Build a world-class threat intelligence programme

Arafa Anis.

---

Threat intelligence and threat hunting have been two concepts dominating the world of cyber security in the past few years. These concepts and what they entail have puzzled many and led to cyber security teams acquiring new tools and rethinking their security posture.

However, we still see organisations facing challenges understanding the importance of having a threat intelligence programme and building one for themselves. This is where the Foundstone team at Trellix comes in. We help organisations find out what gaps they have in their threat intelligence programme and build a programme for them if they do not have it yet. In this press release, we will explore what organisations are struggling with in terms of threat intelligence, how the Foundstone team can help and what a threat hunting programme entails.

For a long time, being cyber secure meant to have tools in the environment that generated alerts and then responding to these alerts and remediating them. This reactive method of securing the network meant that a whole slew of malicious presence could persist below the surface just out of notice if there was no activity that generated these preconfigured alerts. This presented a huge gap in the approach where security was handled in a reactive manner rather than being proactive. Now, where does a threat intelligence programme come in? How does it help organisations stay ahead of the game when dealing with newer and more intimidating adversaries every day? Customers are struggling to keep up with their adversaries, especially as adversaries are finding newer ways to accomplish their missions every day. With time, there has been more attention paid to proactively look for threats in the environment that might have gotten through the preconfigured rules of the cyber security tools in question. Zero-day threats also brought further awareness to this field of research as they cannot be stopped through pattern matching alerts.

IBM’s Cost of a Data Breach 2022 report shared that the average data breach costs its victims USD 4.35 million; detection and escalation costs account for the most significant portion of that price tag, USD 1.44 million. Lowering the detection cost is where threat intelligence has significant potential. With the proper threat intelligence, organisations will be able to detect attacks and respond to them faster, thereby reducing the detection time and the impact of the incident.

For actionable threat intelligence, customers need information about the strategies being used by the attackers. Customers also require this information in a usable format so that they can search through their environment for the attackers and their remnants. This data, however, is not always easy to find and neither is it available ready to be used. Organisations also require adversary information based on the organisation's own region, sector and industry, among other factors. This has been a major pain point for organisations globally. Customers require specific tools and services that can gather threat intelligence data for them. They also require experienced threat intelligence analysts to review this data and its relevance. From the data acquired, the analyst will have to identify the attacker’s mechanisms and translate that to information that can be used to conduct searches across the environment.

As consultants working with customers every day to better their security posture, we come across organisations that ask us for assistance in understanding threat intelligence and implementing a threat intelligence programme as part of our Advanced Cyber Threat Services.

Trellix, with its rich knowledge of cyber threats and threat hunting, can assist clients with building out a threat intelligence programme. According to the organisation’s needs and maturity level, Trellix can assist with all aspects of the programme, including people, process and technology. To seek out threats proactively, an organisation requires information on threats where the data is accumulated, filtered, analysed and shared via threat intelligence. Some of this intelligence can be acquired through cyber security tools that provide the service and subscriptions to threat intelligence providing organisations such as an information sharing and analysis centres (ISACs).

As part of our Threat Intelligence Services, Trellix Advanced Cyber Threats Services team can build a threat intelligence programme for the organisation that can receive disparate, raw threat intelligence data from various sources, cleanse it, sort it, give it proper context and make it actionable for the organisation through the use of tools and threat analysts’ workflow. Having threat intelligence pertinent to the organisation and performing routine threat hunts is vital when monitoring a dispersed network for breaches and data exfiltration.

Our services include performing a gap assessment to evaluate where the organisation is at present in terms of threat intelligence services and then building out a mature threat hunting programme. This includes documenting all the processes and procedures of the threat intelligence and threat hunting life cycle. The Trellix team can also share threat intelligence reports with the client in an ongoing manner that has information on threat vectors relevant to the organisation, their region and their sector. These reports share information about known threat actors along with their tactics, techniques and procedures (TTPs). The threat analysts can use this data to understand the risk to the organisation and how a breach might occur. They can then go on to secure the environment while hunting for specific threats in the network.

Our programme covers building the expanse of the threat intelligence gathering and threat hunting process from start to finish and includes interviews with key personnel and review of all operational documentation. The key goals during the engagement are to answer some of the following questions: What is the status and state of the current threat intelligence team and processes? Could they be more effective? We as Trellix consultants will call on our expertise and experience of SOC operations, incident response and threat intelligence to share advice for both current and future threat intelligence programme operations.  Below we mention the three phases of the programme, along with their description.

