Tech News

How to Make Threat Intelligence Actionable

Cyber analysts optimize dollars spent on defensive activity to combat an actively changing threat landscape by utilizing threat intelligence platforms. Threat Intelligence is a way of categorizing attack vectors based on available data points such as malware hashes, known malicious IP addresses, and known malicious URL. However, detection of a particular attack vector is only half of the battle. If a team cannot determine how to best respond to an attack, then the detection provides little value. As threat intelligence changes from a luxury to a necessity of cyber defense, the question arises, “How does an organization change threat information from simply a list of attacks to an actionable defense strategy?”

Identifying Attack Patterns

Many organizations use an internal Security Information Event Manager (SIEM) as their threat intelligence platform. From this centralized database, analysts attempt to index, extract, and query data in order to take action on alerts. Examining the information in the SIEM may provide additional metadata on an attack. For example, instead of simply identifying the type of attack, threat intelligence gathered may help to identify the path of infection and chokepoints that failed to detect the malware. It can also help identify paths for the attack to spread within the network. Building and maintaining a history of incidents is the first step for an organization to begin to make intelligence actionable by identifying similarities between attack patterns.

Improving Organization’s Security Through Data

External threat intelligence can also be gathered from data subscriptions or feed such as Open Source Intelligence (OSINT), relationships with government and law enforcement, and crowdsourced platforms. Various mechanisms for delivery include email, subscriptions in JSON or CSV format, API based scripts, or public reports from a threat intelligence provider.

The organization must take steps to make threat intelligence actionable. This may include incorporating this data into an organization’s security posture. For example, external threat intelligence may be added to a SIEM. Threat intelligence can be used to analyze an organization’s current security posture for gap elimination and general improvements. A large number of disk based attacks might drive an organization to implement a whitelisting solution. Memory based attacks might drive Windows users to add Microsoft EMET to their machines. Internal threat intelligence might identify key areas to protect that were previously not considered to be of note to an adversary.

Threat intelligence may also drive certain investigation and response. An organization will typically have a playbook of the actions to take in response to a particular attack. These activities may be manual in nature or automated, or some combination of the two. Threat intelligence platforms like can guide analysts on which systems to examine, the type of malware to look for, and methods utilized by an attacker to pivot or maintain persistence.

Using Analytics

Finally, analysts may make threat intelligence actionable by using analytics to help predict future activity. Trends can drive Tactics Techniques, and Procedures (TTP). For example, the trend of a heavier use of PowerShell might allow analysts and system administrators to bolster their Windows platforms by upgrading to PowerShell 5 or enabling script block logging.