Threat intelligence, also known as cyber threat intelligence (CTI), is information gathered from a range of sources about current or potential attacks against your organization. Using tools like Splunk Enterprise Security, Splunk Threat Intelligence Management, and Splunk Intel Management (Legacy), you analyze, refine, and organize information, and then use it to minimize and mitigate cybersecurity risks.
The main purpose of threat intelligence is to show you the various risks you face from external threats, such as zero-day threats and advanced persistent threats (APTs). Threat intelligence includes in-depth information and context about specific threats, such as who is attacking, their capabilities and motivation, and indicators of compromise (IOCs). With this information, you can make informed decisions about how to defend against the most damaging attacks.
What are the benefits of effective threat intelligence processes?
In a military, business, or security context, intelligence is information that provides an organization with decision support and possibly a strategic advantage. Threat intelligence is one part of a broader security intelligence strategy. It includes information related to protecting your organization from external and insider threats, as well as the processes, policies, and tools used to gather and analyze that information.
Threat intelligence provides better insight into the threat landscape and threat actors, along with their latest tactics, techniques, and procedures (TTPs). It allows you to be proactive in configuring your security controls to detect and prevent advanced attacks and zero-day threats. Many of these adjustments can be automated so that security controls stay aligned with the latest intelligence in real time, and integrated threat intelligence helps you stay ahead of advanced threats.
What are threat intelligence best practices?
- Select the right sources of threat data for your organization.
Not all threat intelligence is equal: intelligence that is valuable to one organization may be of no value to another. Value comes down to relevance and accessibility, which requires curating feeds into a customized enrichment source that aggregates data filtered by a range of factors. Those factors could include industry, geography, your organization's environment and infrastructure, the third parties your organization works with, your organization's risk profile, and more.
- Determine who will acquire the data.
While it may seem ideal to give a broad audience access to raw threat data, it is usually better to have one team responsible for acquiring and analyzing threat intelligence and delivering only actionable information. Not every stakeholder needs every level of intelligence, so think about how the same report will be used by various teams across the organization. Different teams may use different aspects of the same report in different ways to achieve their desired outcomes, for example modifying strategic policy, launching operational hunting campaigns, or disseminating tactical technical indicators.
- Structure the data for analysis.
Threat data comes in a multitude of formats that need to be normalized. These sources can be as diverse as STIX bundles, MITRE ATT&CK techniques, news articles, blogs, tweets, security industry reports, indicators of compromise (IOCs) from threat feeds, GitHub repositories, YARA rules, Snort signatures, and more. In addition, the volume of information across the threat intelligence landscape is high, and different groups use different names to refer to the same thing (the same threat actor, the same malware family, or the same indicator written in different ways). Normalization compensates for this and enables teams to aggregate, deduplicate, and organize information quickly.
- Use tools to help with analysis.
Effective analysis can be quite a challenge, particularly during a major incident. Splunk Enterprise Security extracts context from threat data and can help your teams use that information for different use cases and outcomes, for example alert triage, threat hunting, spear phishing investigation, incident response, and more. The Splunk Enterprise Security Threat Intelligence framework helps aggregate, prioritize, and manage a wide variety of threat intelligence feeds and matches their indicators against your event data.
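The two practices above, structuring mixed-format threat data and then using it for analysis, are what a threat intelligence pipeline does mechanically before any tooling can act on it. The following is an added example, not code from Splunk or from this page, that shows the normalization step in plain Python: it reads indicators from a constructed STIX 2.1 bundle and a constructed CSV feed with a different column layout, maps the differing type names and value spellings onto one canonical form, merges duplicates while keeping the highest score and the set of sources that reported each indicator, and finally matches the result against a few constructed events. All indicator values, scores, field names and events are made up for illustration.

```python
"""Normalize indicators from mixed sources and match them against events.
Added example with constructed data; it is not Splunk code."""
import csv
import io
import json
import re
from dataclasses import dataclass

# Constructed STIX 2.1 bundle (hypothetical ids; values are documentation ranges).
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.10']",
         "name": "constructed C2 address", "confidence": 80},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'bad.example']",
         "name": "constructed phishing domain", "confidence": 60},
    ],
})

# Constructed CSV feed: different type names, mixed case, trailing dot on the FQDN.
CSV_FEED = """indicator,type,score
203.0.113.10,ip,75
Bad.Example.,domain,50
0123456789abcdef0123456789abcdef,md5,90
"""

# Constructed events in the shape of already-parsed log records.
EVENTS = [
    {"sourcetype": "firewall", "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10"},
    {"sourcetype": "dns", "src_ip": "10.0.0.7", "query": "BAD.example"},
    {"sourcetype": "firewall", "src_ip": "10.0.0.9", "dest_ip": "198.51.100.20"},
]

# Different groups name the same indicator type differently; map them to one name.
TYPE_ALIASES = {
    "ip": "ip", "ipv4": "ip", "ipv4-addr": "ip", "ipv4-addr:value": "ip",
    "domain": "domain", "fqdn": "domain", "domain-name": "domain", "domain-name:value": "domain",
    "md5": "md5", "file:hashes.md5": "md5", "file:hashes.'md5'": "md5",
}

# Matches only single-comparison STIX patterns; compound patterns need a real parser.
STIX_SIMPLE = re.compile(r"^\[\s*([\w:.'-]+)\s*=\s*'([^']*)'\s*\]$")


@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    score: int
    sources: frozenset


def canonical(ioc_type, value):
    """Return (type, value) in canonical form, or None for unsupported types."""
    t = TYPE_ALIASES.get(ioc_type.strip().lower())
    if t is None:
        return None
    v = value.strip()
    if t == "domain":
        v = v.lower().rstrip(".")   # FQDN case and trailing dot are not significant
    elif t == "md5":
        v = v.lower()
    return t, v


def parse_stix(text):
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = STIX_SIMPLE.match(obj.get("pattern", ""))
        if m:
            yield m.group(1), m.group(2), int(obj.get("confidence", 50)), "stix"


def parse_csv(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["type"], row["indicator"], int(row["score"]), "csv"


def normalize(*streams):
    """Merge (type, value, score, source) tuples; keep max score and all sources."""
    merged = {}
    for stream in streams:
        for raw_type, raw_value, score, source in stream:
            key = canonical(raw_type, raw_value)
            if key is None:
                continue
            score_so_far, sources = merged.get(key, (0, set()))
            merged[key] = (max(score_so_far, score), sources | {source})
    return {k: Indicator(k[0], k[1], s, frozenset(src)) for k, (s, src) in merged.items()}


# Which event fields carry which indicator type (assumed field names).
FIELD_TYPES = {"src_ip": "ip", "dest_ip": "ip", "query": "domain", "file_hash": "md5"}


def match_events(indicators, events):
    """Return (sourcetype, field, Indicator) hits, highest score first."""
    hits = []
    for ev in events:
        for field, t in FIELD_TYPES.items():
            if field in ev and (ind := indicators.get(canonical(t, ev[field]))):
                hits.append((ev["sourcetype"], field, ind))
    return sorted(hits, key=lambda h: h[2].score, reverse=True)


if __name__ == "__main__":
    inds = normalize(parse_stix(STIX_BUNDLE), parse_csv(CSV_FEED))
    for hit in match_events(inds, EVENTS):
        print(hit)
```

Running the block prints two hits: the firewall event whose destination is the address reported by both feeds (score 80, sources stix and csv) and the DNS query for the phishing domain, which matched only because the lookup key was lowercased and the feed's trailing dot stripped. That second hit is the practical argument for normalizing before matching: without it the same domain would appear as three different indicators and one of them would never fire.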
What threat intelligence processes can I put in place?
Splunk recommends following the Prescriptive Adoption Motion: Threat intelligence. This guide walks you step-by-step through threat intelligence types and data contextualization and enrichment.
Implement the use cases below to build effective threat intelligence processes in your organization. You can also find help in our Getting Started guidance for Using Threat Intelligence Management.
- Identifying high-value assets and data sources
- Learn how to prepare for attacks that specifically target your organization's high-value assets, reducing disruption to business continuity and limiting reputational or regulatory risk.
- Leveraging critical vulnerability insights for effective incident response
- Learn how using Tenable and Splunk Enterprise together enables you to sync IT, OT, and AD vulnerability information, prioritize vulnerability remediation, request a remediation scan, and view the latest vulnerability summary for a machine.
- Monitoring for indicators of ransomware attacks
- Learn how Splunk Enterprise Security helps you ingest, monitor, investigate, and act on indicators of ransomware activity in your security data.
- Prescriptive Adoption Motion - Threat intelligence
- Actionable threat intelligence is an essential function for protecting digital infrastructure and assets. This guide covers processing and analyzing data from multiple feeds to improve security and visibility.
- Using threat intelligence in Splunk Enterprise Security
- Threat intelligence enables cyber security teams to inform the SOC and incident response teams of potential and impending harmful activities and business risks.