TAXIIing to the Runway

Common challenges in starting a threat intelligence program

Once considered a “nice to have”, threat intelligence is now increasingly seen as an critical part of security programs. In the 2016 Value of Threat Intelligence: Ponemon Study, 78 percent of respondents polled agreed that threat intelligence was essential to a strong security posture. From that same Ponemon Study, 70 percent of respondents also stated that threat intelligence is often too voluminous or complex to provide actionable information. Why then, if threat intelligence is so challenging, are threat intelligence programs still worthwhile for organizations to develop? Regardless of the size or bandwidth of your organization, threat intelligence can provide value through:

  • Improved visibility and situational awareness
  • Increased response efficiency
  • A method to identify malicious activity that other technologies may have missed

With those advantages in mind, we’ll explain some of the key aspects of managing threat intelligence so you can take your threat intelligence program from TAXII to takeoff.

Collecting Information
First and foremost, you’ll need to gather information. Think of this as boarding passengers on a plane- it’s not a particularly useful flight if there isn’t a complete retinue of passengers. The most common way to get these “passengers” is to start collecting data from open source threat intelligence feeds, which provide information on a broad range of topics. It’s important to note though that not all of these feeds will be relevant to your organization, and pulling information from as many as possible might result in too much information. This may seem counterintuitive — more information means better security coverage, right? Unfortunately, having all of this information is no guarantee that it will be usable. Other issues such as duplicate data, lack of context and a high number of false positives further complicate the data collection process. Just as you wouldn’t want duplicate reservations, an overbooked flight, or no-shows, you wouldn’t want incorrect or ultimately useless data. There are some ways to make this data more usable and integrate it into an analyst workflow, such as adding context.

Adding Context
Adding context where there is little or none is perhaps the most important next step in getting your threat intelligence program away from the gate and onto the runway. It’s simple enough to know that a flight needs to takeoff, but you’ll need more information from air traffic control to relay which runway to use or when to leave. Similarly, knowing that an IP is reportedly malicious is beneficial but not as actionable as knowing who or what else that IP is associated with. Luckily, there are numerous free or paid websites available that can provide additional context, such as SHODAN, VirusTotal, Malwr, IPVoid, threatminer, DomainTools, and more. The only drawback to these tools is that using them separately for every piece of data is not particularly efficient. Analysts must spend a significant amount of time copying, pasting and collecting from many different resources. The solution is to find ways to integrate these enhancements to your data in an automated fashion. This can be done with APIs, product integrations, or specific tools designed to aid in this area such as Anomali ThreatStream.

Managing Intelligence
There are also numerous free and open source resources available to help collect and manage gathered intelligence, such as CIF, CRITS, MISP, YETI, STAXX, Cuckoo and the Modern HoneyNet. These tools are highly beneficial in regard to price, community support, plugins and tool integrations. They’re not without their own challenges though — users must self-support and self-maintain these platforms in their environments, integrations and plugins sometimes go dormant or require additional effort to maintain and support, and while they can certainly help manage and curate intelligence, they won’t address all the key challenges in making intelligence data actionable in an environment. Free tools like STAXX are more comprehensive in speeding adoption and increasing value of gathered threat intelligence, although like the other tools mentioned it lacks the features of bigger commercial products. Your mileage may vary depending on your intelligence needs, what you are trying to get out from threat intelligence, and available internal resources you have to provide support and maintenance for these platforms.

Training Analysts
Another important step in getting your threat intelligence program to takeoff is to get your analyst(s), the pilots of threat intelligence programs, up to speed. This can be done via training on threat intelligence principles and involving personnel in daily intelligence generation and analysis. This isn’t to say that you need a full-time analyst on staff straight away (although the same can’t be said for an actual flight). The threat intelligence function may simply be a special function within the SOC or an Incident Response team or it could exist as its own separate function.

Airline analogies aside, starting off a threat intelligence program can be relatively straightforward if you know what resources to use and what potential drawbacks to watch out for. Start by collecting information on observed attacks and add in contextual details where possible. This point can be stated strongly enough. Threat feeds in themselves are not intelligence. Understanding your own environment, the attacks you see, and extrapolating meaning from the data available regarding those attacks is an awesome start to standing up a functional threat intelligence program in your organization. As you add in data from threat intelligence feeds and other sources make sure to curate them for bad data or irrelevant information. Remember also that not everything will be relevant to your organization. Try leveraging tools such as Anomali STAXX to help sort and manage gathered data — it’s free and possesses many capabilities of a commercial Threat Intelligence Platform (TIP), although it lacks the more robust features that are useful for fully operationalizing threat intelligence. Also, be sure to invest in training analysts with books, webinars, online videos, training and more to ensure that they can be as effective as possible. And, to toss one last analogy in, like the safety briefing at the beginning of a flight we hope that this has given you some useful information to advance your threat intelligence program to takeoff.