Threat intelligence enables organizations to fight back against looming cyber threats, it is the practice of collecting, processing and analyzing data in the hope of understanding a threat actor's motives, targets and attack behaviors. It is relatively easy to convey the importance of threat intelligence and how it benefits an organization, but the process of converting raw data into intelligence is much more complex. For instance, raw data collected through the use of tools and automation doesn’t equate to intelligence, only once this data has been collected, processed and analysed can it be used as actionable intelligence. This process is cyclical, as new questions and gaps in knowledge are identified, steps in the cycle may have to be revisited. The most effective threat intelligence procedures are iterative and improved and perfected over time.
Below is an outline of the six key stages in the cycle:
This stage involves planning out the goals, objectives and methodology for the process of collecting threat intelligence based on the requirements of key stakeholders involved. During this stage security teams may set out to explore who the attackers are, their respective motivations, what the possible attack surface may look like and what measures need to be taken to improve defenses against a potential attack.
Establishing the goal of threat intelligence is also a crucial aspect of this stage i.e. who will benefit from the intelligence gathered - will it be executive management or a team of analysts? There is no point providing executive management a technical report when they would be better suited to receive a broader overview to inform their decisions.
Having established the requirements of the Threat Intelligence exercise in the planning stage, the team can then set out to collect the data required to satisfy the objectives defined in the first stage. It is important that teams collect data from a wide range of sources including internal and external.
Once stage two is complete and raw data has been collected it then needs to be processed, this involves sorting and organizing it, which may include removing any false positives or redundancies. Essentially evaluating the data’s reliability and relevance before it can be analysed.
After data has been processed, the team during this stage conducts a complete analysis of the data to arrive at answers to the questions created in the planning stage of the life cycle. The main objective of this stage is to convert processed data into the context required for the intended audience i.e. valuable recommendations and action items.
During this fifth stage the threat intelligence team presents their analysis in a report format fit for the intended audience outlined in the planning stage. For example, if the audience is executive management, then the threat intelligence needs to be in a format that can be easily consumed i.e. no technical jargon and concise, to the point.
The final stage of the threat intelligence lifecycle involves getting feedback on the provided report to determine whether improvements need to be made for future threat intelligence activities. Stakeholders may have changes to their priorities or adjustments to how data should be disseminated or presented.
Does your company currently have any form of shared threat intelligence in place? If yes, awesome! If not, our expert team can help audit your systems and processes and establish cyber threat intelligence mechanisms to secure your business.