Threat Intelligence: implementation

How to implement a Threat Intelligence solution in your company? Here are the 4 key steps to achieve this without any glitches.


Our series on Threat Intelligence (TI) is coming to an end. In the first part, we discovered what Threat Intelligence is and, in the second part, we focused on its different approaches, techniques and strategies. In this third and final episode, we explain how to implement it within your organization.

Before embarking on the implementation of a Threat Intelligence solution, a company must ask itself the following questions:

  • What are our critical resources?
  • What kind of security solution have we already invested in and do we plan to invest in more?
  • How will our capabilities and human resources be impacted by the implementation of a Threat Intelligence solution?
  • What types of resources do we want to invest in this project?

With these answers, you will have a clearer picture of how a Threat Intelligence solution applies to your organization; it will have to be grounded in the company’s security policy. But where do you start?

Step 1: Define what Threat Intelligence is for your organization

This is an essential prerequisite. Several aspects must be taken into account to identify your company’s Threat Intelligence needs: the company context (sector of activity, size, etc.), the essential assets to protect, and so on.

The first step is to define your needs: Who are we? What do we need? What do we want? Once again, by asking yourself the right questions, you will be able to better understand your expectations and choose the most appropriate Threat Intelligence solution. These references will be invaluable throughout the implementation of your TI solution.

After the needs come the objectives. These must be clear and achievable. It will also be necessary to set measurable criteria that will subsequently facilitate the validation of the solution.

Throughout the entire life cycle of the solution, it remains important that the Threat Intelligence team stays in contact with the users of the solution, such as the Security Operations Center (SOC) but also the decision-makers, in order to ensure quick action.

Since developing a Threat Intelligence program is a long-term project, it is important to prioritize your objectives: learn about existing solutions and tools and quantify the associated resources, whether human, technical or financial.

Step 2: “passive” data collection

Many sources of Threat Intelligence exist. In order not to end up with large amounts of useless data, it is essential to choose them carefully.

The primary purpose of Threat Intelligence is not to gather as much information as possible, but to focus on the information most relevant to the needs and objectives defined in step 1. Managing the volume of data collected, and its usefulness, is therefore key to remaining effective.

Thus, depending on your Threat Intelligence objectives, you will not collect the same types of data:

  • “simple” protection objective: you will need to build the broadest possible base of indicators of compromise (IOC) and automatically couple it with tools that will block recognized attack attempts;
  • Threat Intelligence objective: you will need to focus on larger threats such as Advanced Persistent Threats (APT) or emerging/moving attacks (such as the Dridex campaign or Cryptolocker).

The importance of the choice and contextualization of the data collected

The data collected must be relevant to your organization (your sector, your equipment, your location, etc.). If a feed contains 90% information about the financial sector and you are not in that sector, it is probably of little use to you.

Depending on your resources, be careful with data redundancy. For example, if two feeds have almost identical content, it is better to keep only one.

In addition, the analysis of your internal traffic (also called “SIGINT” for “Signals Intelligence”) will reveal anomalies specific to your activities, so it is important to take these into account as well.

To get started, focus on data that is already “pre-contextualized”. Once the Threat Intelligence program is well implemented, you can enrich this information with raw information.

Each piece of data should, at a minimum, carry a time factor (lifetime) and a confidence index, which will most often derive from its source. This limits false positives and yields relevant, usable results.

Data storage and processing

It is possible to store the collected data in spreadsheets, transmit the information via email to the concerned parties, or inject it directly into your Security Information and Event Management (SIEM). At this stage, it is often only unformatted data.

Quite quickly, the amount of data will become too large to be managed in this way and analysts may become overwhelmed. In the best case scenario, emails and spreadsheets will no longer be consulted, but the greatest risk is to make the SIEM unusable and complicate the work of the security teams. Indeed, too much non-contextualized information in a SIEM will generate many false positives that will prevent the detection of real problems.

If collecting a large amount of data from different sources is required to produce TI, human analysts do not need to see all of it. Your Threat Intelligence solution should only provide analysts with the information and intelligence they need to make responsive and proactive decisions. It is therefore necessary to invest in a Threat Intelligence platform.
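As an added illustration (not code from the original post), the following Python sketch shows how a small IOC store can apply the lifetime and confidence requirements described above, keep a single copy when two feeds carry the same indicator, and push only high-confidence indicators to the SIEM. The source names, confidence values, TTLs and feed records are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Confidence (0-100) attached to each source; assumed values for the constructed feeds below.
SOURCE_CONFIDENCE = {"vendor_feed": 85, "community_feed": 50, "internal_sigint": 90}

@dataclass(frozen=True)
class Indicator:
    value: str            # IP, domain, file hash...
    kind: str             # "ip", "domain", "sha256", ...
    source: str
    first_seen: datetime  # tz-aware
    ttl: timedelta        # lifetime; once exceeded the indicator is retired
    confidence: int

    def expired(self, now):
        return self.first_seen + self.ttl <= now

def normalize(raw_records, now):
    """Merge raw feed records into one indicator per value and drop expired ones."""
    merged = {}
    for rec in raw_records:
        ind = Indicator(
            value=rec["value"].lower(),
            kind=rec["kind"],
            source=rec["source"],
            first_seen=rec["first_seen"],
            ttl=timedelta(days=rec.get("ttl_days", 30)),
            confidence=SOURCE_CONFIDENCE.get(rec["source"], 20),  # unknown source: low trust
        )
        if ind.expired(now):
            continue
        current = merged.get(ind.value)
        # Two feeds carrying the same indicator: keep only the higher-confidence copy.
        if current is None or ind.confidence > current.confidence:
            merged[ind.value] = ind
    return merged

def for_siem(merged, min_confidence=60):
    """Only high-confidence indicators reach the SIEM; the rest stay in the TI store."""
    return sorted(i.value for i in merged.values() if i.confidence >= min_confidence)

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_FEEDS = [  # constructed records using reserved documentation addresses, not real IOCs
    {"value": "198.51.100.7", "kind": "ip", "source": "vendor_feed", "first_seen": NOW - timedelta(days=2)},
    {"value": "198.51.100.7", "kind": "ip", "source": "community_feed", "first_seen": NOW - timedelta(days=5)},
    {"value": "C2.Example.com", "kind": "domain", "source": "community_feed", "first_seen": NOW - timedelta(days=1)},
    {"value": "203.0.113.9", "kind": "ip", "source": "vendor_feed", "first_seen": NOW - timedelta(days=40)},  # past 30-day TTL
    {"value": "10.0.0.5", "kind": "ip", "source": "internal_sigint", "first_seen": NOW - timedelta(hours=3), "ttl_days": 7},
]
SIEM_PUSH = for_siem(normalize(SAMPLE_FEEDS, NOW))  # -> ['10.0.0.5', '198.51.100.7']
```

The community feed's duplicate of the vendor indicator and the domain it alone reports both stay in the store, but only the two indicators above the confidence threshold are pushed, and the expired one is dropped entirely.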

Step 3: the choice of a Threat Intelligence platform

When the amount of data collected becomes too large to be managed “manually”, it is time to invest in a Threat Intelligence platform and go beyond simple “passive” data collection (also called event data analysis).

The Threat Intelligence platform will automate a number of actions and further contextualize the collected information. It will help security teams prioritize alerts according to their severity and make sound decisions, including categorizing data (such as type of attack and threat). To do this, the contextualization of information is essential, and the platform should always be as up-to-date as possible.

Should you create your own Threat Intelligence platform or buy an existing solution?

Again, it depends on your needs, your organization and your resources:

  • Do you have the resources and skills to build and maintain a Threat Intelligence platform?
  • Can you create a better and/or more cost-effective platform than the existing ones?
  • Does your organization have needs that are too specific for standard platforms?
  • Will your in-house platform be able to keep up with the constant evolution of threats?

It may be interesting to build your own platform if:

  • your resources allow you to build and maintain the most comprehensive Threat Intelligence platform possible for at least 3 to 5 years;
  • your needs do not match what is available on the market.

Otherwise, using a supplier or manufacturer of Threat Intelligence platforms will most likely be more advantageous.

Step 4: Let's do it again!

Once the platform has been chosen and implemented, all that remains is to restart the process. Why? Because a Threat Intelligence program is iterative and must be continuously improved and updated. Sources will become obsolete and new ones will appear to replace or supplement them in the face of new threats.

Each time sources are added, a verification period is required to ensure that they do not generate too many false positives and that they add value to your TI solution. It will also be necessary to enrich existing data by new means, whether using other sources or algorithms.

The more mature the program, the more comprehensive and context-rich it will be. Of course, no more information should be added than can be effectively managed. As with all security solutions, the most important thing is to find a balance between what you can process and what you need to maintain or increase your company’s security.

The best Threat Intelligence solutions are able to contextualize their information and qualify their alerts using multiple external sources and internal indicators. As a result, the alerts that are ultimately pushed to analysts are fewer and of much higher quality, allowing them to make decisions more easily, quickly and proactively.

Maintain a strategic approach

Although it is essential to be able to identify malicious traffic and react to it instantly, this should not be the final goal of Threat Intelligence. Adopting a more strategic approach will allow a company with a sufficiently mature program to:

  • identify emerging threats to its sector, competitors, vendors and suppliers;
  • obtain useful information for the entire security strategy;
  • discover new threats, methods of attack and exploits before they become a danger;
  • analyze threat trends and thus be able to organize its resources in such a way as to protect itself from them.

About the blogger

Mathilde Poulbot is an engineer apprentice at Orange Cyberdefense. A graduate of the Saint-Malo University of Technology, she is currently studying at the Ecole Nationale Supérieure d’Ingénieurs de l’Université de Bretagne-Sud (ENSIBS).
