On June 27, I had the pleasure of participating in an SC Media webcast on building a threat intelligence environment. The host, Stephen Lawton, posed some good questions about challenges and misconceptions around building a threat intelligence program inside an organization.
Since threat intelligence first became a new buzzword in information security some years back, many companies have espoused features friendly to this seemingly new technology. Unfortunately, threat intelligence was not a concept easily understood by typical IT security types. Early players in the threat intelligence space didn’t help the spread of misconceptions by implying that a list of IP addresses or domains was in itself, intelligence. Fortunately, the industry has mostly matured beyond this but some of these misconceptions still persist.
In order to truly get value from threat intelligence, it’s important to start out on the right foot. Understanding what threat intelligence is and isn’t is a fundamental component of knowing how it can benefit an organization. Threat intelligence is not a list of anything. It’s not IP addresses or domains or hashes or URLs. These are just information. Granted, intelligence can be derived from lists, but the lists and the objects in the lists themselves are not intelligence. Intelligence is taking available data (perhaps from lists) and extracting meaning from that data for the purpose of providing insight into decision-making. Threat intelligence is performing this process around threats, either real or perceived.
As I discussed with Stephen in the webinar, since an organization is going to be concerned with threats to itself, it makes sense then that any threat intelligence program should start with internally available data that can support intelligence analysis. Mostly this should be attacks observed by that organization. Information from the SOC and incident response efforts are the perfect place to start.
We went on to cover a lot of important ground on how to build a threat intelligence environment. My hope is that it helps those looking to start or expend threat intelligence efforts in their organizations and maybe dispel some common myths along the way.
A recording of the webcast is available here. Slides from our discussion are available upon request.