As we noted in our first blog discussing Gartner’s recent Market Guide for Security Threat Intelligence Products and Services, organizations tend to underrate their ability to capture and leverage the Threat Intelligence (TI) they create internally today. Leveraging this intelligence is often a great place to start to build a competent internal TI capability.
Much like a good attack strategy, a good TI strategy often involves finding a viable beachhead and expanding from there. The good news is that once a beachhead is established, there are numerous ways to expand expertise and scale operational reach. The use of third-party TI services can be a particularly cost-effective way to enhance existing capabilities whether those capabilities are nascent or more fully formed.
A Typical Beachhead
Internal security teams working with a threat intelligence platform can quickly organize feeds into a single stream of threat intelligence. These feeds are typically correlated with internal telemetry, such as firewall and DNS logs, to identify potential attacks. This is often done through integration with a security information and event management (SIEM) platform.
Baseline threat intelligence often revolves around identifying, processing and sharing Indicators of Compromise (IoCs), the static pieces of information that identify the properties of a given threat, such as IP addresses, domain names, cryptographic hashes, email addresses, etc. IoCs can be used to reconstruct attacks and to identify threat actors, but this can be a labor-intensive process. To reduce this burden, TI needs to continually move toward greater automation, integration and interoperability.
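The correlation step described above, as an added sketch that is not part of the original post or any vendor's product: two feeds are refanged and merged into one de-duplicated stream, then matched against DNS and firewall log lines. The feed contents, log formats and function names are all constructed assumptions.

```python
import ipaddress
import re
# Constructed sample data (documentation IP ranges, reserved .example names); not real IoCs.
FEED_A = ["198.51.100.23", "bad-updates[.]example", "hxxp://cdn.evil.example/payload"]
FEED_B = ["BAD-UPDATES.example.", "203.0.113.0/28", "198.51.100.23"]
DNS_LOG = [
    "2020-06-01T10:00:01Z client=10.0.0.5 query=www.example.org type=A",
    "2020-06-01T10:00:07Z client=10.0.0.9 query=login.bad-updates.example type=A",
]
FW_LOG = [
    "2020-06-01T10:01:12Z ALLOW src=10.0.0.9 dst=203.0.113.7 dport=443",
    "2020-06-01T10:01:15Z ALLOW src=10.0.0.5 dst=192.0.2.80 dport=443",
]

def normalize(raw):
    """Refang and classify one indicator as ('net', network) or ('domain', name)."""
    s = raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if "://" in s:  # URL indicator: keep only the host part
        s = s.split("://", 1)[1].split("/")[0]
    try:
        return "net", ipaddress.ip_network(s, strict=False)
    except ValueError:
        return "domain", s.rstrip(".")

def merge_feeds(*feeds):
    """One de-duplicated stream: indicator -> set of feed indexes that reported it."""
    stream = {}
    for idx, feed in enumerate(feeds):
        for raw in feed:
            stream.setdefault(normalize(raw), set()).add(idx)
    return stream

def correlate(stream, dns_log, fw_log):
    """Return (log line, indicator) pairs; a DNS query also matches its parent domains."""
    nets = [v for k, v in stream if k == "net"]
    domains = {v for k, v in stream if k == "domain"}
    hits = []
    for line in dns_log:
        labels = re.search(r"query=(\S+)", line).group(1).lower().rstrip(".").split(".")
        parents = (".".join(labels[i:]) for i in range(len(labels)))
        hits += [(line, p) for p in parents if p in domains][:1]
    for line in fw_log:
        dst = ipaddress.ip_address(re.search(r"dst=(\S+)", line).group(1))
        hits += [(line, str(n)) for n in nets if dst in n]
    return hits

if __name__ == "__main__":
    for line, ioc in correlate(merge_feeds(FEED_A, FEED_B), DNS_LOG, FW_LOG):
        print(f"{ioc:22} {line}")
```

The set of feed indexes kept per indicator shows which sources agree, which is useful when weighting a hit before it is forwarded to the SIEM.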
Third-party TI services can be especially useful in quickly bringing context to internal and open source TI feeds, thereby accelerating time to resolution. Services should be considered when internal teams are short on a particular expertise, lack visibility into a specific attack or threat actor, or simply need to surge resources. Threat Intelligence Analyst Augmentation services can bridge numerous intelligence gaps that internal security teams face in the short and long term.
TI Augmentation Services
Organizations might require TI services to augment standard capabilities because their median time to response (MTTR) for cyber threats needs improvement. Third-party services should be used to extend the organization's efforts with specific expertise, for example domain intelligence, file analysis, compromised credentials, or open source intelligence (OSINT).
Organizations might need help to handle surge events because they are recovering from an attack and resources are spread thin. An organization might just feel newly exposed. For example, it might be enjoying increased market leadership or notoriety, which could lead to more attention from attackers.
Or more generally, an organization’s industry or geographic region might be seeing a spike in cyber activity. Many service providers focus on specific industry trends and threats and have broad visibility into the current threat landscape. They can be effective at identifying emerging threats and adversaries. Finally, third-party teams are often viewed as neutral actors, and can be very effective in communicating risks and threats to executives and stakeholders.
Keeping it Timely and Relevant
Internal TI should be augmented as needed to ensure relevant and timely response to all serious threats. Augmented TI can add the context required to determine the who, what, why, when, where, and how of attacks. The answers to these questions are often interrelated and connected. If you know who is attacking your infrastructure, and from where, you will often have a better understanding of their motivation (the why). What is being attacked, or is potentially vulnerable, as a result of a beachhead being found? This leads to the how, which requires knowledge of an attacker’s tactics, techniques, and procedures (TTPs) and a correlation to existing indicators of compromise (IoCs).
Because of these interrelationships, even small amounts of relevant new information can create a positive, cascading effect on understanding. For this reason, the use of fractional analysts can be a very cost-effective strategy.
To learn more:
Download the Gartner 2020 Market Guide
Read the previous blog in this series, “Understanding the Threat Intelligence Market.”