), as an employee (internal) or as one of many partners (third party).

There is a clear gap between generic threat intelligence, which even a junior security team member can consume, and targeted threat intelligence, which requires people with the right knowledge and skills. The people in this role must be able to understand the context of a threat and shape the extracted information into usable tools that fend off attacks, or prevent them from happening altogether.

This does not replace the automated processes an organization already has; it complements them with the right personnel to distribute the information and make good use of it. Expert judgement is required for maintenance work and threat intelligence management operations such as site takedowns (when cloned or impersonating sites appear and damage the organization’s reputation), identifying and prioritizing analysis of the threat actors targeting your industry in your geographic area, proactively hunting for internal vulnerabilities, and prioritizing the right incident responses.

How to use targeted threat intelligence within an organization

The problem with intelligence, in any industry, is that by itself it is irrelevant. Put into context and directed at correctly chosen internal targets, it can be priceless. Generic threat intelligence must aggregate all existing and available threat data, extract it, analyze it rapidly and derive appropriate actions. Ideally, an organization will have enough tooling and automation, supervised by the right personnel, to sort through this information, and will commit more expensive human effort only when atypical action is needed.

To make threat intelligence more effective, a security team must first know its goals. The success of threat intelligence matching and application can be evaluated against KPIs (key performance indicators) such as:

  • Number of true positive (TP) alerts generated
  • Number of true positives handled automatically, thanks to integration capabilities
  • Number of false positives (FP) and additional low-priority noise generated
  • Improvements in response times
  • Count of identified threats
  • Additional relevant context supplied, allowing proper triage and prioritization

These internal goals will give you the insight you need into the type of targeted threat intelligence you should be after.

Approaching threat intelligence management to improve efficiency

Pool all your resources for a strong defense system

An inflow of information from outside your organization is an important part of threat intelligence management, but it is not enough. Information gathered internally from incident response, log files, alerts and reports is valuable because it reveals the vulnerabilities threat actors have already found, the access points others may try to use to breach your systems, and the related indicators and malware. Start with your Security Information and Event Management (SIEM) system, as it holds the raw event data.

With context-driven automation, alerting and blocking can be optimized, and so can security planning, through better allocation of resources.

A focused approach to threat intelligence, that is, a targeted way of operating, means combining internal and external information with your organization’s established goals to filter the information. That way you can learn from past attacks, study the threat actor and find out as much as possible about their motives, goals, objectives and methodology. This information is available in well-structured forms such as the MITRE ATT&CK framework. Once you have it, the threat actor’s next moves may become predictable. Cybercriminals rely heavily on the element of surprise, but for economic and scaling reasons they do reuse some of their infrastructure, tooling and TTPs (tactics, techniques and procedures).
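The two ideas above, pooling internal indicators with an external feed and scoring the result against the KPIs listed earlier, can be put into a few dozen lines. The following is an added example written for this article; it is not Bitdefender’s code, and every feed entry, actor name, ATT&CK technique assignment and SIEM event in it is constructed for illustration. It matches triaged SIEM events against internal indicators first and external ones second, prioritizes hits by whether the actor is one the organization has decided to watch, and counts true positives, auto-handled true positives, false positives, low-priority noise, mean response time, distinct actors and, importantly, the real incidents no feed knew about.

```python
"""Added example (not Bitdefender's code): match raw SIEM events against a
combined set of internal and external indicators, attach actor/ATT&CK context,
and compute the KPIs listed on the page. All feeds, events, actor names and
technique assignments below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed external feed: indicator -> actor, ATT&CK technique ID, confidence (0-100)
EXTERNAL_FEED: Dict[str, dict] = {
    "203.0.113.10": {"actor": "ExampleGroup-A", "technique": "T1071.001", "confidence": 90},
    "malicious-update.example": {"actor": "ExampleGroup-A", "technique": "T1566.002", "confidence": 80},
    "198.51.100.7": {"actor": "ExampleGroup-B", "technique": "T1071", "confidence": 40},
}
# Constructed internal indicators learned from your own past incidents
INTERNAL_FEED: Dict[str, dict] = {
    "sha256:constructed-hash-001": {"actor": "IR-case-2020-03", "technique": "T1204.002", "confidence": 95},
}
# Organizational goal: actors known to target your industry and region get top priority
TARGET_ACTORS = {"ExampleGroup-A", "IR-case-2020-03"}


@dataclass
class Event:
    """One raw SIEM event after analyst triage (disposition 'tp' or 'fp')."""
    ts: datetime
    source: str            # "firewall", "proxy", "edr"
    indicator: str         # IP, domain or file hash seen in the event
    disposition: str       # analyst verdict: "tp" or "fp"
    auto_blocked: bool = False
    closed_ts: Optional[datetime] = None


@dataclass
class Alert:
    event: Event
    actor: str
    technique: str
    confidence: int
    priority: str


def enrich(event: Event) -> Optional[Alert]:
    """Match one event against internal-first, then external indicators and prioritize it."""
    hit = INTERNAL_FEED.get(event.indicator) or EXTERNAL_FEED.get(event.indicator)
    if hit is None:
        return None
    if hit["actor"] in TARGET_ACTORS and hit["confidence"] >= 75:
        priority = "high"      # actor you chose to watch, reliable indicator
    elif hit["confidence"] >= 75:
        priority = "medium"
    else:
        priority = "low"       # low-confidence feed entries are noise, not pages
    return Alert(event, hit["actor"], hit["technique"], hit["confidence"], priority)


def kpis(events: List[Event]) -> Dict[str, float]:
    """Compute the page's KPIs over a batch of triaged events."""
    alerts = [a for a in (enrich(e) for e in events) if a is not None]
    matched = {a.event.indicator for a in alerts}
    tp = [a for a in alerts if a.event.disposition == "tp"]
    fp = [a for a in alerts if a.event.disposition == "fp"]
    # Real incidents that no feed knew about: the coverage gap you are still accepting
    missed = [e for e in events if e.disposition == "tp" and e.indicator not in matched]
    response_min = [(a.event.closed_ts - a.event.ts).total_seconds() / 60
                    for a in tp if a.event.closed_ts is not None]
    return {
        "alerts": len(alerts),
        "true_positives": len(tp),
        "tp_auto_handled": sum(1 for a in tp if a.event.auto_blocked),
        "false_positives": len(fp),
        "low_prio_noise": sum(1 for a in alerts if a.priority == "low"),
        "missed_true_positives": len(missed),
        "mean_response_min": sum(response_min) / len(response_min) if response_min else 0.0,
        "distinct_actors": len({a.actor for a in tp}),
    }


# Constructed sample SIEM events for one morning
T0 = datetime(2020, 6, 1, 9, 0)
SAMPLE_EVENTS: List[Event] = [
    Event(T0, "firewall", "203.0.113.10", "tp", auto_blocked=True, closed_ts=T0 + timedelta(minutes=2)),
    Event(T0 + timedelta(minutes=5), "proxy", "malicious-update.example", "tp", closed_ts=T0 + timedelta(minutes=45)),
    Event(T0 + timedelta(minutes=7), "edr", "sha256:constructed-hash-001", "tp", auto_blocked=True,
          closed_ts=T0 + timedelta(minutes=10)),
    Event(T0 + timedelta(minutes=9), "firewall", "198.51.100.7", "fp"),
    Event(T0 + timedelta(minutes=12), "proxy", "cdn.example.net", "fp"),              # benign, in no feed
    Event(T0 + timedelta(minutes=20), "edr", "sha256:constructed-hash-002", "tp"),    # real, in no feed
]

if __name__ == "__main__":
    for alert in filter(None, map(enrich, SAMPLE_EVENTS)):
        print(f"{alert.priority:6} {alert.actor:16} {alert.technique:10} {alert.event.indicator}")
    print(kpis(SAMPLE_EVENTS))
```

The "missed_true_positives" figure is the one most teams forget to track: it is the number of confirmed incidents your combined feeds would never have alerted on, and it is what tells you whether to invest in more sources or in better internal collection.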

Choose the right data sources

Data sources matter because not all data is equally valuable. You get targeted threat intelligence only from curated data drawn from reliable, constantly updated sources. The good news: an organization backed by a team of experienced security experts can afford to invest in filtering this information to gain more relevant insights, faster.

When it comes to sources, here is what you should look for:

  • Maximum coverage with minimum redundancy. Some overlap between sources is fine as long as it is not excessive, but coverage gaps should be minimized. This still means accepting some residual unknowns and uncovered vulnerabilities.
  • Thorough risk assessment: risk profiles help you prioritize your security investments.
  • Due diligence with every organization you partner with for threat intelligence: ask about its data collection strategy, its filtering tools and how reliable its programs are.
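“Maximum coverage with minimum redundancy” can be measured rather than guessed at, by scoring each candidate feed against the indicators your own incidents have already produced. The following is an added example written for this article, not Bitdefender’s code; the four feeds and the set of internally observed indicators are constructed. It reports how much of your observed activity each feed covers, how much two feeds overlap, which indicators a feed contributes that no other feed does, and greedily picks the smallest set of feeds that covers the most observed indicators, returning the residual gap you are still accepting.

```python
"""Added example (not Bitdefender's code): score candidate threat intelligence
feeds for coverage and redundancy against indicators seen in your own incidents.
All feed contents and observed indicators are constructed for illustration."""
from typing import Dict, List, Set, Tuple

# Constructed candidate feeds: feed name -> indicators it publishes
FEEDS: Dict[str, Set[str]] = {
    "feed-A": {"ioc1", "ioc2", "ioc3", "ioc4"},
    "feed-B": {"ioc3", "ioc4", "ioc5"},
    "feed-C": {"ioc1", "ioc2", "ioc3", "ioc4"},   # near-duplicate of feed-A
    "feed-D": {"ioc9"},                            # irrelevant to anything seen here
}
# Constructed internal ground truth: indicators your SIEM/IR data has actually produced
OBSERVED: Set[str] = {"ioc1", "ioc2", "ioc3", "ioc5", "ioc6", "ioc7"}


def coverage(feed: Set[str], observed: Set[str]) -> float:
    """Fraction of observed indicators this feed would have told you about."""
    return len(feed & observed) / len(observed) if observed else 0.0


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Overlap between two feeds: 1.0 means you are paying twice for the same data."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def unique_contribution(name: str, feeds: Dict[str, Set[str]] = FEEDS,
                        observed: Set[str] = OBSERVED) -> Set[str]:
    """Observed indicators that only this feed carries; empty means the feed is redundant."""
    others = set().union(*(f for n, f in feeds.items() if n != name))
    return (feeds[name] & observed) - others


def select_feeds(feeds: Dict[str, Set[str]], observed: Set[str],
                 max_feeds: int) -> Tuple[List[str], Set[str]]:
    """Greedy set cover: add the feed covering the most still-uncovered observed
    indicators until nothing more is gained or the budget is spent.
    Returns the chosen feeds and the observed indicators no chosen feed covers."""
    chosen: List[str] = []
    covered: Set[str] = set()
    while len(chosen) < max_feeds:
        best, best_gain = None, 0
        for name, indicators in sorted(feeds.items()):   # sorted for deterministic tie-breaks
            gain = len((indicators & observed) - covered)
            if gain > best_gain:
                best, best_gain = name, gain
        if best is None:
            break          # every remaining feed is pure redundancy or irrelevant
        chosen.append(best)
        covered |= feeds[best] & observed
    return chosen, observed - covered


if __name__ == "__main__":
    for name, indicators in FEEDS.items():
        print(f"{name}: coverage={coverage(indicators, OBSERVED):.2f} "
              f"unique={sorted(unique_contribution(name))}")
    print("A vs C overlap:", jaccard(FEEDS["feed-A"], FEEDS["feed-C"]))
    picked, gap = select_feeds(FEEDS, OBSERVED, max_feeds=3)
    print("selected:", picked, "still uncovered:", sorted(gap))
```

With this constructed data the selection stops after two feeds even though three were budgeted: feed-C adds nothing over feed-A, and feed-D covers nothing you have seen, so the remaining gap (ioc6, ioc7) is one that no candidate source closes and that you must knowingly accept or address with internal collection.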

Threat intelligence is a necessity for every organization, but it is not one-size-fits-all. It is one of the most customizable solutions and has many moving parts. Going in, you must thoroughly understand your company’s needs and real risks, some of which you will only discover once your threat intelligence solution is in effect, along with your organization’s real level of exposure. You also need to consider the maturity of your SOC team and your budget constraints.

Learn more about Bitdefender's Advanced Threat Intelligence solution.

 
