Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Operationalizing Threat Intelligence

You're reading from   Operationalizing Threat Intelligence A guide to developing and operationalizing cyber threat intelligence programs

Arrow left icon
Product type Paperback
Published in Jun 2022
Publisher Packt
ISBN-13 9781801814683
Length 460 pages
Edition 1st Edition
Arrow right icon
Authors (2):
Arrow left icon
Joseph Opacki Joseph Opacki
Author Profile Icon Joseph Opacki
Joseph Opacki
Kyle Wilhoit Kyle Wilhoit
Author Profile Icon Kyle Wilhoit
Kyle Wilhoit
Arrow right icon
View More author details
Toc

Table of Contents (18) Chapters Close

Preface 1. Section 1: What Is Threat Intelligence?
2. Chapter 1: Why You Need a Threat Intelligence Program FREE CHAPTER 3. Chapter 2: Threat Actors, Campaigns, and Tooling 4. Chapter 3: Guidelines and Policies 5. Chapter 4: Threat Intelligence Frameworks, Standards, Models, and Platforms 6. Section 2: How to Collect Threat Intelligence
7. Chapter 5: Operational Security (OPSEC) 8. Chapter 6: Technical Threat Intelligence – Collection 9. Chapter 7: Technical Threat Analysis – Enrichment 10. Chapter 8: Technical Threat Analysis – Threat Hunting and Pivoting 11. Chapter 9: Technical Threat Analysis – Similarity Analysis 12. Section 3: What to Do with Threat Intelligence
13. Chapter 10: Preparation and Dissemination 14. Chapter 11: Fusion into Other Enterprise Operations 15. Chapter 12: Overview of Datasets and Their Practical Application 16. Chapter 13: Conclusion 17. Other Books You May Enjoy

What to do with threat intelligence

Every organization has different levels of stakeholders that exist within each of its own IT security groups. This includes the frontline defenders working in the SOC up to the CEO of an organization. CTI informs the entire organization in this chain, and as such, the context it provides allows for tactical and strategic decision-making at every level along the way. Further, the context provided by the CTI allows stakeholders to identify and prioritize which of the pieces of intelligence should be utilized and actioned first.

From the start, it's a no-brainer to utilize technical CTI to improve the effectiveness of internal security architectures to assist in blocking attacks or access to malicious C2, to identify vulnerable systems and patch software to reduce the security footprint of an infrastructure, and to identify possible security alerts and triage these events from the SOC and IT support groups.

The tactical CTI provided can assist with signature generation within your enterprise by focusing on blocking the TTPs utilized by the threat actors. This can be through the utilization of threat frameworks such as MITRE's ATT&CK framework (https://attack.mitre.org/), which we will discuss in greater detail in a later chapter, but it can be also utilized by operational groups such as incident responders, forensics, and security researchers to assist them in identifying and analyzing much larger and more complex attacks.

From the identification of any key event, these business organizations will look toward the CTI to assist in identifying numerous things, including the following:

  • What tactics are being utilized by the threat actors targeting the organization?
  • How does the attack work?
  • Are there any additional attack characteristics elsewhere across the organization?
  • What do we need to do to remediate immediately or at least stop an ongoing attack?
  • What internal assets are they targeting?

Tactical CTI can accelerate the response to key events such as that referenced previously by providing context around security data and information. Additionally, security practitioners can continue to hunt and pivot off of indicators and information collected during the response process to enrich the operational investigation along the way. Further tactical CTI can assist with remediation. The knowledge of the threat actor's TTPs can assist in the identification of probable systems that have been compromised and help with the identification of IOC discovery during incident response and forensics.

Finally, the operational and strategic benefits could allow executives of an organization to make security posture improvement decisions for the corporation before they become a victim of an attack, allow for appropriate strategic investment into security, and most importantly, be the organizational cheerleader for security within the organization, putting the importance on security at every level of employee. Actions such as these will ensure the immediate security posture improvement of an organization, reduce the footprint of corporate risk, and keep the reputation of your corporate brand in good standing.

You have been reading a chapter from
Operationalizing Threat Intelligence
Published in: Jun 2022
Publisher: Packt
ISBN-13: 9781801814683
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime