Managing threat intelligence in an increasingly challenging landscape

In recent years, cybersecurity attacks have become more serious and more damaging to organizations of all sizes. More enterprises are using threat intelligence to support their response to security threats. A well-planned and well-executed threat intelligence initiative positions them to manage security risks effectively.

Threat intelligence relies on data from the various data points available internally and externally. Internal data includes security events or logs collected from protection devices such as firewalls and intrusion detection or prevention systems. External data covers security news, blogs, white papers and so forth, provided by security vendors or by public sources such as HKCERT.

Hong Kong Interbank Clearing Ltd (HKICL) recognizes the importance of security threat intelligence for in-house security gatekeepers.

“You have to combine information from internal and external threat intelligence to get a better picture of your threat landscape. It allows your company to shorten the time to mitigation or pre-empt a cyberattack,” said Savio Hui, senior manager of technology risk management, IT architecture and governance division of HKICL, at the Cloud Expo Asia 2017 in Hong Kong in May.

Types of threat intelligence

He noted that threat intelligence falls into three types—strategic, operational and tactical—depending on its purpose and target audience.

Strategic threat intelligence is of value to management positions such as chief information security officers (CISOs) and IT managers.

It shows how an organization defends itself and its overall cybersecurity posture. Management can use it to measure cyber risk and make appropriate IT security investment and risk management decisions.

Operational threat intelligence is targeted at threat intelligence analysts, forensic analysts, and incident response teams.

This type of threat intelligence provides the information needed to identify attacks at an early stage, extend the investigation to uncover other elements of the attack, and analyze the attack’s nature and potential impact.

Tactical threat intelligence is targeted at security operations center (SOC) analysts and infrastructure and network administrators. It shows what an organization needs to focus on when responding to security events or vulnerabilities.

Examples of tactical threat intelligence are indicators of compromise (IOCs) such as malware signatures, published malicious URLs and IP addresses, and signatures of attack patterns that target particular system vulnerabilities.
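The tactical use described here, and the combination of internal logs with an external feed that Hui describes above, comes down to matching IOCs against the events an organization already collects. The following is an added example (not code from the article, HKICL or HKCERT) that scans firewall, proxy and antivirus log lines against a small IOC feed; the feed entries and log lines are constructed for illustration, the 203.0.113.0/24 and 198.51.100.0/24 addresses and the `.example` domain are documentation placeholders, and the recommended actions are this example's own assumption about what a SOC would do with each indicator type.

```python
"""Added example: correlate internal security logs with an external IOC feed.
Feed values, log lines and recommended actions are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed IOC feed in the shape a vendor or CERT might publish.
DROPPER_HASH = "a" * 64  # placeholder SHA-256, not a real sample
IOC_FEED = [
    {"type": "ip", "value": "203.0.113.45", "desc": "constructed C2 address"},
    {"type": "cidr", "value": "198.51.100.0/24", "desc": "constructed hostile range"},
    {"type": "domain", "value": "update-check.example", "desc": "constructed malware domain"},
    {"type": "sha256", "value": DROPPER_HASH, "desc": "constructed dropper hash"},
]

# Constructed internal log lines: one firewall allow, two proxy requests,
# one firewall deny and one antivirus file event.
SAMPLE_LOGS = [
    "2017-05-12T09:14:03Z fw01 ALLOW src=10.0.4.17 dst=203.0.113.45 dport=443",
    "2017-05-12T09:14:05Z proxy01 GET http://update-check.example/payload.bin user=jlee",
    "2017-05-12T09:14:09Z proxy01 GET http://www.example.org/index.html user=jlee",
    "2017-05-12T09:15:21Z fw01 DENY src=10.0.4.17 dst=198.51.100.77 dport=445",
    f"2017-05-12T09:16:00Z av01 FILE sha256={DROPPER_HASH} host=ws-0417 action=quarantined",
]

# Assumed mapping from indicator type to the response a SOC analyst would take.
RECOMMENDED_ACTION = {
    "ip": "block destination at the perimeter firewall and review the source host",
    "cidr": "block the range at the perimeter firewall",
    "domain": "sinkhole the domain on internal DNS and review the requesting user",
    "sha256": "isolate the host and collect the file for forensic analysis",
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"https?://([^/\s:]+)")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass(frozen=True)
class Hit:
    log_line: str
    ioc_type: str
    indicator: str
    desc: str
    action: str


def build_index(feed):
    """Exact-match dictionaries for IPs, domains and hashes, plus a list of
    networks; each log line then costs O(1) lookups and a scan of the short CIDR list."""
    index = {"ip": {}, "domain": {}, "sha256": {}, "cidr": []}
    for ioc in feed:
        if ioc["type"] == "cidr":
            index["cidr"].append((ipaddress.ip_network(ioc["value"]), ioc))
        else:
            index[ioc["type"]][ioc["value"].lower()] = ioc
    return index


def match_line(line, index):
    """Return every IOC hit found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        ioc = index["ip"].get(ip)
        if ioc:
            hits.append(Hit(line, "ip", ip, ioc["desc"], RECOMMENDED_ACTION["ip"]))
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # regex can match octets above 255; skip those
            continue
        for net, net_ioc in index["cidr"]:
            if addr in net:
                hits.append(Hit(line, "cidr", str(net), net_ioc["desc"], RECOMMENDED_ACTION["cidr"]))
    for host in HOST_RE.findall(line):
        ioc = index["domain"].get(host.lower())
        if ioc:
            hits.append(Hit(line, "domain", host.lower(), ioc["desc"], RECOMMENDED_ACTION["domain"]))
    for digest in SHA256_RE.findall(line):
        ioc = index["sha256"].get(digest.lower())
        if ioc:
            hits.append(Hit(line, "sha256", digest.lower(), ioc["desc"], RECOMMENDED_ACTION["sha256"]))
    return hits


def scan_logs(lines, feed):
    """Scan all log lines against the feed and return the hits in log order."""
    index = build_index(feed)
    return [hit for line in lines for hit in match_line(line, index)]


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, IOC_FEED):
        print(f"[{hit.ioc_type}] {hit.indicator} ({hit.desc})\n  log: {hit.log_line}\n  action: {hit.action}")
```

Internal addresses such as 10.0.4.17 produce no hit because they are not in the feed, and the request to www.example.org is ignored for the same reason; only the four constructed indicators fire, each with the action a tactical consumer would act on.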

WannaCry case analysis

Hui offered advice on applying threat intelligence within an organization.

“We must choose a suitable source of threat intelligence feed. It must be analyzed and actionable,” he said.