Surely, you’d like to strengthen your threat intelligence strategy.
Even the most jaded of us would agree.
That may be true, but it isn’t how things should be.
Let me give you an example of what I’m talking about.
To put it simply, the problem is that when one moves toward perfecting their threat intelligence strategy, they lose sight of the big picture.
One goal drives the gathering, disseminating, and application of threat intelligence:
To keep or improve profitability by reducing operational risk.
That, of course, is no simple task.
There has never been a greater risk of long-term damage because of data breaches, which are becoming more and more widespread.
What am I trying to get at?
This is it. Because threat intelligence is such a vast topic, it’s only natural that we strive to gather as much information as possible on the subject. However, gathering more isn’t always helpful.
Intelligence activities can be focused on very precise business goals (e.g., to preserve or improve profitability) so that a small amount of extremely valuable intelligence can be generated from this large subject matter.
Let’s look at some strategies to improve your threat intelligence strategy with this in mind.
Passive Intelligence Gathering Must Be Replaced with Active Measures
There are three main methods for acquiring information about cyber threats.
Signals intelligence (SIGINT) is produced when signals, typically those used for communication, are intercepted and analysed. In practice, this means monitoring your own networks for inbound signals.
Open-source intelligence (OSINT) is derived from information that is readily available to the general population. To be precise, this encompasses all forms of print media, as well as radio and television. We’re using Internet-sourced intelligence for our goals, whether it’s through search engines or “crawling” technology like Google.
HUMINT, or human intelligence, has its own set of advantages and disadvantages. SIGINT and OSINT rely heavily on automated software to acquire data, but HUMINT relies on human analysis. The threat actor communities themselves could be human sources.
Are there any other factors to consider before making your decision?
The value of threat intelligence is that it allows us to be more proactive in our approach to security, so this is really a depth versus breadth debate.
Most countermeasures will be informed by passive threat information gathering, which will yield enormous amounts of data… However, active intelligence can reveal specific hazards that could otherwise cause catastrophic damage.
Using both is, of course, the best solution.
It all comes down to one thing. HUMINT continues to be heavily invested in by nation-states, but most organizations simply lack the funds to do so.
Because of this, it is tempting to rely only on OSINT. Many fantastic platforms exist to take advantage of it because it’s freely available in large quantities and produces some excellent results.
Then again, that would be a bad idea.
First, spending time and resources analysing your own inbound traffic (SIGINT) lets you identify anomalies peculiar to your organization. In the constant battle to maintain or improve profitability, this is clearly essential.
Second, obtaining HUMINT data isn’t as difficult as it first appears. Even though human “tip” data can be found all over the Internet, compiling and analysing it is tough. This is where threat intelligence platforms shine the brightest.
Let’s not get into the nitty-gritty here; this is an OSINT/HUMINT hybrid. An effective threat intelligence solution can provide access to a wide range of useful HUMINT sources without necessitating an extensive intelligence collection effort of your own.
Isn’t it wonderful to be alive now?
To Build or Not? Take the Risk and Pick
It’s difficult to have adequate threat intelligence, and that’s part of the problem.
Most businesses get their start on a small scale. To better protect their company’s networks, a few technically minded employees could start reading security blogs and forums, as well as exploit databases.
Of course, as they search, more is discovered.
Eventually, the project becomes unmanageable and requires action. A simple threat intelligence program can be put together in a short period of time… and for the time being, everything seems to be going swimmingly.
A few months go by, and the system starts to show its weaknesses.
Isn’t it clear where this is going?
At some point, continued progress is no longer possible. The platform must either be created from scratch or replaced with a vendor-built alternative.
It’s the age-old question: Do you build, or do you buy?
Because so many variables and questions must be considered, I’m afraid I can’t provide you with any advice.
Is there a need for the platform to grow? Is it possible for you to create one yourself? Is it possible for you to outperform everyone else?
In any IT project, you’d want to know the answers to these questions. When it comes to your threat intelligence platform, there are two questions that I believe must be asked:
- Were previous vendor-built platforms insufficient for your organization?
- Is it possible for an in-house platform to withstand the ever-changing threat landscape?
A complete threat intelligence platform that can be maintained for at least three to five years may be worth the effort.
It’s also possible that you’ll be compelled to construct your own platform if vendor-built options aren’t sufficient for your firm.
Those that don’t fall into these groups, on the other hand, will benefit greatly from vendor-built platforms.
Companies that specialize in protecting organizations from cyberattacks are always working to improve their products. Though the cost is higher than expected, entrusting the experts could be a wise move that pays off in the long run.