Argus - Fotolia

How to use threat intelligence in your business

Threat intelligence can be very handy, but just how useful and appropriate it will be depends largely on the security maturity of an organisation

One of the key challenges facing cyber security teams is how they should use their budget to best defend the business. There are countless suppliers promising to enhance security, but making a decision on where to invest that budget for the greatest impact is difficult.

Rather than trying to defend against every conceivable threat, cyber security teams should consider who might attack them, and their capabilities and motivation. One of the key factors in this is understanding these threats, and this is where threat intelligence can be a very handy tool.

At this point we should ensure that we understand the difference between threat information and threat intelligence, as many tools will claim to be more than they are.

Threat information is simply a stream of unsorted data; useful only if you can apply the analysis yourself and know how to use it.

Threat intelligence applies human analysis to it, tailoring it to your market and ideally your business. This provides much greater value, and when choosing a threat intelligence provider it is important to ask how their analysis is done and how much it is tailored to you.

However, to make best use of threat intelligence your organisation needs to be of a certain maturity level in terms of security. If your organisation is still putting in the basic defences, a one-off threat and risk analysis workshop would be much more suitable than paying for a threat intelligence feed.

Once you have chosen a threat intelligence provider, you then need to ensure that someone in the business is responsible for taking that information and incorporating it into your cyber defences.

This could be managed by a security operations centre (SoC) but, if not, you need someone knowledgeable in the team that understands the information that is coming from the threat intelligence.

Turning information into action

The intelligence feed can be wasted if there is no one capable of interpreting it into something actionable. Unfortunately, just paying for the feed is not enough.

Most threat intelligence suppliers will provide you access to a portal where you can log in and see the latest threat actors and the attacks they are conducting. Interpreting how this information can affect your business is key, and then it needs to be translated into actions.

An example situation would be that a specific threat actor such as a hacktivist group is known to be targeting businesses in your sector, and the threat intelligence feed shows they are using phishing and gives examples of the email they are using, taken from reports of their activity.

A sensible course of action would be to send an alert to all staff with a screenshot of the email, showing them what to look out for and how they should report the email if they see it. The staff should already have been trained on basic email defence techniques, and now you are able to build on this training by making people aware of a specific threat that has been identified from your threat intelligence feed.

A good threat intelligence feed can also allow you to invest wisely in technological defences. Use the threat intelligence to see what type of data the attackers are most likely to target in your business sector, and then focus your defences to protect those key assets, perhaps by using encryption at rest, or segregating the data and restricting who has access to it.  

Read more about threat intelligence

You can also create an intelligence-led incident response plan should these assets be compromised. It can allow you to prioritise assets that you may not have previously perceived as a high value target, if the intelligence says that the threat actors are targeting that data.

It also allows you to understand the attackers’ methods and therefore how technology might help prevent those attacks. For example, if the threat intelligence specific to your business sector is showing that the primary attack vector is email phishing with malicious attachments, a cloud-based sandbox system might be a wise investment.

To conclude, to use threat intelligence successfully, the way it is going to be managed and implemented must be thought about before the investment is made.

A quality threat intelligence feed is not cheap, so to use it effectively you need knowledgeable staff who are able to translate the findings and recommendations from the feed into something actionable for the organisation. If you can do this, it can be a powerful tool to help plan and respond to threats specific to your business.

Read more on Hackers and cybercrime prevention