Threat intelligence
Threat intelligence, also known as cyber threat intelligence (CTI), is information gathered from a range of sources about current or potential attacks against your organization. Using tools like Splunk Enterprise Security and Splunk Intel Management (Legacy), you analyze, refine, and organize information, and then use it to minimize and mitigate cybersecurity risks.
The main purpose of threat intelligence is to show you the various risks you face from external threats, such as zero-day threats and advanced persistent threats (APTs). Threat intelligence includes in-depth information and context about specific threats, such as who is attacking, their capabilities and motivation, and indicators of compromise (IOCs). With this information, you can make informed decisions about how to defend against the most damaging attacks.
What are the benefits of effective threat intelligence processes?
In a military, business, or security context, intelligence is information that provides an organization with decision support and possibly a strategic advantage. Threat intelligence is a part of a bigger security intelligence strategy. It includes information related to protecting your organization from external and inside threats, as well as the processes, policies, and tools used to gather and analyze that information.
Threat intelligence provides better insight into the threat landscape and threat actors, along with their latest tactics, techniques, and procedures. It allows you to be proactive in configuring your security controls to detect and prevent advanced attacks and zero-day threats. Many of these adjustments can be automated so that security stays aligned with the latest intelligence in real-time, and integrated threat intelligence helps you stay ahead of advanced threats.
What are threat intelligence best practices?
- Select the right sources of threat data for your organization.
Not all threat intelligence is equal - threat intelligence that is of value to one organization may not be of value to another. Value comes down to relevance and accessibility, which requires curation into a customized enrichment source, aggregating data filtered by a range of factors. Those factors could include industry, geography, your organization's environment and infrastructure, the third parties your organization works with, your organization's risk profile, and more. - Determine who will acquire the data.
While it may be ideal to provide access to threat data to a broad audience, it is probably better to have one team responsible for acquiring and analyzing threat intelligence and only delivering actionable information. Not every stakeholder needs every level of intelligence, so think about how the same report will impact and be used by various teams across the organization. Different teams may use different aspects of the same report in different ways to achieve their desired outcomes, for example modifying strategic policy, launching operational hunting campaigns, or disseminating tactical technical indicators. - Structure the data for analysis.
Threat data comes in a multitude of formats that need to be normalized. These sources can be as diverse as STIX, MITRE ATT&CK techniques, news articles, blogs, tweets, security industry reports, indicators of compromise (IoCs) from threat feeds, GitHub repositories, Yara rules, Snort signatures and more. In addition, the volume of information across the threat intelligence landscape is high and different groups use different names to refer to the same thing. Normalization compensates for this and enables teams to aggregate and organize information quickly. - Use tools to help with analysis.
Effective analysis can be quite a challenge, particularly during a big event. Splunk Enterprise Security does a good job of extracting context and can help your teams use information in various ways for different use cases and to support different outcomes - for example, alert triage, threat hunting, spear phishing, incident response, and more. The Splunk Enterprise Security Threat Intelligence framework helps aggregate, prioritize, and manage a wide variety of threat intelligence feeds.
What threat intelligence processes can I put in place?
Splunk recommends following the Prescriptive Adoption Motion: Threat intelligence. This guide walks you step-by-step through threat intelligence types and data contextualization and enrichment.
These additional resources will help you implement this guidance:
- Getting Started Guide: Overview - Splunk Intelligence Management (TruSTAR)
- Use case: Using threat intelligence in Splunk Enterprise Security
- Use case: Monitoring for indicators of ransomware attacks