After reading the title, your first question might be “what is threat intelligence?” Thankfully, the term is pretty self-explanatory. Like a digital agent, threat intelligence procedures and tools are aimed at gathering relevant information. Whether you are trying to prevent a cyber attack or deal with one that has already occurred, accurate and up-to-date information will always be a must. Let’s talk a little bit more about cyber threat intelligence and how it can help you.
How Does Threat Intelligence Work?
In most cases, threat intelligence programs will make use of machine learning to identify and evaluate suspicious activity. It is important to understand the difference between machine learning and AI because they are not the same thing at all. However, they are related in some ways. While machine learning simply evaluates data and recognizes patterns, an AI is capable of independent thought and/or action. While machine learning is the basis of AI, full-blown artificial intelligence is not necessary for this purpose.
The Three Types Of Threat Intelligence
Like a good spy, your threat intelligence program should not give you irrelevant information. Imagine if you were the leader of the CIA, for instance, and someone came to you with football scores or grocery lists. Needless to say, you would probably begin looking for some better agents. The information that is given should fall into one of these three categories:
Strategic information tends to be broad and encompassing. This information doesn’t tend to focus very much on the details, as it is not necessarily intended for an expert audience. Broad strategic concepts can be understood by anyone, so they are the backbone of any strategic information presentation. This might also be described as “decision-making information” because its primary purpose is to aid in the formulation of an overall counter-strategy.
Tactical information is also aptly named, as it is aimed at understanding the tactics of the enemy. There are a number of major wars that have been won through the use of codebreaking, and that provides us with a good lesson. When you can understand what your adversary is doing, they become much easier to counter. This is often done by analyzing the malware with which the attack was performed.
Operational information is even more specific. It is focused completely on practice rather than theory. For instance, if you take the time to understand the nature of a phishing attack, that would be tactical information. However, if you then start looking at specific examples of known attacks (i.e., specific operations), then you are looking at operational information.
The Threat Intelligence Life Cycle
None of this will be of any benefit unless you can translate it into viable plans. You can gather a lot of raw data in the form of logs, but it needs to be processed into an organized intelligence package. The threat intelligence life cycle is the standard six-step process by which this is done.
1. The Planning Stage
This will probably consist of a meeting with all concerned parties. This would include managers, stakeholders, and any security firms that might have been contracted. When responding to an attack that has already occurred, the top priorities are obvious:
- Figure out the method of attack
- Figure out the origin of the attack (if possible)
- Figure out how to close that security hole and prevent future attacks
When dealing with an attack that has not occurred, the focus should be upon the primary concerns of all involved. Goals might include:
- Identifying all known security “holes”
- Prioritizing all data in tiers of importance/sensitivity
- Designing a cohesive and regular data backup plan
- Implementation of special security measures (sandboxes, honeypots, etc.)
2. Evidence Collection
Once the goals and concerns have been made known, it is time to gather the information that is needed. Internal data will include logs, response reports, and other such things. External data might include incident reports, statistics, or technical information of all sorts. If you already installed network security monitoring software, it will definitely earn its keep here.
3. Processing The Evidence
At this stage, the evidence collected in step two will be processed into a cohesive and readable form. For instance, if you have any foreign-language sources, they will have to be translated. You will also want to categorize your information for easier perusing and sort everything in terms of importance. The various network logs collected from your network security monitoring tools might be quite expansive, so you might want to use an automated SIEM program to save some time.
This is the simplest step, but not necessarily the easiest. Here, you will take the processed information and analyze it thoroughly. The key is to take the data and its correlations and use it to create actionable plans. Nobody is interested in hearing all the technical details of the problem…they simply want it to be fixed.
This is the point when you take the processed data, pair it with your plan of action from step four, and present the finished product to the client. At this point, everyone who needs to see the results will have a chance to do so.
Once the report and recommendations have been given to the relevant parties, you should definitely follow up with them before long. They will be able to give you a lot of useful feedback regarding your services and the results that they obtained.
If you would like to learn more about threat intelligence (or if you are simply looking for some good local managed IT services), you can call PCH Technologies at (856) 754-7500. We have guided many of our customers through the threat intelligence process and you will find that our results are second to none