The threat intelligence system and its importance

Every organization is concerned about the data it holds and how to secure it; sensitivity toward data is at an all-time peak. To keep data safe and detect threats to it proactively, we must have proper and effective threat intelligence in place. Threat intelligence is achieved by acquiring specific threat information (intelligence) about systems, processes, networks, applications, perimeter defense mechanisms, and other IT assets. This data is collected, analyzed, and enriched to produce proactive and actionable threat intelligence. Threat intelligence matters because current-generation threats are highly sophisticated and difficult to detect: we must acquire very specific information and search for signs of compromise using actionable content from threat-intel sources. To stay ahead of advanced threats, it is essential that we feed our analytic and correlation systems with proper threat data.

Any effective and mature threat-intelligence system must collect and categorize threat information in real time to produce actionable threat intelligence that SIEM and incident-response systems can analyze and correlate against the security alerts and events they monitor. The alerts produced by the threat-intel system also empower SOC professionals to create custom signatures for further detection. Threat intelligence systems gather information related to incidents, events and logs, security vulnerabilities, and recent and past attack data. This includes detection data from the organization's security and network devices along with information from external threat feeds. You can also set up a honeypot to collect attack information and use it as threat data.

Data collection needs to be focused and meaningful for the organization that intends to use it, because every business is different, with distinct needs and types of infrastructure. Threat intelligence collection and feeds need to suit each business; non-relevant intelligence data leads to wrong assumptions, and the potential to miss an attack or compromise is greater. For threat intelligence to be effective, intelligence data must be collected in a centralized manner, as the system collects threat and vulnerability information from a wide range of locations and devices in order to correlate it. You must collect data from both internal and external sources, since combined they provide more detailed information on threats and attack vectors specific to your industry or organization. Also focus on collecting information about any ongoing global attack, its attack vectors, and the related mitigation instructions and detection parameters from agencies such as government CERTs, NIST, and ENISA, along with industry sources such as Cisco, Symantec, McAfee, Microsoft, and RSA. You may also draw on open source threat intel (OSINT) sources such as the SANS Internet Storm Center and Open Threat Exchange.

All this collected threat information needs to be properly categorized and segregated by threat type and by its importance to the business entity and function. Categorization can, for example, be based on the geolocation of the business unit, the business applications you are using, and your IT infrastructure. Geolocation is important for identifying where a threat originated so that you can focus on the affected business locations as a priority; it also helps establish whether the attack is targeted at your organization or at a country. This lets you pinpoint the most affected business function, application, or unit and gives you room for remediation in advance, or at least on time, before it is too late. It also helps you define proper mitigation and detection strategies, so that you use your resources effectively, as they are always limited regardless of the size of the organization.

A successful and mature threat-intelligence system must also be able to generate and distribute reports about its findings and related investigations to help everyone involved in security protection, investigation, and monitoring carry out their work at the operational, engineering, and strategic levels, including decision-making by governance bodies. Reporting can be done through real-time methods or by publishing online advisories. A security threat intelligence advisory may also be shared among industry peers through sharing standards such as STIX (for structured exchange) and the Traffic Light Protocol (for marking how widely an advisory may be redistributed), so that everyone can take advantage of it and stay ahead of attacks.
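The workflow described above (correlate feed indicators with SIEM events, enrich each hit with business-unit and threat-origin context, then decide what may be shared with peers under TLP) as a small added example; this is not code from the original text. The indicator feed, the subnet-to-business-unit mapping and the SIEM events are all constructed sample data, and the STIX pattern parser assumes a single equality comparison per pattern.

```python
"""Correlate a threat feed with SIEM events, enrich hits, and filter them for sharing.
Added example with constructed data; not from the original text."""
import ipaddress
import json

# Constructed feed shaped like STIX 2.1 indicators (assumption: one "[key = 'value']"
# comparison per pattern; real STIX patterns can be far more complex).
THREAT_FEED = [
    {"pattern": "[ipv4-addr:value = '203.0.113.45']", "threat_type": "c2",
     "origin_country": "XX", "tlp": "amber"},
    {"pattern": "[domain-name:value = 'malicious.example']", "threat_type": "phishing",
     "origin_country": "YY", "tlp": "green"},
]
# Constructed mapping of internal subnets to business units / locations.
BUSINESS_UNITS = {"10.1.0.0/16": "finance-eu", "10.2.0.0/16": "retail-us"}
# Which SIEM event field each STIX object path is matched against.
FIELD_FOR = {"ipv4-addr:value": "dst_ip", "domain-name:value": "query"}

def parse_pattern(pattern):
    """Turn "[ipv4-addr:value = '1.2.3.4']" into ("ipv4-addr:value", "1.2.3.4")."""
    key, _, value = pattern.strip()[1:-1].partition("=")
    return key.strip(), value.strip().strip("'")

def business_unit(ip):
    """Geolocate an internal source address to its business unit."""
    addr = ipaddress.ip_address(ip)
    return next((u for c, u in BUSINESS_UNITS.items() if addr in ipaddress.ip_network(c)),
                "unknown")

def correlate(events, feed=THREAT_FEED):
    """Return one enriched alert per event field that matches a feed indicator."""
    index = {parse_pattern(ind["pattern"]): ind for ind in feed}
    alerts = []
    for ev in events:
        for stix_key, field in FIELD_FOR.items():
            ind = index.get((stix_key, ev.get(field)))
            if ind:
                alerts.append({"src_ip": ev["src_ip"], "matched": ev[field],
                               "threat_type": ind["threat_type"],
                               "origin_country": ind["origin_country"],
                               "business_unit": business_unit(ev["src_ip"]),
                               "tlp": ind["tlp"]})
    return alerts

def shareable_with_peers(alerts):
    """TLP:CLEAR and TLP:GREEN may go to the wider community; AMBER/RED stay internal."""
    return [a for a in alerts if a["tlp"] in ("clear", "green")]

# Constructed SIEM events (firewall and DNS logs normalised to one JSON shape).
SAMPLE_EVENTS = [
    {"src_ip": "10.1.4.20", "dst_ip": "203.0.113.45", "query": None},
    {"src_ip": "10.2.7.9", "dst_ip": "198.51.100.7", "query": "malicious.example"},
    {"src_ip": "10.2.7.9", "dst_ip": "198.51.100.8", "query": "example.com"},
]

if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_EVENTS), indent=2))
```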