Rapid7: 4 Simple Steps to an Effective Threat Intelligence Program

Threat intelligence is a critical part of an organization’s cybersecurity strategy, but given the speed with which the state of cybersecurity is changing, is the traditional model still relevant?
Whether you’re a cybersecurity expert or someone looking to build a threat intelligence program from scratch in 2021, this simple framework transforms the traditional model, so it can apply to today’s landscape. It builds on the technologies available today and can be implemented in four simple steps.
A quick overview of the threat intelligence framework
The framework we’ll be referring to here is called the Intelligence Cycle, which is broken down into four phases: direction, collection, analysis, and dissemination.
This is the traditional framework you can use to implement a threat intelligence program in your organization. Let’s take a closer look at each phase, update it for modern times, and explain how you can follow it in 2021.
To do this, we’ll use a credential leak as our running example, which is a very important use case today. According to Verizon’s 2021 Data Breach Investigations Report, credentials remain one of the most sought-after types of data, and they are the type of data compromised the fastest. As such, credential leakage is an area organizations of all sizes need to know and understand, making it an optimal choice for illustrating how to build an effective threat intelligence program.
1. Define a direction
The first step in this process is to set the direction for your program, which means defining what you are looking for and which questions you want to ask and answer. To help you, you can create priority intelligence requirements (PIRs) and a desired outcome.
For your PIRs and the desired outcome, you should aim to be as explicit as possible. For the credential leak example, let’s define our PIR as: “I want to identify all usernames and passwords belonging to my employees that have been exposed to an unauthorized party.”
We have selected these credentials for this example because they are risky for the organization. Depending on your needs, you may identify other credentials that pose a higher risk, but this is the type we are focusing on for this use case.
With this very specific PIR defined, we can now determine a desired outcome, which would be something like: “I want to force a password reset for any of these credentials that are in use in the business environment before threat actors can use them.”
This is crucial, and later we will see how the desired outcome influences how we build this threat intelligence program.
2. Identify the data to collect
Once you have defined your PIRs and the desired outcome, you need to map the intelligence sources that will serve those requirements.
For this use case, let’s identify how threat actors obtain credentials. Here are some of the most common sources:
- Endpoints (typically harvested by botnets)
- Third-party breaches
- Code repositories
- Forum posts / pastebin
- Dark web black markets that buy / sell credentials
In the past, you may have turned to individual vendors to help you in each of these areas. For example, you might have worked with an organization that specializes in endpoint security and another that handles incident response for third-party breaches. But today, you’re better off finding a provider who can cover all the sources you need and provide full coverage for all areas of risk, especially for something like credential leakage.
Either way, by mapping these sources, you define the areas you need to focus on for analysis.
3. Select your analysis approach
Then comes the analysis. You can take one of two approaches:
- Automated analysis: You can take advantage of AI or sophisticated algorithms that classify relevant data into credential leak alerts, from which emails and passwords can be extracted in a machine-readable form.
- Manual analysis: You can manually analyze the information by pulling all the data together and having the analysts on your team review it and decide what is relevant to your organization.
The biggest advantage of manual analysis is flexibility. You can put more human resources, intelligence, and insight into the process so that only what is relevant surfaces. But there are also downsides; for example, this process is much slower than automated scanning.
In the first phase of our program, we specified that we wanted to force password resets before threat actors exploit the credentials in a cyberattack. This means that speed is crucial in this use case. Now you can see how the desired outcome helps us decide which approach to take for analysis.
Automated analysis also requires significantly fewer resources. You don’t need a team of analysts to sort through the raw data and pull out what’s relevant. Classification of, and alerting on, credential leaks is fully automated. Additionally, if threats are automatically categorized, they can usually be automatically remediated as well.
Let’s look at this in practice: Suppose your algorithm finds an email and password mentioned on a forum. The system can categorize the incident and extract the relevant information (e.g. email / username and password) in a machine-readable format. A response can then be applied automatically, such as forcing a password reset for the affected user.
As you can see, there are pros and cons to each approach. When you weigh them against the desired outcome, it’s clear that we should take the automated approach for our credential leak use case.
4. Disseminate the analysis to take action
Finally, we come to the last phase: dissemination. Traditionally, when it comes to the intelligence cycle and the dissemination of threat intelligence, we are talking about sending alerts and reports to relevant stakeholders for review, so that they can take action and respond accordingly.
But, as our example in the previous section shows, the future (and current state) of this process is fully automated remediation. With that in mind, we don’t just need to discuss how we distribute alerts and information across the organization; we also need to think about how we can take the intelligence and deliver it to security systems that prevent the attack before it happens.
For leaked credentials, that could mean sending the intelligence to Active Directory to automatically force a password reset without human intervention. This is a great example of how switching to an automated solution can dramatically reduce remediation time.
Again, back to our PIR and the desired outcome: we want to force a password reset before the threat actor uses the password. Speed is the key here, so we absolutely need to automate remediation. As such, we need a solution that pulls information from the sources we have mapped, automatically generates an alert with the extracted information, and then automatically remediates the threat to reduce risk as quickly as possible.
This is what detection and response should look like in 2021.
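The following Python example, added here and not part of the original post or any Rapid7 product, walks the credential leak use case through the analysis and dissemination phases described above: it parses a constructed paste, keeps only pairs matching the PIR (our own domain), de-duplicates them without carrying cleartext passwords into the alert, and produces a remediation plan that forces a reset only for live accounts in a constructed directory standing in for Active Directory. The sample paste, the domain, and the directory are all invented for illustration; the actual reset call to the directory is out of scope and represented by the action records.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample of what a forum post / paste source might return; mixed separators, all values invented.
SAMPLE_PASTE = """\
alice@example-corp.com:Summer2021!
bob@example-corp.com;hunter2
someone@other-domain.net:qwerty
ALICE@Example-Corp.com:Summer2021!
garbage line with no separator
"""
# Constructed directory snapshot standing in for an Active Directory lookup (assumption).
DIRECTORY = {"alice@example-corp.com": {"enabled": True},
             "bob@example-corp.com": {"enabled": False}}
ORG_DOMAIN = "example-corp.com"  # assumed: the PIR covers only our own employees
PAIR_RE = re.compile(r"^\s*([^\s:;|]+@[^\s:;|]+)\s*[:;|]\s*(\S+)\s*$")

@dataclass
class CredentialAlert:
    email: str
    password_sha256: str  # fingerprint for de-duplication; the cleartext never leaves the parser
    source: str

def extract_alerts(raw_text: str, source: str, org_domain: str = ORG_DOMAIN) -> list:
    """Analysis phase: turn raw text into machine-readable alerts for our domain only."""
    seen, alerts = set(), []
    for line in raw_text.splitlines():
        m = PAIR_RE.match(line)
        if not m:
            continue  # not a credential pair; ignore
        email, password = m.group(1).lower(), m.group(2)
        if email.rsplit("@", 1)[1] != org_domain:
            continue  # outside the PIR
        digest = hashlib.sha256(password.encode()).hexdigest()
        if (email, digest) not in seen:  # same pair seen twice (case differences) is one alert
            seen.add((email, digest))
            alerts.append(CredentialAlert(email, digest, source))
    return alerts

def plan_remediation(alerts, directory=DIRECTORY) -> list:
    """Dissemination phase: force a reset on enabled accounts, route the rest to a human."""
    actions = []
    for a in alerts:
        acct = directory.get(a.email)
        if acct and acct["enabled"]:
            actions.append({"action": "force_password_reset", "account": a.email})
        else:
            actions.append({"action": "review", "account": a.email, "reason": "unknown or disabled"})
    return actions
```

Running `plan_remediation(extract_alerts(SAMPLE_PASTE, source="forum-paste"))` yields one forced reset for the enabled account and a review item for the disabled one; the off-domain pair is dropped and the duplicated pair is counted once.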
A simplified and modernized approach to threat intelligence
In summary, this revamped intelligence cycle is how you create an effective threat intelligence program today.
Start by identifying your PIRs and the desired outcome. Next, decide on a collection plan describing all the sources that will generate the relevant information. Then, for the vast majority of use cases, it is important to have an automated analysis algorithm that categorizes alerts quickly and accurately. Finally, you need to move from manual delivery to automated remediation, which can dramatically reduce remediation time, something that is more critical than ever given the current state of cybersecurity.
By following these steps, you can create an effective threat intelligence program, and with that foundation in place, you can refine it until you have a seamless process that saves your organization time and reduces risk at every level.
Curious to know more? Discover Rapid7’s approach to automatic detection and response here.
Disclaimer
Rapid7 Inc. published this content on October 15, 2021 and is solely responsible for the information it contains. Distributed by Public, unedited and unmodified, on October 15, 2021 03:21:04 PM UTC.