Doing Threat Intel the Hard Way - Part 6: Threat Intelligence Maintenance

This is the sixth and final post in a series on manual IOC management for threat intelligence. See the previous posts:

Part 1: Manual IOC Management
Part 2: Capturing Threat Intelligence
Part 3: Processing Threat Intelligence
Part 4: Operationalizing Threat Intelligence
Part 5: Analyze Threat Intelligence

Threat intelligence Maintenance

Once an analyst has decided on the validity of the threat, the output of that decision must be captured and stored, preferably within the system. If it was determined that an indicator was not a threat, that should be documented accordingly. If instead it was determined to be a threat, additional output could include notes, reports, recommendations or other documentation. It could also include additional information gathered about the indicators themselves. All this information should be easily accessible for future reference.

Indicators must also be maintained over time, meaning that some method of incorporating new information about existing indicators while retaining the previous information is required. Although today an IP may be actively engaged in brute force attacks, next week it might be cleaned up and reimaged. That same IP might be clean for two years before getting compromised again and put into service as a botnet C&C IP. Analysts need to be able to see these changes over time in order to avoid confusion in analysis. Additionally, if integration content, such as SIEM alert rules, is based on categories or other elements that change over time, automated monitoring may fail to detect new threats and may identify threats incorrectly.

Conclusion

Threat intelligence can offer concrete benefits to organizations, making security analysts more efficient and effective, but only if that intelligence has been managed correctly. Poorly managed threat intelligence can lead to incorrect decisions that may have lasting consequences for the business or organization.

I have attempted to lay out the steps necessary to create a manual threat intelligence management process. As you can see, it is a complex undertaking, that may require a significant investment of resources. Some organizations have the necessary resources and skill in-house to develop such a program. Many do not.

Given the level of ongoing effort required, even those capable of building their own may opt for a commercial threat intelligence management platform. It is important that you do an honest assessment of your own organization before starting this kind of project.