Four Features to Look for in a Threat Intelligence Service

Introduction
Although threat intelligence platforms have been used for years by elite threat research teams at cybersecurity solutions vendors and consulting firms, they have only recently become commercially available as services. This article offers some advice on selecting a service that fits your enterprise, and specifies four features that you should seek out.

A Source of Enhanced Threat Intelligence
Security groups today can choose from many open source and commercial threat data feeds. Unfortunately, many of the indicators they supply are trivial, or represent threats that are serious for some enterprises but can safely be ignored by others. The massive flow of these indicators can generate alerts that distract attention from real targeted attacks on the enterprise.

Look for a threat intelligence service that supplies not just threat indicators, but also extensive context and malware analysis. This should include extensive background on threat actors and attack methods linked to specific indicators and threat artifacts. It should also include tags that help security teams identify the indicators and threat artifacts relevant to their enterprise. For example, tags might flag the fact that a file is typically used to target energy companies, or POS systems, or victims in German-speaking countries.

Ask about the sources of this intelligence. Is there a leading threat intelligence research group to produce the information? Does the service utilize a leading-edge dynamic analysis (“sandboxing”) tool to document the behavior of malicious files?

The Ability to Customize and Prioritize Alerts
Most security teams have resources to investigate only a small fraction of the alerts they receive from security information and event management (SIEM) and other monitoring systems. That makes it imperative that you be able to prioritize alerts effectively.

A threat intelligence service should be able to flag alerts for you based on your business and your technology infrastructure. It should also allow you to create customized tags and alerts.

The service should include a threat intelligence dashboard that informs you about the malware files and threat indicators that appear most frequently on your network. If possible, it should also provide visibility into the malware and indicators seen most frequently by others in your industry. The same threat actors targeting them will probably target you too.

Features That “Pivot” From an Indicator and Find Related Artifacts
Many threat indicators are harmless if they are isolated events, but dangerous if they are part of a complex targeted attack. A threat intelligence service should include a portal that allows you to start with an initial indicator and then “pivot” to find related indicators and artifacts and assess the scope of an attack.

For example, if you detect a file containing malware, the threat intelligence portal should give you tools to search for other instances of that file hitting your network, of instances of similar but not identical malware in the same family, and of other artifacts associated with the same threat campaign. The portal should provide you with information on the actions the file attempts to take when it executes, such as connecting to a remote server or creating certain registry entries on a system, so you can look for those events on your network. If you detect a session connecting your network with a server on the Internet, you should be able to determine if that server is associated with spammers, cybercriminals, hacktivists or other threat actors.

These capabilities will help you identify real attacks faster and mitigate their effects more fully.

The Ability to Create New Protections and Prevent Future Attacks
Most people think of threat intelligence services in terms of prioritizing and analyzing threats. But capabilities to create new protections and prevent future attacks can also pay major dividends.

When you discover new types of malware and new threat artifacts, you should be able to create custom tags and to share the tags and artifacts with other enterprises. That will allow you to identify relevant threat indicators as soon as they hit your network.

It is also very valuable if your threat intelligence service allows you to export signatures and artifacts to enforcement points like firewalls, and to monitoring systems like security information and event management (SIEM) systems. If that capability is automated, your defenses can be updated as soon as an attack is discovered, which minimizes the time the attacker has to find and exfiltrate confidential data.

In related articles we: