What to do with threat intelligence

Every organization has different levels of stakeholders that exist within each of its own IT security groups. This includes the frontline defenders working in the SOC up to the CEO of an organization. CTI informs the entire organization in this chain, and as such, the context it provides allows for tactical and strategic decision-making at every level along the way. Further, the context provided by the CTI allows stakeholders to identify and prioritize which of the pieces of intelligence should be utilized and actioned first.

From the start, it's a no-brainer to utilize technical CTI to improve the effectiveness of internal security architectures to assist in blocking attacks or access to malicious C2, to identify vulnerable systems and patch software to reduce the security footprint of an infrastructure, and to identify possible security alerts and triage these events from the SOC and IT support groups.

The tactical CTI provided can assist with signature generation within your enterprise by focusing on blocking the TTPs utilized by the threat actors. This can be through the utilization of threat frameworks such as MITRE's ATT&CK framework (https://attack.mitre.org/), which we will discuss in greater detail in a later chapter, but it can be also utilized by operational groups such as incident responders, forensics, and security researchers to assist them in identifying and analyzing much larger and more complex attacks.

From the identification of any key event, these business organizations will look toward the CTI to assist in identifying numerous things, including the following:

• What tactics are being utilized by the threat actors targeting the organization?
• How does the attack work?
• Are there any additional attack characteristics elsewhere across the organization?
• What do we need to do to remediate immediately or at least stop an ongoing attack?
• What internal assets are they targeting?

Tactical CTI can accelerate the response to key events such as that referenced previously by providing context around security data and information. Additionally, security practitioners can continue to hunt and pivot off of indicators and information collected during the response process to enrich the operational investigation along the way. Further tactical CTI can assist with remediation. The knowledge of the threat actor's TTPs can assist in the identification of probable systems that have been compromised and help with the identification of IOC discovery during incident response and forensics.

Finally, the operational and strategic benefits could allow executives of an organization to make security posture improvement decisions for the corporation before they become a victim of an attack, allow for appropriate strategic investment into security, and most importantly, be the organizational cheerleader for security within the organization, putting the importance on security at every level of employee. Actions such as these will ensure the immediate security posture improvement of an organization, reduce the footprint of corporate risk, and keep the reputation of your corporate brand in good standing.