Threat intelligence report

by Mark Rowe

An information security consultancy, MWR InfoSecurity, has released a CPNI and CERT-UK supported study titled Threat Intelligence: Collecting, Analysing, Evaluating.

The infosec firm says that it aims to remove the confusion around threat intelligence and gives vendor-neutral advice that can be scaled to sectors, sizes of organisation, and organisational goals. The firm says that little consensus exists as to what threat intelligence is, and many companies risk investing huge sums with little effect on security. The report, authored by MWR senior security researcher Dr David Chismon, breaks down the range of things marketed as threat intelligence into types, advises how to build and evaluate a threat intelligence programme – and how not to build one – and gives details on collecting, analysing, acting on and sharing the information obtained.

Dr David Chismon said: “Threat intelligence is rapidly becoming an ever-higher business priority with a general awareness of the need to ‘do’ threat intelligence, but vendors are falling over themselves to offer a confusingly diverse array of threat intelligence products. There is a risk that in the hurry to keep up with the threat intelligence trend, organisations will end up paying large amounts of money for products that are interesting but of little value in terms of improving the security of their business. ‘Doing’ threat intelligence is important – but doing it right is critical.”

To address this, CPNI and CERT-UK contracted MWR InfoSecurity to review the area and provide a framework for threat intelligence. The resulting paper is the product of literature reviews, internal experience, and a large number of interviews with people involved in threat intelligence and related fields across a range of organisations.

Chismon said: “By taking threat intelligence back to its intelligence roots and applying the same strict principles, it quickly becomes clear that effective threat intelligence focuses on the questions that an organisation wants answered, rather than simply attempting to collect, process, and act on vast quantities of data. Yet, it’s vital to be asking the right questions in the first place. Hence this paper looks in detail at the cycle of setting requirements, collecting and analysing data, turning the results into a consumable product and evaluating the usefulness of that product – which then feeds back into asking ‘better’, more useful questions for the future.”

A “Quick Wins” section is included with actions that organisations can take today, regardless of staff and budget constraints, to improve internal threat intelligence practices. Importantly, it assumes no specific security infrastructure, such as SIEM tools, IDS tools or log aggregation and analysis.

The full Threat Intelligence: Collecting, Analysing, Evaluating report can be downloaded from: https://www.mwrinfosecurity.com/articles/intelligent-threat-intelligence/

© 2024 Professional Security Magazine. All rights reserved.