There is a scene in HBO's adaptation of Game of Thrones where a character counsels the king to dismiss the rising power of one of his rivals because "curiosities on the far side of the world" are no threat. A season later, that rival has three dragons and an army under her control.
In my travels and meetings with 400 CISOs a year, I find there is much confusion around threat intelligence. Many that need it do not have the foundational elements and maturity to consume the information to make it actionable. It's critical to know what intelligence is, what kind you need, and how to build the organization to consume it.
Understanding the nature of the threats to your enterprise may not involve swords and dragons, but one mistake can have dire consequences. It is for this reason the words "threat intelligence" have become associated with a growing number of security products and services.
The overuse of this term by vendors has caused its share of confusion in the marketplace. What is certain, however, is that identifying threat intelligence that is relevant to your business and applying it correctly can help you strengthen the security of your IT network.
So, let's start at the beginning and try to define some basics.
For starters, threat intelligence can be divided into three buckets: informational, reactive and predictive.
Informational threat intelligence includes data such as software vulnerabilities and threat indicators, for example blacklists of IP addresses associated with criminal activity. It also includes information regarding the 'who' and the 'how' of threat groups: what vulnerabilities they are targeting and who they are.
Reactive threat intelligence includes targeted intel such as what adversaries are after and reports that your passwords or intellectual property have made their way online.
The final bucket, predictive threat intelligence, is reserved for information that can be used to forecast malicious activity, such as online posts discussing upcoming attacks and what types of intellectual property may be targeted.
The data filling these buckets can come from a variety of sources. For example, industry groups such as the National Health Information Sharing and Analysis Center (NH-ISAC) can be good sources of information about cybersecurity issues affecting the healthcare field. Information about attacks or groups targeting specific types of organizations can also be purchased from commercial vendors or gleaned from publicly accessible data feeds.
Some of the most critical information, however, comes from within your enterprise.
Without knowing what constitutes normal user activity, spotting anomalous behavior becomes impossible. Local threat intelligence can come from data gleaned during the investigation of an incident. In the aftermath of a breach, your organization's monitoring tools hold information that can be used to better understand how the attackers targeting your company operate. Likewise, any malware caught on the network can be analyzed to help prevent future attacks.
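The two ideas above, an external indicator list (informational intelligence) and a locally learned picture of normal user activity, are easiest to see side by side in code. The following is an added example, not code from the original article: it builds a per-user baseline of source IPs and login hours from a short run of constructed authentication log lines, then flags later logins that hit a (constructed) IP blocklist, come from a user with no baseline, use a source IP the user has never used, or arrive at an hour the user has never logged in. The log format, the blocklist and the cutoff date are all assumptions made for the example.

```python
"""Baseline-plus-indicators detection over constructed authentication logs.

Added example: combines an external IP blocklist (informational threat intel)
with a locally learned baseline of normal user logins (local threat intel)
to flag anomalous activity. All data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed indicator feed: addresses a hypothetical feed associates with
# criminal activity (documentation ranges, not real infrastructure).
BLOCKLIST = {"203.0.113.7", "198.51.100.23"}

# Constructed log lines: "<timestamp> <user> <source ip> <result>".
# Days 1-3 are the learning period; day 4 is what we evaluate.
SAMPLE_LOG = """\
2024-03-01T09:02:11Z alice 192.0.2.10 success
2024-03-01T09:15:40Z bob 192.0.2.22 success
2024-03-02T08:58:03Z alice 192.0.2.10 success
2024-03-02T10:07:19Z bob 192.0.2.22 success
2024-03-03T09:11:55Z alice 192.0.2.11 success
2024-03-04T09:05:02Z alice 192.0.2.10 success
2024-03-04T03:17:48Z bob 192.0.2.22 success
2024-03-04T09:40:09Z alice 203.0.113.7 success
2024-03-04T12:01:30Z carol 198.51.100.23 failure
"""

# Events before this instant train the baseline; events at or after it are scored.
CUTOFF = datetime(2024, 3, 4, tzinfo=timezone.utc)


def parse_log(text):
    """Turn raw log text into a list of event dicts with aware UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "user": user, "ip": ip, "result": result})
    return events


def build_baseline(events, cutoff):
    """Learn, per user, the source IPs and login hours seen in successful
    logins before the cutoff. This is the 'what is normal' picture."""
    baseline = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ev in events:
        if ev["time"] < cutoff and ev["result"] == "success":
            baseline[ev["user"]]["ips"].add(ev["ip"])
            baseline[ev["user"]]["hours"].add(ev["time"].hour)
    return dict(baseline)


def detect(events, baseline, blocklist, cutoff):
    """Score events at or after the cutoff against the blocklist and the
    baseline; return only the events that triggered at least one reason."""
    findings = []
    for ev in events:
        if ev["time"] < cutoff:
            continue
        reasons = []
        if ev["ip"] in blocklist:            # external indicator match
            reasons.append("blocklisted_ip")
        profile = baseline.get(ev["user"])
        if profile is None:                  # no history at all for this user
            reasons.append("unknown_user")
        else:
            if ev["ip"] not in profile["ips"]:
                reasons.append("new_source_ip")
            if ev["time"].hour not in profile["hours"]:
                reasons.append("unusual_hour")
        if reasons:
            findings.append({"time": ev["time"].isoformat(), "user": ev["user"],
                             "ip": ev["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    base = build_baseline(evts, CUTOFF)
    for f in detect(evts, base, BLOCKLIST, CUTOFF):
        print(f["time"], f["user"], f["ip"], ", ".join(f["reasons"]))
```

Note what the output shows: alice's normal 09:05 login from a known address produces nothing, while the same user from a blocklisted address is flagged twice (indicator hit and never-seen IP). The second finding would still fire with no blocklist at all, which is the point of the article's remark that the most critical intelligence comes from inside the enterprise.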