People often ask me, “What’s the purpose of cybersecurity?” I tell them that it serves to protect the valuable, intangible data assets of firms or private individuals, usually by trying to shrink the attack surface.
One way to achieve cybersecurity is to utilize threat intelligence research in your firm’s security plan. In this article, I will discuss the benefits of understanding and implementing a threat intelligence program.
Threat intelligence overview
To begin with, you have to understand threat intelligence. Having threat intelligence means that you:
- Understand the different tactics, techniques, and procedures that malicious actors use to compromise your company’s system and environment.
- Use that knowledge to create a more robust security posture, which is called having a “threat-informed defense.”
- Can engage with more security activities, like threat modeling.
Steps to a threat-informed defense
In order to use threat intelligence, it’s essential that you stay focused on your system and environment. You can do this by following these three steps:
- Find and understand where the holes and vulnerabilities are in your attack surface.
- Consider who wants to target your firm and what method(s) they’re likely to use.
- Use the MITRE ATT&CK Framework to fill in any gaps that you didn’t find in your initial research.
The processes that threat actors use to compromise systems are different from industry to industry, and often from firm to firm. Keeping that in mind when you are designing your systems is crucial for creating a threat-informed defense.
Threat intelligence framework
So, now you know what threat intelligence is. You're probably wondering if there is an organized framework or process that you can follow to implement it in your firm’s security posture. There is, as it turns out, and it’s one that I believe all firms should be using in some capacity in their security departments: the MITRE ATT&CK Framework.
The MITRE ATT&CK Framework is used to map out the different techniques and tactics that malicious threat actors use to compromise different firms’ systems. It goes into detail about the technologies they use and the types of businesses they target.
How MITRE ATT&CK works
The three main components of MITRE’s ATT&CK Framework, often referred to collectively as TTPs, are:
- Tactics
- Techniques
- Procedures
In this case, the tactics include the reasons why the attackers would want to attack your system and what they might be trying to do — such as privilege escalation, defense evasion or discovery. The techniques and procedures are the specific methods that they use to compromise your system. For example, if I were trying to do reconnaissance (which would be my tactic), there are many different techniques that I could use, such as:
- Active scanning
- Gathering victim host information
- Searching closed sources
MITRE also provides the ATT&CK Navigator, a tool that simplifies the whole process of understanding tactics, techniques and procedures.
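The three steps above (find your gaps, decide who is likely to target you, then use ATT&CK to fill in what you missed) and the tactic/technique structure just described can be turned into a simple coverage check. The following is an added example, not code from the article or from MITRE: it takes a hand-picked subset of ATT&CK technique IDs, a constructed list of techniques attributed to two hypothetical actor groups, and a constructed inventory of techniques your detections already cover, and reports the uncovered techniques ranked by how many relevant actors use them, grouped by tactic. The group names, the detection inventory and the actor-to-technique attribution are all assumptions for illustration; only the technique and tactic IDs are real ATT&CK identifiers.

```python
"""ATT&CK coverage gap analysis (added example, not from the article).

Assumptions: ATTACK_TECHNIQUES is a small hand-picked subset of the MITRE
ATT&CK Enterprise matrix; ACTOR_TTPS and DETECTION_COVERAGE are constructed
sample data, not real threat intelligence or a real detection inventory.
"""
from collections import defaultdict

# Subset of the ATT&CK Enterprise matrix: technique ID -> (name, tactic)
ATTACK_TECHNIQUES = {
    "T1595": ("Active Scanning", "TA0043 Reconnaissance"),
    "T1592": ("Gather Victim Host Information", "TA0043 Reconnaissance"),
    "T1597": ("Search Closed Sources", "TA0043 Reconnaissance"),
    "T1059": ("Command and Scripting Interpreter", "TA0002 Execution"),
    "T1068": ("Exploitation for Privilege Escalation", "TA0004 Privilege Escalation"),
    "T1070": ("Indicator Removal", "TA0005 Defense Evasion"),
    "T1082": ("System Information Discovery", "TA0007 Discovery"),
}

# Constructed: techniques reported for the actor groups that target our sector.
# A technique shared by more groups is a higher-priority gap.
ACTOR_TTPS = {
    "GroupAlpha (constructed)": {"T1595", "T1059", "T1068", "T1070"},
    "GroupBravo (constructed)": {"T1592", "T1059", "T1082", "T1070"},
}

# Constructed: techniques our current detection rules already cover.
DETECTION_COVERAGE = {"T1595", "T1059"}


def coverage_gaps(actor_ttps, coverage, techniques=ATTACK_TECHNIQUES):
    """Return uncovered techniques sorted by how many relevant actors use them.

    Each entry is (technique_id, name, tactic, actor_count).
    """
    usage = defaultdict(set)
    for group, ttps in actor_ttps.items():
        for tid in ttps:
            if tid not in techniques:
                raise ValueError(f"unknown technique {tid}")
            usage[tid].add(group)
    gaps = [
        (tid, techniques[tid][0], techniques[tid][1], len(groups))
        for tid, groups in usage.items()
        if tid not in coverage
    ]
    # Most-used first, then by ID so the output is stable
    gaps.sort(key=lambda g: (-g[3], g[0]))
    return gaps


def gaps_by_tactic(gaps):
    """Group gap entries by tactic to show which attack phase is least defended."""
    by_tactic = defaultdict(list)
    for tid, _name, tactic, _count in gaps:
        by_tactic[tactic].append(tid)
    return dict(by_tactic)


def coverage_ratio(actor_ttps, coverage):
    """Fraction of techniques used by relevant actors that have a detection."""
    relevant = set().union(*actor_ttps.values())
    return len(relevant & coverage) / len(relevant)


if __name__ == "__main__":
    gaps = coverage_gaps(ACTOR_TTPS, DETECTION_COVERAGE)
    for tid, name, tactic, count in gaps:
        print(f"{tid} {name:40} {tactic:28} used by {count} group(s)")
    print(f"coverage: {coverage_ratio(ACTOR_TTPS, DETECTION_COVERAGE):.0%}")
```

Running it with the constructed data lists T1070 first because both groups use it, which is exactly the kind of prioritisation the ATT&CK Navigator gives you visually; the coverage ratio is a blunt metric, but tracking it across purple team engagements shows whether the gap list is actually shrinking.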
Once you’ve got a good grasp of how your adversaries are thinking both before and while they are launching their attack, your team is one step closer to achieving a proactive rather than a reactive security posture.
Advancing your security posture
At this point, your team has gotten into the flow of doing threat intelligence research and speaking to other practitioners and vendors outside your firm to see how they are faring against similar attacks on their organizations. With that knowledge, you can now use your results to set up and do what are known as “purple team engagements.”
“Purple teaming” is an organizational concept that reflects the idea of two teams (in this case, red and blue) working together to perform continuous testing and defend their organization’s security posture. They weed out the low-hanging fruit to make it harder for attackers to compromise their systems. By using threat intelligence research, they can create a positive feedback loop to continuously improve their organization.
Purple teaming allows you to:
- Close all the easy targets inside your systems
- Prevent analysts from getting burnt out on mundane tasks, leaving them time and energy to focus their efforts on threat hunting
- Enable more research on advanced new exploits that could compromise your firm
Integrating threat intel into SIEM & SOAR
As you do more purple team engagements and your attack surface becomes smaller, your security will become more mature and advanced. This, in turn, will allow you to integrate your threat intelligence research into your security tooling, such as your SIEM (Security Information and Event Management) or SOAR (Security Orchestration, Automation and Response) platforms. With the knowledge you’ve gathered from your research and purple team engagements, you can improve your detection and monitoring rules as well as the various playbooks that you’ve built.
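The simplest form of that integration is matching indicators from your research against the events your SIEM ingests, and the detail that separates a useful rule from a noisy one is handling indicator confidence and expiry. The block below is an added example, not code from the article or from any SIEM vendor: it scans constructed key=value log lines against a constructed indicator feed, tags each hit with the ATT&CK technique the indicator was attributed to, and marks a hit as actionable only when the indicator is both above a confidence threshold and not expired. The feed entries, log lines, field names and the MIN_CONFIDENCE threshold are all assumptions; the key=value format stands in for whatever your SIEM actually parses.

```python
"""Matching threat-intel indicators against log events (added example).

Assumptions: INDICATORS and LOG_LINES are constructed samples; events are
key=value pairs separated by spaces, a stand-in for a real SIEM schema.
Indicators carry a confidence score (0-100) and an expiry date so stale or
low-confidence intel is surfaced for context but not treated as actionable.
"""
from datetime import datetime, timezone

# Constructed indicator feed: indicator value -> metadata
INDICATORS = {
    "203.0.113.45": {"type": "ipv4", "confidence": 90, "expires": "2030-01-01",
                     "attack": "T1595", "source": "feed-a (constructed)"},
    "bad.example.test": {"type": "domain", "confidence": 40, "expires": "2030-01-01",
                         "attack": "T1071", "source": "feed-b (constructed)"},
    "198.51.100.7": {"type": "ipv4", "confidence": 95, "expires": "2020-01-01",
                     "attack": "T1595", "source": "feed-a (constructed)"},
}

# Constructed log lines in key=value form
LOG_LINES = [
    "ts=2024-05-01T10:00:00Z src=203.0.113.45 dst=10.0.0.5 action=scan",
    "ts=2024-05-01T10:00:01Z src=10.0.0.8 dst=10.0.0.9 action=allow",
    "ts=2024-05-01T10:00:02Z src=10.0.0.8 dns_query=bad.example.test",
    "ts=2024-05-01T10:00:03Z src=198.51.100.7 dst=10.0.0.5 action=scan",
]

MIN_CONFIDENCE = 60  # assumed threshold; tune to your feed quality


def parse_event(line):
    """Split a key=value line into a dict; tokens without '=' are ignored."""
    event = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def indicator_is_active(meta, now):
    """An indicator is active if confident enough and not past its expiry."""
    expires = datetime.fromisoformat(meta["expires"]).replace(tzinfo=timezone.utc)
    return meta["confidence"] >= MIN_CONFIDENCE and expires > now


def match_events(lines, indicators=INDICATORS, now=None):
    """Return one alert per event field whose value appears in the feed.

    Every hit is returned so analysts keep the context; the 'actionable'
    flag tells the SOAR playbook whether it should act on it automatically.
    """
    now = now or datetime.now(timezone.utc)
    alerts = []
    for line in lines:
        event = parse_event(line)
        for field, value in event.items():
            meta = indicators.get(value)
            if meta is None:
                continue
            alerts.append({
                "ts": event.get("ts"),
                "field": field,
                "indicator": value,
                "attack": meta["attack"],
                "source": meta["source"],
                "actionable": indicator_is_active(meta, now),
            })
    return alerts


if __name__ == "__main__":
    for alert in match_events(LOG_LINES):
        print(alert)
```

With the constructed data, three events hit the feed but only the first is actionable: the domain hit is below the confidence threshold and the last IP indicator has expired. Passing the ATT&CK technique through to the alert is what lets the SIEM dashboards and the coverage review speak the same language.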
There you have it! In this article, we provided an overview of the ways in which a threat intelligence research program can pay huge dividends for your firm. The process might be slow at first, but if you keep at it, you and your CISO will both be able to sleep better at night knowing that your firm is well protected.
This article was written by Kenneth Ellington. Kenneth is a Junior Java Software Engineer and Cyber Security Professional. He graduated from the University of South Florida in 2020 with a degree in MIS and Cyber Security, and he has been working in the field ever since. Before jumping into software development, he worked as a Cyber Security Analyst specializing in threat intelligence research at a Fortune 100 company. In his spare time, he teaches webinars on how to use Splunk for security use cases.
This posting does not necessarily represent Splunk's position, strategies or opinion.