Posted on Jan 11, 2021
In any adversarial engagement, whether military, business, sport, or information security, it’s essential to identify opponents and their objectives, and to evaluate their methods, strengths, and weaknesses. The same rule applies to cybersecurity professionals, who need to spot malicious actors, understand their techniques, and predict adverse events.
With digital attack surfaces increasing in both size and complexity, it’s more important than ever for security teams to direct their efforts and resources toward the issues that have the greatest impact on their security posture. Using well-curated threat intelligence, security teams can take proactive steps to reduce the number of security incidents that occur, and gain a better understanding of emerging threats and cyber risk trends.
Because new threats and security gaps continually arise over time, the process of creating actionable threat intelligence is an ongoing lifecycle, consisting of the six stages outlined below.
The threat intelligence lifecycle begins with establishing and prioritizing which assets and business processes need to be protected, and understanding the consequences of their becoming compromised. During this stage, which is often guided by the Chief Information Security Officer (CISO), security teams must also determine what information they need to meet their goals and address the specific challenges they face.
To do so effectively, the right questions need to be asked:
Once critical assets requiring protection have been established, data types and sources of information on what poses a threat to those assets must be identified. In addition to commonly collected forms of threat data, ie. malicious IP’s and domains, vulnerability data such as personally identifiable information (PII) and information from news and social media sources can be considered.
The raw data needed to address the requirements outlined in stage one can be sourced from a variety of both internal and external sources:
Following collection, raw threat data needs to be organized and cleansed to eliminate false positives and redundancies, and to be translated into a usable format. Data processing can also include decryption, sorting by accuracy and relevance, and translation from foreign languages.
Even organizations with smaller digital footprints collect far too much data—hundreds of thousands of indicators on a daily basis—for humans to manually process, making automation particularly important to this time-consuming phase of the intelligence lifecycle.
The main objective of this stage is to identify potential security issues and develop actionable insights based on the needs outlined in the direction phase. Data is packaged into reports and assessments to be consumed by decision makers. Often taking the form of Powerpoint presentations, memos, threat lists, or live feeds, threat intelligence is curated to inform decisions such as whether or not to examine a potential threat, bolster security controls, or adjust the deployment of resources. Analysis is where, through contextualization, information becomes intelligence.
Most organizations have numerous teams that rely on cyber threat intelligence to manage enterprise risk. The specific operational needs and level of expertise of each team need to be considered when determining the most understandable and actionable means of relaying intelligence. While security teams tend to be most concerned with technical information such as malware findings and high-risk IP addresses, executive teams want to understand how cyber threats impact business risk, liability, and profit.
Tools like security ratings platforms deliver information in a format, and on a timeline that suits multiple end users. Technical teams can access up-to-the-minute data feeds to help carry out their day-to-day tasks, while security leaders can pull high-level board summary reports in moments for periodic meetings with the board of directors.
This phase is closely related to the initial direction phase, as it gives end users an opportunity to guide the following intelligence cycle. Ongoing feedback from all teams ensures that their intelligence needs are being met, and allows security leaders to make adjustments in response to shifting priorities. Periodic team surveys should be supplemented with an ongoing channel of communication via internal collaboration platforms. The goal is to constantly refine the intelligence gathering process, so that relevant and accurate information can be delivered to those who need it as quickly as possible.
SecurityScorecard gives organizations access to the world’s most comprehensive source of cybersecurity data. Our proprietary search engine non-intrusively gathers and analyzes a wide range of threat signals from a battery of honeypots and sinkholes, as well as over 1.3 million companies and millions of public-facing assets. With advanced machine learning algorithms, we reliably predict risk via optimally-tuned factor weights that let you know which vulnerabilities are most critical, precisely attribute our findings, and calculate a meaningful, universally-understood A-F Security Rating.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.