When it comes to threat intelligence, having the most accurate, relevant data on existing and evolving cyber threats is crucial. Actionable threat intelligence empowers security leaders to bolster their defences by pinpointing vulnerabilities targeted at their organisations. This focused intelligence enables them to prioritise security resources accordingly.
Consequently, it comes as no surprise that improving threat intelligence capabilities is one of the top tactical security priorities for security and risk leaders, according to the Forrester Security Survey, 2022, as cited by Brian Wrozek of Forrester, who was featured as a guest speaker in a recent Silobreaker webinar.
But what about threats that are better managed at the operational and strategic levels through threat intelligence? And how can you connect the dots between tactical intelligence and your organisation’s wider strategic posture in an actionable way?
These are the questions we will explore in this blog as we delve into insights from the webinar about how to prioritise and address risk with actionable threat intelligence, across the whole organisation.
What is actionable intelligence and how does it work?
Actionable intelligence is specific, relevant and timely information that enables security teams to take concrete steps to identify and address threats, enhance their defences and mitigate security risks effectively.
Actionable threat intelligence is derived from a combination of data collection, analysis, and contextualisation. While specific methods may vary, it is typically collected from a wide range of sources that include open sources, deep and dark web sources, and technical feeds. It may also integrate with internal data sources, such as network logs, firewall data and threat feeds.
This intelligence is tailored to the unique priority intelligence requirements of an organisation. It provides insights like the nature of threats, their potential impact and guidance on how to respond. These insights allow security teams to detect, prevent and respond to threats in real-time – supporting ongoing defensive operations and informed decision-making.
How to prioritise risk, vulnerabilities and threats
According to Brian’s presentation on the webinar, threats are happening daily and in quick succession, and CISOs are hungry for information to help them make better decisions. Organisations need to be able to take decisive action and that’s where threat intelligence is most valuable.
When it comes to cyber risk prioritisation, there are different types of threat intelligence that can be leveraged in different ways, including strategic, operational and tactical intelligence, as described in Forrester’s recent threat intelligence best practices report.
According to Brian’s presentation on the webinar, strategic threat intelligence is high-level and its audience is typically CISOs or other business executives. It comes in the form of finished reports and provides a more holistic, longer-term view of threats. Operational threat intelligence pertains to the day-to-day security operations of your security team. Tactical threat intelligence focuses on specific indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) that have an immediate impact on security operations centres’ threat detection and response efforts.
Understanding these distinctions can help your organisation with risk prioritisation and utilise threat intelligence more effectively.
Examples of risk-based decision making
Tactical threat intelligence
Starting with tactical cyber threat intelligence, this involves the collection, analysis and dissemination of actionable cyber intelligence. The first example is escalating a patch deployment.
According to Forrester, every day new vulnerabilities are released, creating an operational headache for security professionals managing large or globally distributed environments. Attempting to patch every high vulnerability within 30 days can be a struggle. Threat intelligence enables security teams to adopt a more selective approach. It helps them identify actively exploited vulnerabilities and those targeted by threat actors within your industry. This selectivity allows for a prioritised patch deployment strategy and better use of limited time and resources.
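As an added illustration of the selective approach described above (example code written for this post, not Forrester's or Silobreaker's own logic), the script below ranks a constructed vulnerability backlog by the two intelligence signals the text names, active exploitation and targeting of your industry, and shortens the baseline patch window accordingly. The 30-day window for "high" comes from the text; the other windows, the score weights and the `VULN-*` identifiers are assumed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Vuln:
    vuln_id: str             # placeholder identifiers, not real CVE numbers
    severity: str            # "critical", "high", "medium" or "low"
    exploited: bool          # intelligence reports active exploitation in the wild
    industry_targeted: bool  # used by threat actors known to target our sector
    assets: int              # affected hosts in our estate

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}
# Baseline patch windows in days. The 30-day window for "high" is the one the
# post cites; the other values are assumed policy numbers for illustration.
BASELINE_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

def priority_score(v: Vuln) -> int:
    """Intelligence-led score: exploitation and sector targeting outweigh raw severity."""
    score = SEVERITY_RANK[v.severity] * 10
    if v.exploited:
        score += 100
    if v.industry_targeted:
        score += 50
    return score + min(v.assets, 20)  # mild weighting for blast radius

def patch_deadline(v: Vuln, today: date) -> date:
    """Escalate the baseline window when intelligence says the bug is being used."""
    days = BASELINE_DAYS[v.severity]
    if v.exploited:
        days = min(days, 7)   # assumed escalation: one week for actively exploited bugs
    elif v.industry_targeted:
        days = min(days, 14)  # assumed escalation: two weeks for sector-targeted bugs
    return today + timedelta(days=days)

def prioritised_queue(vulns, today):
    """Return (id, score, deadline) tuples, highest priority first."""
    ranked = sorted(vulns, key=priority_score, reverse=True)
    return [(v.vuln_id, priority_score(v), patch_deadline(v, today).isoformat())
            for v in ranked]

# Constructed sample backlog; exploitation/targeting flags would come from the TI feed.
SAMPLE_VULNS = [
    Vuln("VULN-A", "critical", False, False, 40),
    Vuln("VULN-B", "high", True, False, 5),
    Vuln("VULN-C", "high", False, True, 12),
    Vuln("VULN-D", "medium", True, True, 3),
]
TODAY = date(2024, 1, 1)  # fixed so the output is reproducible
```

Note that the unexploited critical (`VULN-A`) lands at the bottom of the queue while an exploited, sector-targeted medium (`VULN-D`) lands at the top, which is exactly the reordering the text argues for.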
Another common use case of tactical intelligence is taking down rogue domains. For instance, where a threat actor creates a deceptive website, such as “Forester” spelled with a single ‘r’, for the purpose of social engineering employees or customers, the use of threat intelligence can swiftly detect and facilitate the takedown of such fraudulent sites.
According to Forrester’s research, this proactive approach helps minimise potential risks and impacts associated with such attacks. Moreover, this takedown service extends beyond domains and can apply to other deceptive elements, like counterfeit social media profiles or rogue mobile apps posing as a legitimate company’s app in app stores. Utilising tactical threat intelligence can guide decisions to address the most critical risks promptly, adding significant value by offering rapid protection for both your company and its customers.
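As an added example of the detection step behind the “Forester” case above (example code written for this post, not a Silobreaker or Forrester feature), the script below triages a constructed feed of newly registered domains against a protected brand label, flagging one-letter typos, digit-for-letter homoglyph swaps and domains that embed the brand. The brand value, the homoglyph table and the sample domains are all assumed for illustration.

```python
BRAND = "forrester"  # assumed protected label, taken from the post's "Forester" example

# Common character substitutions seen in look-alike registrations (constructed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalise(label: str) -> str:
    """Undo simple homoglyph tricks so 'f0rrester' compares as 'forrester'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-letter drops or insertions such as 'forester'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    """Second-level label; assumes single-part public suffixes for simplicity."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_reason(domain: str, brand: str = BRAND, max_distance: int = 1):
    """Return why a domain looks like the brand, or None if it does not."""
    label = registrable_label(domain)
    if label == brand:
        return None  # exact brand label: the genuine registration, not a look-alike
    norm = normalise(label)
    if norm == brand:
        return "homoglyph"
    if levenshtein(norm, brand) <= max_distance:
        return "edit-distance"
    if brand in norm:
        return "brand-embedded"  # e.g. brand-login.example
    return None

def flag_lookalikes(domains, brand: str = BRAND):
    """Filter a feed of domains down to those worth a takedown review."""
    return [(d, lookalike_reason(d, brand)) for d in domains if lookalike_reason(d, brand)]

# Constructed sample feed of new registrations.
NEW_REGISTRATIONS = ["forester.com", "forrester.com", "f0rrester.net",
                     "forrester-login.example", "example.org", "forrestter.co"]
```

Each flagged entry carries the reason it matched, which is what an analyst needs when deciding whether to escalate a takedown request.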
Operational threat intelligence
According to Forrester, operational threat intelligence also involves the collection, analysis and application of actionable intelligence, but it is designed to support your ongoing defensive operations. It helps the decision-making process across your entire cybersecurity infrastructure.
This differs from tactical intelligence because it provides a much more comprehensive understanding of specific threat actor groups, highlighting their motives, capabilities and intent. It enables threat hunting – taking the TTPs of a particular threat actor group and using that information to find evidence of that threat actor or malicious software within your own environment.
Operational intelligence takes more effort and proactivity to action, and it is increasingly being used to manage customer and third-party risks. If security issues with a strategic partner or vendor are spotted, sharing that threat intelligence allows you to work with them to mitigate that risk. This then also protects your organisation from any potential attacks that could funnel through that provider and cascade into your environment.
This type of intelligence empowers organisations to better prioritise their efforts based on the potential impact and likelihood of threats.
Strategic threat intelligence
According to Forrester, strategic cyber threat intelligence focuses more on the long-term view of risks – the overarching threats and risks faced by your organisation. This includes how the threat landscape is evolving and what the capabilities and intentions of different threat actors are.
For example, if there has been a marked rise in ransomware attacks targeting the healthcare industry, healthcare industry CISOs may need to consider upgrading their backup systems to ensure that if data is compromised, it can be restored – minimising data loss and downtime, and ensuring continuity of care. They may also need to build a more aggressive incident response playbook.
Similarly, if ransomware attacks are targeting particular regions, it’s vital for businesses looking to expand in those areas to understand the risks. In terms of mergers and acquisitions, are there any nation-state hackers to worry about and how would that impact the acquisition?
Geopolitical risks may not change executives’ minds about moving forward with expansion plans, but they may prompt them to increase their investments in security technology. This is particularly relevant when considering setting up facilities in regions with higher risk profiles than previous locations.
Solutions for actionable threat intelligence
Brian’s presentation suggests that whether threat intelligence is strategic, operational or tactical, actionable intelligence can significantly enhance business decision-making, both in the long and short term. Armed with the right intelligence, organisations can confidently adjust their priorities and resource allocation to better align with the changing threat landscape.
But the time and resources required for intelligence teams to manually collect, process and analyse at scale are a significant obstacle to generating actionable intelligence.
Silobreaker collects and connects all your intelligence data, accelerates analysis, and brings reporting and communication together in a single workflow to save time, increase ROI, and reduce risk faster. Silobreaker starts by helping you identify effective priority intelligence requirements (PIRs), then automatically selects, collects and aggregates the most comprehensive range of open source, deep and dark web and finished intelligence sources.
The Silobreaker Relevance Engine tunes out false positives and reveals connections between threat actors and Tactics, Techniques and Procedures targeting your technology, organisation and industry. By leveraging Silobreaker’s capabilities, businesses can enhance their ability to prioritise risks effectively, make informed decisions, and proactively safeguard their digital assets against evolving threats.