adimas - Fotolia

Building a threat intelligence framework: Here's how

A robust threat intelligence framework is a critical part of a cybersecurity plan. A top researcher discusses what companies need to know.

Cyber threat intelligence has become a critical tool for organizations trying to defend their networks. A 2019 survey from the cybersecurity-focused SANS Institute found that 72% of survey respondents are either consuming or producing cyber threat intelligence (CTI). Only 8% say they don't use it and have no plans to start. Yet how well organizations leverage CTI is a different story. The same survey found that only 30% of responding organizations have documented their CTI requirements while 37% have only ad hoc provisions. That leaves one-third of responding organizations without any defined CTI standards. How should organizations build a threat intelligence framework? TechTarget put that question, and others, to Tom Hegel, a security researcher with AT&T Cybersecurity. Here are his thoughts.

How does threat intelligence fit into cybersecurity today?

Tom Hegel: It's slowly shifting from a buzzword to an actual true program. It's been part of the cybersecurity industry, but it's becoming a specialty in terms of careers and training [materials], with experts trained in the cyber realm of threat intelligence.

What defines threat intelligence?

Hegel: Intelligence is basically evidence-based context to data. You think about all the data about everything that's happening on the internet. That's not too useful. But if you add context beyond that, you start organizing that data in a way that gets value out of it for various uses; that's intelligence. Defenders primarily benefit from threat intelligence because it allows them to understand what an attacker is doing and how to stop or prevent an attack -- or in our case, potentially track attackers to catch them proactively. But a dump of bad IP addresses, or something like that, isn't really threat intelligence; it's more of a data feed. However, if you say, 'Here's a bad IP address and for a five-minute period six months ago it was attacking this industry,' that's where you start to move into intelligence. The more sophisticated intelligence providers are providing reports and tracking mechanisms on adversaries which may specialize in compromising organizations that are a particular target. You can buy [threat intelligence] from really good sources and really bad sources, and you can also create your own source internally if you have the right analysts on your team. Something as simple as scraping Twitter can be an intelligence collection method.

Tom Hegel, AT&T cybersecurity researcherTom Hegel

Do most organizations make the most of threat intelligence?

Hegel: There are a lot of different ways we can benefit from threat intelligence. Some organizations tend to intake it and just add it to something that automates alerts and so forth. But I would say most organizations don't truly use it at this point, while the organizations that are using it are probably making the best of it.

Should everyone develop a security program that relies on a threat intelligence framework?

Hegel: It's a step in the right direction. One of the biggest issues I see is organizations trying to implement threat intelligence into a security program they have internally that just isn't ready for it. If you're unable to keep up with the basic best practices or standard operating procedures, such as patch update cycles, and you're adding threat intelligence on top of that, you're just adding more work [and] you'll get overwhelmed. So you have to be ready for it; you can't just dump it in there. A lot of the times it doesn't come down to the size of the organization but more just the sophistication of the [internal] team and program.

What needs to be in place at an organization in order for it to embark, or advance, its use of threat intelligence?

Hegel: The main issues really are the budget and the resources behind the team -- human and technical resources. And tools -- if they don't have the proper tools to implement and operationalize [the threat intelligence], then there's no reason to start buying it. And organizations also need the right toolsets and processes internally to intake and disseminate it, because intelligence that's just sitting there by itself or on a spreadsheet isn't useful. So you have to be able to automate the process of intaking it and then have processes built out so you can properly respond to things occurring based on that threat intelligence.

How can an organization ensure its threat intelligence framework is valuable and relevant?

Hegel: There is an incredible amount of intelligence that's being produced and shared online for free. The biggest challenge is you need to first define your goals and needs and purpose of consuming that intelligence. For a lot of organizations, the goal is obviously to protect the organization. But you need to define the specifics around it. That includes things you'd call intelligence requirements. An example would be [knowing] what actors are interested in targeting organizations that are relevant to me, based on my industry or my location or people I do business with. Having that defined allows you to focus on the types of intelligence you need to collect, in addition to what you actually can collect, based on your toolset. If you don't have the ability to consume [certain pieces of information] then there's no point in collecting that yet. You also need to prioritize everything, such as the impact and likelihood. That will allow you to go for the biggest bang for your buck first, rather than focusing on small things. That's a mistake organizations make: going after the threat being reported in the news [although they're more likely] to be compromised by the commodity things on the side.

So what's the right approach?

Hegel: You have to assess what is going to have the greatest impact and the likelihood of that against your organization. For most organizations out there, it's something like ransomware. Ransomware that gets in the right spot can shut down the business for weeks, permanently in some cases, but yet [many organizations] would focus on this big APT [advanced persistent threat] that's probably not even interested in their industry or organization at all. So they should prioritize what is relevant at that time and evolve as time goes on.

Editor's note: This interview has been lightly edited for length and clarity.

Next Steps

Threat intelligence programs need updating -- and CISOs know it

Dig Deeper on Security analytics and automation