Cyberthreat intelligence (CTI) can be a powerful weapon for protecting an organization from cyberattack, enabling teams to understand both the threats they face and the tactics, techniques, and procedures of their adversaries.
Derek Fisher, executive director of product security at JPMorgan Chase & Co, recently wrote in his Securely Built newsletter about how security operations programs can leverage CTI. Experts also weighed in with key insights about CTI's value to SecOps teams.
Here are nine best practices for SecOps teams wanting to leverage CTI to bolster their defenses.
1. Understand your SecOps environment
To understand the ins and outs of your security ecosystem, start with an inventory of digital and network assets to determine potential targets for adversaries. Consider factors such as industry, business size, and risk tolerance. Knowing your environment will help you create context for your CTI program, Fisher said in his newsletter. You have to establish the why, he said. "How do you know if you even need, or can manage, incoming threat intelligence?"
"By understanding these factors, the organization can determine the types of threats it is most likely to face, and the level of threat intelligence needed to mitigate those risks effectively."
—Derek Fisher
Christopher Cullen, a vulnerability researcher in the CERT division of the Software Engineering Institute at Carnegie Mellon University, said that teams dealing with threat intelligence "need to know what products and third parties their organization uses so they can watch for vulnerabilities and discussions relevant to those vectors."
"People working in threat intel should have excellent awareness of their organization. This means they need to know assets, how they work, what tools they use, and the potential for attack that exists within them. This information can guide their threat intelligence analysis efforts."
—Christopher Cullen
Michael J. Mehlberg, CEO of the security company Dark Sky Technology, said that every organization and every application will face different threats, adding that context allows for a deeper understanding of the specific threats that are relevant to that specific organization or software package.
"With that deeper understanding comes better decision making and prioritized resource allocation. More informed equals better protection strategies."
—Michael J. Mehlberg
Ken Dunham, cyberthreat director in the threat research unit at the security firm Qualys, said context is critical for actionability when it comes to making decisions, "such as how exploitation may take place, how assets may or may not be at risk, and attack surface."
2. Define your goals and objectives for CTI
Fisher wrote that it is important to determine what you want to achieve with CTI. Do you want to improve your incident response times? Do you want to reduce risks to your organization? Goals can be pegged to performance indicators, such as mean time to detect incidents, mean time to respond, and reduction in incidents, he said.
Dunham said that great CTI programs focus on measurable outcomes, with clear strategic key performance indicators and supporting metrics.
"CTI programs must be specialized for each business unit to meet specific needs, as well as overall business risk needs. For instance, how CTI supports incident response is very different than that of the strategic needs of the board."
—Ken Dunham
Jeff Williams, co-founder and CTO of Contrast Security, said the simplest goal is to understand the broad metrics associated with who is attacking, what attack vectors are being used, and which systems are being targeted.
"This information is extremely useful but just a first step. Later, the details of attacks can be used to focus remediation efforts, as well as design systems that are resilient to real-world attacks, not theoretical models."
—Jeff Williams
3. Identify reliable sources of threat intelligence
Data can be collected from a number of sources, both external and internal. Fisher recommended first looking inward for threat intelligence. "Using internal data for cyberthreat intelligence involves analyzing an organization's own collected data, like network/application logs and incident response, to detect potential security threats," he wrote.
"For instance unusual increases in outbound traffic may indicate data exfiltration. Reviewing how past attacks were handled can also sharpen defenses against future threats. This method offers bespoke insights into an organization's specific vulnerabilities, allowing for more tailored defense strategies. However, relying solely on internal data may limit the scope of threat awareness to previously encountered or known issues."
—Derek Fisher
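The "unusual increases in outbound traffic" signal that Fisher gives as an example of internal threat intelligence is something a SecOps team can check mechanically. The following is an added illustration, not code from Fisher's newsletter or from any product named in this article: it takes constructed per-host daily outbound byte totals, builds a per-host baseline from the preceding days, and flags any day whose volume exceeds the baseline by a robust (median plus MAD) margin. The log format, host names, and thresholds are all assumptions chosen for the example.

```python
"""Flag unusual outbound volume per host from internal flow summaries.

Added example (not from the article): a median/MAD baseline is used because
a single exfiltration day would distort a mean/standard-deviation baseline.
"""
from collections import defaultdict
from statistics import median

# Constructed sample data: "date host bytes_out", one line per host per day.
# web-01 has a flat ~120 MB/day pattern and then a large jump on 03-06.
SAMPLE_LOG = """\
2024-03-01 web-01 120000000
2024-03-02 web-01 118000000
2024-03-03 web-01 125000000
2024-03-04 web-01 121000000
2024-03-05 web-01 119000000
2024-03-06 web-01 950000000
2024-03-01 db-02 30000000
2024-03-02 db-02 31000000
2024-03-03 db-02 29500000
2024-03-04 db-02 30200000
2024-03-05 db-02 30800000
2024-03-06 db-02 30100000
"""


def parse_log(text):
    """Parse 'date host bytes' lines into {host: [(date, bytes), ...]} in file order."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, host, raw_bytes = line.split()
        per_host[host].append((date, int(raw_bytes)))
    return per_host


def mad(values, center):
    """Median absolute deviation around a given center."""
    return median(abs(v - center) for v in values)


def find_outbound_spikes(per_host, min_history=3, factor=5.0):
    """Compare each day against the median of that host's earlier days.

    A day is flagged when bytes_out > median + factor * MAD. The MAD is floored
    at 1% of the median so that a perfectly flat history does not yield a zero
    threshold (which would flag any tiny fluctuation).
    """
    alerts = []
    for host, series in per_host.items():
        history = []
        for date, value in series:
            if len(history) >= min_history:
                base = median(history)
                spread = max(mad(history, base), 0.01 * base)
                threshold = base + factor * spread
                if value > threshold:
                    alerts.append({
                        "host": host,
                        "date": date,
                        "bytes_out": value,
                        "baseline": base,
                        "ratio": round(value / base, 1),
                    })
            history.append(value)  # today's value joins the baseline for later days
    return alerts


if __name__ == "__main__":
    for alert in find_outbound_spikes(parse_log(SAMPLE_LOG)):
        print(f"{alert['date']} {alert['host']}: {alert['bytes_out']} bytes out, "
              f"{alert['ratio']}x the baseline of {alert['baseline']:.0f}")
```

Only web-01 on 2024-03-06 is flagged (about 7.9 times its baseline); db-02's small day-to-day variation stays under the threshold. In practice the host's role from the asset inventory (step 1) would decide whether a spike is routine, such as a backup job, or worth an incident ticket, which is exactly the context Fisher and Cullen argue a CTI program needs.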
Other sources of threat intelligence include open-source intelligence — news websites, online forums, blogs, social media platforms, and the dark web — and threat data feeds provided by specialized security firms.
When choosing sources, it can be helpful to think of them as a series of concentric circles, starting with an application or API, then expanding, first to a business unit, company, industry, or sector and then to the world at large, Contrast Security's Williams said. "It's important to understand what's happening across all of these circles. Near the center, the data is specific but can't reveal larger trends. At the edge, the intel is generic but may help predict the big picture."
"Certainly, the source of the data is critical. You want data gathered directly from real-world environments with the highest degree of accuracy possible."
—Jeff Williams
Dark Sky's Mehlberg said that any threat intelligence used should come from credible and reliable sources with expertise in a field and a proven track record of providing accurate and timely information. Because an attacker will always take advantage of the smallest opening, "threat intelligence should be comprehensive, leveraging sources that provide a broad spectrum of information," he said.
4. Use standardized formats and frameworks
Standards and frameworks are important for a number of reasons, but the most practical is that they assist in breaking down the large amount of threat intelligence data that is out there, Carnegie Mellon's Cullen explained. Having a specific set of rules and functions to control data that comes in allows for filtering out noise, which enables defenders to focus on what matters to the organization, its goals, and its current problems.
"Intelligence initiatives tend to focus largely on how much data they can provide rather than the quality, which can result in having too much data and limited actionable information."
—Christopher Cullen
Standards and frameworks create a structured and iterative holistic approach to managing a threat intelligence program, Qualys's Dunham said. "They can help to remove ego and personality, instead focusing on process and baselining of operations to help teams be honest about where they are and where they can prioritize to mature operations," he said.
5. Customize alerts and reporting
Tailor your CTI alerts and reports to the needs of your organization's stakeholders. The intel provided to the stakeholders should contain actionable insights so informed decisions can be made about threats, Dark Sky's Mehlberg said.
"Threat data reported should be clear and specific. Nothing vague like 'vulnerability discovered.'"
—Michael J. Mehlberg
A clear and specific alert would be something like this: “You have a contributor in package ABC who is working for company XYZ, which is on a DoD Restricted Entities list, and therefore this package can’t be used on government systems.” That specificity gives stakeholders the ability to take action by removing the code written by this developer, replacing the package with another package that doesn’t have the issue, or getting a waiver from the relevant authorities.
6. Use CTI to prioritize action
CTI provides the ability to know whether there are vulnerabilities that require immediate attention. "One of the biggest challenges for most organizations is understanding where to focus their limited resources while managing the ever-growing backlog of security findings," Fisher wrote.
"While, of course, numbers vary widely, mid-size organizations can have thousands of vulnerabilities in their backlog when you include applications, OS, host, infrastructure, network, and cloud vulnerabilities. Consider that in 2023, over 26,000 vulnerabilities were published. 25% of vulnerabilities were immediately targeted for exploitation. Those numbers should [make] many of us in the cyber space sit up straight."
—Derek Fisher
However, Fisher pointed out that of the vulnerabilities identified, a tiny fraction (under 1%) presents the greatest risk. "What does that tell us?" he asked. "Possibly that we don’t need to drop everything when a new vulnerability comes out. Possibly that we don’t have to manage that full backlog."
Mehlberg said that CTI helps security teams identify which threats are potentially harmful, which vulnerabilities may be exploited next, and how the team should allocate resources to address the critical issues at hand. "It helps security teams identify and focus on threats that pose the most immediate risk to their systems."
Williams said that CTI adds data from real-world probes and attacks to make vulnerability rating and prioritization much more accurate. "Threat intelligence also adds real-world details to vulnerability reports, making them easier to understand and remediate for developers," he said.
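Fisher's point that only a tiny fraction of a large backlog carries most of the risk, and Williams's point that real-world attack data makes rating more accurate, can be made concrete with a small triage routine. The code below is an added example, not a method from Fisher, Williams, or any vendor in this article: it takes a constructed backlog of findings with scanner severity and asset exposure, overlays two hypothetical CTI signals (exploitation observed in the wild, and targeting seen in the organization's own sector), and splits the queue into an immediate tier and a scheduled tier. The vulnerability IDs are placeholders, not real CVEs, and the weights are assumptions.

```python
"""Prioritize a vulnerability backlog with CTI signals (added example).

Scanner severity alone would put the 9.8 finding first; overlaying
exploitation and sector-targeting intelligence reorders the queue so the
findings attackers are actually using come first.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # placeholder identifier, not a real CVE
    asset: str
    severity: float       # scanner base severity on a 0-10 scale (CVSS-like)
    internet_facing: bool


# Constructed backlog for the example.
BACKLOG = [
    Finding("VULN-0001", "build-server", 9.8, False),
    Finding("VULN-0002", "web-portal", 7.5, True),
    Finding("VULN-0003", "laptop-fleet", 5.3, False),
    Finding("VULN-0004", "vpn-gateway", 6.1, True),
    Finding("VULN-0005", "hr-app", 8.1, False),
    Finding("VULN-0006", "db-cluster", 9.1, False),
]

# Hypothetical CTI feed output: which placeholder IDs have been seen exploited
# in the wild, and which are being targeted in this organization's sector.
EXPLOITED_IN_WILD = {"VULN-0002", "VULN-0004"}
SECTOR_TARGETED = {"VULN-0004", "VULN-0005"}

# Assumed weights: exploitation evidence outweighs any severity difference,
# sector targeting and exposure add smaller bumps.
W_EXPLOITED = 6.0
W_SECTOR = 3.0
W_EXPOSED = 2.0


def priority_score(finding, exploited, sector_targeted):
    """Severity plus additive CTI and exposure bonuses, rounded to one decimal."""
    score = finding.severity
    if finding.vuln_id in exploited:
        score += W_EXPLOITED
    if finding.vuln_id in sector_targeted:
        score += W_SECTOR
    if finding.internet_facing:
        score += W_EXPOSED
    return round(score, 1)


def triage(backlog, exploited, sector_targeted):
    """Return (immediate, scheduled): two lists of (finding, score), each sorted
    by descending score. Anything with exploitation evidence is immediate; the
    rest is scheduled through normal vulnerability management."""
    scored = [(f, priority_score(f, exploited, sector_targeted)) for f in backlog]
    scored.sort(key=lambda pair: (-pair[1], pair[0].vuln_id))
    immediate = [p for p in scored if p[0].vuln_id in exploited]
    scheduled = [p for p in scored if p[0].vuln_id not in exploited]
    return immediate, scheduled


if __name__ == "__main__":
    now, later = triage(BACKLOG, EXPLOITED_IN_WILD, SECTOR_TARGETED)
    print("Immediate:")
    for f, s in now:
        print(f"  {f.vuln_id} on {f.asset} (severity {f.severity}) -> score {s}")
    print("Scheduled:")
    for f, s in later:
        print(f"  {f.vuln_id} on {f.asset} (severity {f.severity}) -> score {s}")
```

With these inputs the immediate tier is VULN-0004 (severity 6.1, exploited, sector-targeted, internet-facing) followed by VULN-0002, while the 9.8-rated VULN-0001 drops into the scheduled tier behind VULN-0005. That is the behaviour Fisher describes: the backlog is not abandoned, but the team no longer has to drop everything for every new high-severity entry.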
7. Choose your CTI tools carefully
Once an organization's CTI needs have been identified, it should deploy appropriate threat intelligence tools and services to gather, analyze, and utilize threat intelligence, Fisher noted.
"The chosen tools should integrate seamlessly with existing security tools, processes, and people while providing actionable intelligence that aligns with the organization's objectives. More importantly, the data exchange needs to be in a common format for ease of ingestion."
—Derek Fisher
Security teams should consider the comprehensiveness of the CTI tool and the data it offers, Mehlberg said. Does it collect vulnerabilities from multiple independent databases? Does it understand when a software component or dependency has malicious code? Does it uncover untrustworthy contributors, legal issues, and maintainability problems? "It should be drop-dead easy to use. Security teams should be able to consume the threat intelligence via any means necessary, be they through a UI or a backend API," Mehlberg said.
Cullen said that choosing CTI tools depends largely on the size of the organization and the context of its service, but he noted that "tools that allow for granularity and access into the actual postings and discussions of threat actors are very valuable."
"Tools that can also provide pivot points — such as files and other indicators of compromise — for analysis within secure environments can also contribute in the creation of rules or other security measures that can proactively protect an organization."
—Christopher Cullen
Ali Khan, field CISO at ReversingLabs, said one of the biggest gaps in CTI programs involves quality assurance functions. Ensuring the quality of the data is key when you have multiple vendor systems, feeds, and processing layers, he said.
"The best programs go and ensure they have the highest quality of intelligence curated at the top of the funnel as multiple systems and layers can easily have you lose datasets that can drive actionable playbooks."
—Ali Khan
8. Continuously improve and monitor your CTI processes
Fisher said that organizations must adapt their CTI processes according to the changes in the threat landscape and organization. If an organization moves into a new vertical, its CTI needs will change. The organization should regularly review its threat intelligence processes, incorporating feedback from stakeholders and lessons learned from past incidents. This may involve updating tools and technologies, refining analysis methodologies, and enhancing collaboration with external partners and information-sharing networks.
Cybersecurity changes constantly, Cullen noted, and threat actors tend to adapt more quickly than their legitimate counterparts, as seen with the explosion of businesslike ransomware gangs.
"These characteristics speak to the importance of ensuring that threat intelligence programs change and adapt along with the threat actors. This includes rotating sources, cutting data points that aren’t active, and reviewing ways that gathered information is analyzed."
—Christopher Cullen
Williams said CTI is like the network of sources used by police departments to fight crime. "Sources come and go. Technologies come and go. And types of crime rise and fall. You need to constantly monitor your program to ensure that you're getting the best possible intelligence and use it to make strategic moves to counter the bad guys."
9. Achieve cybersecurity awareness and proficiency through training
Fisher wrote that a culture of cybersecurity awareness and proficiency isn’t just for keeping users from clicking on phishing links. "It is also critical for the successful implementation of threat intelligence," he wrote. "Organizations should provide training to their security personnel on threat intelligence methodologies, tools, and best practices, and how it’s used in the organization. This training should be tailored to the roles and responsibilities of different team members, ensuring that they have the knowledge and skills needed to effectively leverage threat intelligence in their daily activities."
Mehlberg said that it’s easy to panic when a threat is exploited that affects your software and company. Training helps keep everyone calm, effective, and directed during a threat event, he said. "Additionally, training helps ensure personnel are skilled in the latest tools and techniques for detecting threats so that they utilize them effectively and — hopefully — prevent those threats from being exploited in the first place."
Qualys's Dunham said the field of CTI is niche and often requires years of experience to master.
"Training coupled with on-the-job mentoring and partnering are critical at developing trust and talent within a CTI team. Training of other business units is also critical so they can understand the roles and responsibilities of CTI, how they are different, and how to speak each other’s languages, bridging gaps across BUs, personalities, and cultures."
—Ken Dunham
Get smart with threat intelligence
Following best practices can help security teams effectively use CTI to boost an organization's security posture and incident response times. Remember that CTI is about making informed decisions and understanding what's most important to your organization.
The use of CTI in the overall management of vulnerabilities, for example, allows for the organization to focus on actionable, exploitable, and looming threats, Fisher explained. However, he warned, "It is not designed to replace generic vulnerability management, but rather enhance and provide focus and priority for already overworked security teams."
Fiscal constraints within an organization often entice leadership to short-change threat intelligence. Mehlberg has a warning for such shortsighted thinking:
"If you haven’t been hacked before, you may feel a sense of invulnerability, thinking, 'It’s not likely to happen to us.' It’s also easy to think that some hacked software will be easy to clean up and ultimately cheaper than spending money on a threat intelligence program. Time and time again, all of these assumptions have proven false, but they persist, nevertheless."
ReversingLabs' Khan said investing in best-of-breed CTI tools is key to organizations seeing a clear benefit.
"You can get leadership on board more easily if you address the value of CTI in terms of how it can best be leveraged, while also being able to note that it will not cause more problems for the security team than it solves because you have invested in quality assurance processes for it as well."
—Ali Khan