- How do I keep up to date on the overwhelming amount of information on security threats, including bad actors, methods, vulnerabilities, targets, etc.?
- How do I get more proactive about future security threats?
- How do I inform my leaders about the dangers and repercussions of specific security threats?
Threat Intelligence: What is it?
Threat intelligence has received a lot of attention lately. While there are many different definitions, here are a few that get quoted often:
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard. – Gartner
The set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities and compromise indicators. – SANS Institute
Why is everyone talking about it?
The table below presents several common indicators of compromise that can be identified with threat intelligence feeds:
| Category | Indicators of Compromise | Examples |
| --- | --- | --- |
| | | Malware infections targeting internal hosts that are communicating with known bad actors |
| | | Phishing attempts where internal hosts click on a malicious email and “phone home” to a command and control server |
| | | External attacks from hosts that might be infected themselves or are already known for nefarious activity |
Threat Intelligence capabilities
- Have an application whitelist and blacklist. This helps prevent execution of malicious or unapproved programs, including .DLL files, scripts and installers.
- Check your logs carefully to see if an attempted attack was an isolated event, or if the vulnerability had been exploited before.
- Determine what was changed in the attempted attack.
- Audit logs and identify why this incident happened – reasons could range from system vulnerability to an out-of-date driver.
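The three table rows above and the log-checking steps in this list come together in a small script: match connection logs against a threat-intelligence feed, label each hit with the category it falls into, and count how often each indicator fired so an isolated event can be told apart from a repeated one. This is an added example, not code from the original article; the feed entries, the internal address ranges, the log line format and the sample log lines are all constructed for illustration (the IP addresses come from RFC 5737 documentation ranges and the domain is invented, so none of them are real indicators).

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed threat-intel feed. Addresses are from RFC 5737 documentation
# ranges and the domain is invented; none of these are real indicators.
IOC_FEED = {
    "ip": {
        "203.0.113.45": "known command and control server",
        "198.51.100.7": "host known for scanning and brute force",
    },
    "domain": {
        "update-check.example": "phishing landing page",
    },
}

# Address ranges treated as "internal hosts" (assumption for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed log format, one connection per line:
#   <timestamp> src=<ip> dst=<ip> [host=<domain>] action=<allow|deny>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: host=(?P<host>\S+))? action=(?P<action>\w+)$"
)

# Constructed sample log lines; the last one is malformed on purpose so the
# parser's skip path is exercised.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.45 action=allow",
    "2024-05-01T10:05:00Z src=10.0.0.5 dst=203.0.113.45 action=allow",
    "2024-05-01T10:07:00Z src=192.168.1.20 dst=203.0.113.99 host=update-check.example action=allow",
    "2024-05-01T10:09:00Z src=198.51.100.7 dst=10.0.0.22 action=deny",
    "2024-05-01T10:11:00Z src=10.0.0.9 dst=203.0.113.99 host=www.example.com action=allow",
    "this line is not in the expected format",
]


@dataclass(frozen=True)
class Hit:
    ts: str
    category: str     # which row of the article's table the event matches
    indicator: str    # the IoC that fired
    description: str  # what the feed says about it
    src: str
    dst: str
    action: str


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def classify(src, dst, host):
    """Map one connection to (category, indicator, description), or None."""
    # Internal host talking to a listed address: malware calling home.
    if is_internal(src) and dst in IOC_FEED["ip"]:
        return "malware-c2-callback", dst, IOC_FEED["ip"][dst]
    # Internal host fetching a listed domain: phishing "phone home".
    if is_internal(src) and host in IOC_FEED["domain"]:
        return "phishing-phone-home", host, IOC_FEED["domain"][host]
    # Listed address reaching in: external attack from a known bad host.
    if src in IOC_FEED["ip"] and is_internal(dst):
        return "external-attack", src, IOC_FEED["ip"][src]
    return None


def scan(lines):
    """Parse each log line and return the list of feed matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line: skip rather than guess
        result = classify(m["src"], m["dst"], m["host"])
        if result is None:
            continue
        category, indicator, description = result
        hits.append(Hit(m["ts"], category, indicator, description,
                        m["src"], m["dst"], m["action"]))
    return hits


def summarize(hits):
    """Per indicator, report whether it fired once (isolated) or repeatedly."""
    counts = Counter(h.indicator for h in hits)
    return {ind: "isolated" if n == 1 else f"repeated ({n} events)"
            for ind, n in counts.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(f"{h.ts} {h.category:20} {h.src} -> {h.dst} "
              f"[{h.indicator}: {h.description}] action={h.action}")
    for ind, verdict in summarize(found).items():
        print(f"{ind}: {verdict}")
```

Run as-is, the script reports two callbacks from the same internal host to the listed C2 address (a repeated indicator worth treating as an ongoing infection rather than a one-off), one phishing phone-home, and one denied inbound connection from a listed scanner; the unlisted destination and the malformed line produce nothing. Swapping in a real feed and a real log parser is the only change needed to use the same structure on production data.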