"The words “threat intelligence” sound high-level, like an issue that might only concern the Department of Homeland Security or the security teams at Google or Amazon.
In truth, anyone who connects to the internet or saves data in the cloud or on a hard drive should give threat intelligence some thought. Small businesses, in particular, need to understand the concept to make sure that, in their efforts to prevent cyberattacks, they adequately protect their assets without bankrupting themselves through overkill." - Patricia Staino
The 6 steps of the threat intelligence lifecycle
The threat intelligence process is well-defined and complex. As you’ll see as you read through the steps, collecting and leveraging threat intelligence is a challenging endeavor and probably out of reach for most small business owners.
If your data and systems do require this level of threat protection, it’s probably best to contract with outside security providers rather than hiring a security team to monitor, prioritize, and resolve threats and breaches.
1. Direction
In the direction phase, you decide what the threat intelligence effort is for and set its goals. This means listing the assets and processes you need to protect, estimating the impact on the business if each of them is compromised, deciding which types of intelligence you need (for example, indicators to feed into your tools versus reports on the groups most likely to target a business like yours), and, most importantly, writing down the questions the intelligence must answer so that collection and analysis have a clear target.
With the growing number of threats, no organization, however small or large, can eliminate every one of them. It is more useful to pick the assets you most need to protect (such as sensitive customer financial data or employee records) and concentrate your time and attention on guarding those.
2. Collection
In the collection phase, you gather raw data about potential threats, either with automated tooling or by hand. Sources include metadata and logs from applications, network infrastructure, and security tools; commercial and open-source threat data feeds; forums and chat rooms where attackers and researchers exchange information; news and media outlets; and many more.
3. Processing
In technical terms, processing the data means structuring it, decrypting or decoding it, translating it where it is in another language, parsing it, reducing and filtering it, correlating it, and aggregating it.
In layman's terms, processing means collating the raw data, converting it into a standard format, removing duplicates, flagging anomalies and obviously invalid entries, and arranging it so that it can be summarized for stakeholders.
The output of processing is not yet intelligence: it is clean, consistent, deduplicated data that an analyst can work with. That consistency is what makes the next step possible.
4. Analysis
Analysis is the process of reviewing the processed data to identify evidence of compromise, judge how relevant and credible each finding is, and decide what action it calls for. Analysts use deduction, induction, abduction, and the scientific method to interpret the information and recommend what to do. Analysis is the step where processed data becomes actionable intelligence.
Depending on what the data shows, the recommendation might be to investigate a potential threat further, to block an attack immediately, or to take more far-reaching steps such as isolating affected systems.
5. Dissemination
The next step is to deliver the findings to the stakeholders who can act on them, in a form they can use. This takes the shape of threat indicators, security alerts, threat intelligence reports, and configuration for security tools.
Strategic threat intelligence goes to executives so they can plan business strategy around the risks that matter most. Operational intelligence goes to security and network managers, incident responders, and architects; it describes specific adversaries, their campaigns, and their tactics, techniques, and procedures, so those teams can focus their defenses on the threats most likely to target them.
Tactical intelligence consists of concrete indicators of compromise, such as malicious IP addresses, domains, and file hashes. It goes to SOC analysts and is loaded directly into security tools (firewalls, proxies, SIEM, endpoint agents) so those tools can block and alert on known-bad artifacts.
6. Feedback
Regularly ask the people who receive threat intelligence in your company whether they are getting the information they need, in the form they need it, and what could be done better. Feed that back into the direction phase. This has to be an ongoing process: new threats arise every day, and what your stakeholders need today may change significantly by tomorrow.
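To make the middle of the lifecycle concrete, here is a small, added example (not code from the original article) that walks two constructed indicator feeds through processing, analysis, and dissemination. The feed records, the log lines, the source names (feed-a, feed-b), and the confidence threshold are all assumptions invented for the example; the indicator values are documentation-reserved addresses and example domains, not real threat data. It goes a little beyond the text by showing the normalization and de-duplication that processing actually requires before correlation against logs is meaningful.

```python
"""Toy threat intelligence pipeline: processing -> analysis -> dissemination.

Constructed example; feeds, logs and thresholds are hypothetical.
"""
import csv
import io
import ipaddress
import json
import re

# --- Collection output (constructed). Two feeds in two different formats. ---
FEED_CSV = """indicator,type,confidence,source
198.51.100.23,ipv4,90,feed-a
EVIL-UPDATES.EXAMPLE,domain,70,feed-a
198.51.100.23,ipv4,60,feed-a
"""
FEED_JSON = json.dumps([
    {"value": "evil-updates.example", "kind": "domain", "score": 0.8, "provider": "feed-b"},
    {"value": "203.0.113.77", "kind": "ip", "score": 0.95, "provider": "feed-b"},
    {"value": "not an indicator", "kind": "ip", "score": 0.5, "provider": "feed-b"},
])
# Constructed proxy log lines from the (hypothetical) internal network.
LOGS = """2024-05-01T10:02:11Z proxy src=10.0.0.15 dst=198.51.100.23 host=cdn.example action=allow
2024-05-01T10:03:45Z proxy src=10.0.0.22 dst=192.0.2.9 host=evil-updates.example action=allow
2024-05-01T10:04:02Z proxy src=10.0.0.15 dst=203.0.113.1 host=www.example action=allow
2024-05-01T10:05:30Z proxy src=10.0.0.31 dst=203.0.113.77 host=- action=allow
"""


def parse_csv_feed(text):
    """Read the CSV feed into the common raw record shape."""
    return [{"value": r["indicator"], "type": r["type"], "confidence": int(r["confidence"]),
             "source": r["source"]} for r in csv.DictReader(io.StringIO(text))]


def parse_json_feed(text):
    """Read the JSON feed, mapping its field names and 0-1 score onto the common shape."""
    kind_map = {"ip": "ipv4", "domain": "domain"}
    return [{"value": i["value"], "type": kind_map.get(i["kind"], i["kind"]),
             "confidence": int(round(i["score"] * 100)), "source": i["provider"]}
            for i in json.loads(text)]


def normalize(raw):
    """Validate and canonicalise one record; return None for junk that would pollute matching."""
    value = raw["value"].strip().lower()
    if raw["type"] == "ipv4":
        try:
            value = str(ipaddress.IPv4Address(value))
        except ipaddress.AddressValueError:
            return None
    elif raw["type"] == "domain":
        if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", value):
            return None
    else:
        return None
    return {"value": value, "type": raw["type"], "confidence": raw["confidence"],
            "sources": {raw["source"]}}


def process(raw_records):
    """Processing: normalise, drop invalid entries, dedupe, merge confidence and sources."""
    merged = {}
    for raw in raw_records:
        rec = normalize(raw)
        if rec is None:
            continue
        key = (rec["type"], rec["value"])
        if key in merged:
            merged[key]["confidence"] = max(merged[key]["confidence"], rec["confidence"])
            merged[key]["sources"] |= rec["sources"]
        else:
            merged[key] = rec
    return merged


LOG_RE = re.compile(r"^(?P<ts>\S+) proxy src=(?P<src>\S+) dst=(?P<dst>\S+) "
                    r"host=(?P<host>\S+) action=(?P<action>\S+)$")


def analyze(indicators, log_text):
    """Analysis: correlate each log line's destination IP and hostname with the indicator set."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently mis-match
        f = m.groupdict()
        for key in (("ipv4", f["dst"]), ("domain", f["host"].lower())):
            ind = indicators.get(key)
            if ind:
                hits.append({"time": f["ts"], "internal_host": f["src"], "indicator": ind["value"],
                             "type": ind["type"], "confidence": ind["confidence"],
                             "sources": sorted(ind["sources"])})
    return hits


def disseminate(indicators, hits, block_threshold=80):
    """Dissemination: a tactical blocklist for tools and human-readable alerts for the SOC."""
    blocklist = sorted(i["value"] for i in indicators.values() if i["confidence"] >= block_threshold)
    alerts = [f"ALERT {h['time']} {h['internal_host']} contacted {h['type']} {h['indicator']} "
              f"(confidence {h['confidence']}, sources {','.join(h['sources'])})" for h in hits]
    return blocklist, alerts


def run_pipeline():
    """Run collection output through processing, analysis and dissemination."""
    indicators = process(parse_csv_feed(FEED_CSV) + parse_json_feed(FEED_JSON))
    hits = analyze(indicators, LOGS)
    blocklist, alerts = disseminate(indicators, hits)
    return {"indicators": indicators, "hits": hits, "blocklist": blocklist, "alerts": alerts}


if __name__ == "__main__":
    result = run_pipeline()
    print("\n".join(result["blocklist"]))
    print("\n".join(result["alerts"]))
```

Note what processing buys you: the same domain arrives in different case from two feeds and the same IP appears twice in one feed, and without normalization and de-duplication the analysis step would either miss the match or raise the same alert several times. The junk record ("not an indicator") is dropped rather than carried forward, which is the filtering the article describes. The blocklist threshold is a direction-phase decision, not something the pipeline can choose for you.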
"Small businesses should seek outside assistance or buy security platforms that already provide Threat Intelligence. As outlined above, properly leveraging threat intelligence feeds is a cumbersome effort, but one that provides immense value.
We leveraged quality threat intelligence to prevent and halt active breaches in critical infrastructure and to save lives in attacks on healthcare. There is an enormous amount of value gained by having proper context and full visibility into a cybercriminal's actions." - Patrick Kelley