September 12, 2016 - Joe Franscella

Best Practices for Threat Intelligence Management

<p>Threat intelligence management is the culmination of a broad scope of practices which are all means to the same end. The objective of threat intelligence management is to get a comprehensive and accurate understanding of active and potential cyber-security events. During your assessment, all manner of traffic and other intel sources should be addressed together.</p>
<p>Begin with a thorough assessment of assets. Digital assets include your proprietary information, business outlook forecasts, financial information, etc. Are they centrally located or housed on separate servers? If web functionality and the ability to perform e-commerce are something on which you rely, try to estimate their exact value. Assets critical to your operation will naturally be at the top of the list and prioritized. Other concepts such as credit rating, insurance liability, and consumer confidence should be sized up and included among potential losses.</p>
<p>Next, perform due diligence to discover weaknesses and liabilities. This refers to actual gaps in the network security or disconnects between the server and cloud, as well as personnel vulnerabilities. Using a white hat hacker to test your security can be a valuable research exercise. Ethical hacking is a growing industry. Employees or subcontractors affiliated with white-hat organizations will test your network. Some companies will <a href="http://www.theatlantic.com/technology/archive/2015/12/white-hat-ethical-hacking-cybersecurity/419355/" target="_blank">pay from $50 up to $20K for a single flaw</a>. These skilled consultants will test the ports and firewalls, etc. They will also probe for insider threats - weak-link employees who inadvertently or overtly compromise your network.</p>
<p>This knowledge transfer may require information flow models. IT security specialists cannot do their best work if all of the salient <a href="http://insights.som.yale.edu/insights/can-you-work-without-silos" target="_blank">details about threats are confined to informational “silos”</a> in other departments such as risk management and human resources. Committees for sharing information about threats must be created with great care.</p>
<p>Address the human element of threat intelligence management by looking for “analog signals” which forewarn trouble. Using a formal insider threat awareness program requires a task force that includes members of HR, legal, and physical security. Insiders can inadvertently invite trouble if they fail to perform due diligence. An employee who routinely falls for phishing is a potential disaster that should be communicated. Early signs of an insider threat may require communication among departments which do not typically share information about employees. Train management to recognize, at hiring and throughout employment, the signs of a mole or of an employee disgruntled enough to become a threat. A malicious insider may be identified in time if you look out for conditions or behaviors such as these:</p><ul><li>Was demoted, passed over, disciplined, or otherwise “slighted”</li><li>Is experiencing financial troubles</li><li>Has been disruptive or exhibited anti-establishment views</li><li>Is underperforming</li><li>Requests access to sensitive or important files</li><li>Approaches others to share credentials</li></ul>
<p>Social media isn’t just “a PR thing” when it comes to risk management. Personal and social networks can be both a great research tool and a giant blind spot. A targeted attack may begin with the hacker researching the company’s or employees’ social media. Social engineering schemes work best with specific details which can be lifted from profiles and posts. Sites which share company structure or upcoming events can inform phishing attempts. Hackers who need to enlist an insider to their cause watch for signs of malice or discontent.</p>
<p>Further, prevent insider jobs by limiting network access to only the files identified as relevant to job duties. Login credentials should be monitored closely. Upon termination, the exit process should include revocation of access to email, VPN, cloud servers, social accounts, etc.</p>
<p>The sources of malicious traffic can be custom defined. Start with general SIEM and firewall data as the basis that threat intelligence complements. <a href="https://www.anomali.com/blog/turn-the-tables-on-cyber-crime-with-the-modern-honey-network">Intelligence feeds must be well informed</a> in the context of probable external threats. The platform configuration should be planned using the research described above.</p>
<p>Plan for the inevitable: a successful hack. It is unrealistic to claim that you will never experience any breaches. Threats and vulnerabilities are constantly evolving, and with that flux will come gaps in your defenses. Have a solid recovery strategy for both the network itself and the people affected. Identify ahead of time who the point-persons will be and how they will respond.</p>
<p>Form solid backup policies that will reduce downtime. Assemble ahead of time a crisis team that includes IT security, physical security, and public relations. In cases of an insider threat, human resources may need to be involved. In scenarios where other parties are harmed, the legal team will be called upon.</p>
<p>Comprehensive threat intelligence management requires that you consider the sources thoroughly. If you’ve never taken a top-down approach to including threat intelligence in your whole organization, do not be overwhelmed. There are lots of <a href="{page_1864}">informative resources to guide your cyber-security</a> efforts.</p>
