In the second part, we will take the discussion forward from where we left in the first part. Earlier, we have discussed the basics of threat intelligence and its types. In this post, we will discuss various considerations while building a threat intelligence plan.
How to build a threat intelligence program?
For a threat intelligence plan to be effective, it must be focussed on the requirements of an organization along with clearly defined questions which this plan must answer. In addition, the experts who can actually act on the information collected must be hired. They must be supported by the required financial backing and resources. For example, there is no use of collecting hash values if there are no personnel who are capable of using those values on its networks or connected hosts for searching binaries.
After requirements are clearly laid down, the focus should be on the identification of sources from where actionable intelligence can be gathered and analysed to suit the needs.
How not to build a threat intelligence program?
Many threat intelligence programs fail as the decision to have a plan in the very first plan was taken by the top management on basis of peer interaction, online resources, or when a vendor was pitching its products. The said decision was not based on a requirement-driven approach, instead, it was based on perceived need. Or in other words,
We are not familiar with a Threat Intelligence plan and how it can help our business, but we simply know we need it.
Full-fledged or Implied?
The ideal way to approach a threat intelligence program is to put a dedicated team in place with the members working full-time to achieve the objectives along with allocating sufficient budget for hardware and software. This way of operation can be considered as a full-fledged approach.
On the other hand, there are organizations who have been impliedly using threat intelligence effectively but they are not even aware of such events. This approach is generally found in small and medium-sized businesses. The implied existence of threat intelligence can be found with instances such as –
- The internal security team members attend security conferences regularly and modify the security posture on the basis of information gathered during the conference.
- A team member reads about a malware outbreak and immediately makes changes in the organizational security policies with the help of team lead to defend against the outbreak.
Organizations currently having the second approach must encourage their employees as they are taking initiatives without having a dedicated threat intelligence plan. In these organizations, the employees are deciding requirements on the basis of awareness and knowledge about the existing threats, collecting information about the threats and mitigation procedure via social media posts, blogs, white papers, security forums, etc., analysing and acting on the basis of information collected by taking steps such as applying patches and changing firewall rules.
The Principle of Sharing
Whoever said this statement – Sharing is caring – applies in its entirety in the context of threat intelligence programs. When you are building a threat intelligence program from scratch, it is important to take aid from other organizations having well-established programs. Simultaneously, a channel must be established to mutually share threat intelligence so that its benefits are reaped by all the participating organizations.
Sharing threat intelligence can be actually useful for organizations in the same sector as attacks are often targeted at the particular industry at times. The onus also lies on the nation states to support and fund threat intelligence communities so that organizations across the country can be united and the costs incurred by the attackers increases drastically with a minimum return on investment. To ensure that the shared information is not misused, closed groups should be created with each organization nominating trusted personnel to represent itself in the group.