• Gap assessment

To start off the threat intelligence programme build process, we have to first understand the maturity of the present-day programme if it exists. To accomplish that the project is led with a gap assessment of the overall threat intelligence programme. In this gap assessment, we aim to review all relevant documentation of the programme, interview all the stakeholders and assess the processes being followed and tools that are in use. Both the threat intelligence gathering process and the threat hunting process are put under scrutiny and reviewed against best practices. If the organisation must be compliant with specific local or international regulations, comparisons are drawn with the regulations and existing threat intelligence programme to assess the gaps. Once the assessment is complete, a gap assessment report is created with recommendations to bridge the gaps. Following are the steps performed for the gap assessment:

• Review existing documentation in the threat intelligence programme.
• Review existing tools and processes in the threat intelligence programme.
• Identify gaps present in terms of threat intelligence and threat hunting.
• Report on gaps with recommendations to bridge gaps pertinent to people, process and technology.

Threat intelligence programme build out

Once the gap assessment is completed, we aim to have a thorough understanding of how the organisation can work with their present-day processes to build out a mature threat intelligence programme. Depending on the organisation, their sector, their region and their maturity level, a customised plan is developed to build a threat intelligence programme. This plan includes improvements in regard to people, process and technology. Multiple workshops and trainings are provided to the threat intelligence analysts to teach them about gathering threat intelligence and conducting threat hunts in a routine manner. This includes building a threat intelligence profile for the organisation on their threat intelligence platforms and linking the platform to the existing security operations tools. We also provide training to use open source tools and curate threat intelligence reports to educate the security team. Documentation is created for each part of the programme, ie, an overall threat intelligence process document, reporting forms and templates, standard operating procedure, service catalogues, etc. There are trackers built to track the key performance indicators (KPI) of the threat intelligence programme too. Following are the steps taken to build a threat intelligence programme:

• Create a customised plan for the organisation to build their threat intelligence programme, taking into consideration the maturity level, sector, region and regulations involved.
• Create and update documents in the threat intelligence programme, eg, threat intelligence process document, standard operating procedure, service catalogue, reporting templates, etc.
• Train threat intelligence analysts with hands-on workshops and training.
• Integrate threat intelligence processes with other parts of cyber security, ie, incident response, vulnerability management, red teaming.

Ongoing threat intelligence services

Once the threat intelligence programme is built, the analysts will require ongoing intelligence to curate their threat hunts. We provide ongoing threat intelligence in the form of monthly or quarterly reports, which are part of the threat intelligence services. This report is based on the organisation's custom threat profile and is built with their region, sector and maturity in mind. These reports created by the Threat Intelligence Group at Trellix ensure that the organisation can stay one step ahead of adversaries and conduct informed hunts across their organisations. Following are the steps taken to perform ongoing threat intelligence services.

• Build a custom threat intelligence profile for the customer using Trellix and other proprietary tools.
• Provide custom, contextualised threat intelligence reports to the customer in a monthly or quarterly basis.

By going through the process of building a threat intelligence programme, an organisation not only ensures additional security for their environment, this build out also helps produce trained threat intelligence analysts who will be working with pertinent threat intelligence that has been configured especially for the organisation to receive. Organisations can also stay ahead of the curve when defending themselves against newer attackers by looking out for tactics, techniques and procedures that are shared through threat intelligence. Some further benefits are also highlighted below:

Benefits for the organisation

• Find out what gaps exist in your environment in terms of threat intelligence and threat hunting.
• Recommendations based on best practices, industry standards and real-world experience.
• Build a mature threat intelligence programme in phases following the customised plan.
• Document all the processes and procedures required for the programme.
• Train analysts for optimised and proactive threat hunting.
• Meet regulatory and compliance requirements.
• Receive ongoing, custom and actionable threat intelligence specific to your organisation and environment.

Among next steps, organisations can choose to perform cyber threat simulations and purple teaming to ensure the processes put in place are improving the security posture. Organisations can also seek to better train their analysts through a weeklong threat hunting course led by the Advanced Cyber Threat Services team. For the programme to be successful, the threat intelligence process will need to be maintained and updated routinely with changes in the organisation, including new tools or processes.