{"id":12758,"date":"2018-07-10T08:10:11","date_gmt":"2018-07-10T16:10:11","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/07\/10\/news-6526\/"},"modified":"2018-07-10T08:10:11","modified_gmt":"2018-07-10T16:10:11","slug":"news-6526","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/07\/10\/news-6526\/","title":{"rendered":"So you’ve been asked to start a threat intel program"},"content":{"rendered":"

Credit to Author: William Tsing| Date: Tue, 10 Jul 2018 15:00:00 +0000<\/strong><\/p>\n

Ever since the Mandiant APT1 report landed like a bomb in private sector security reporting, threat intelligence has been a hot buzzword many companies have been chasing over. \u00a0But what is threat intelligence? \u00a0What do you need to execute it well? \u00a0And how many new tools do you need to buy? \u00a0The ambiguity around these questions leaves many people wondering “How on earth do I start a threat intel program?”<\/p>\n

Maybe don’t?<\/h2>\n

Threat intelligence is a very new, very popular buzzword in the security industry. \u00a0But as a capability, it’s both very expensive, and meant to sit on top of a mature security program. \u00a0Do you have mitigations in place against the OWASP top 10<\/a>? \u00a0Have you vetted your existing vendors<\/a> for efficacy? \u00a0Do you have a fully staffed and trained SOC, or are your analysts working double shifts? \u00a0If you don’t have clear answers to those questions, your security program probably is not mature, and would not really benefit from an additional costly function.<\/p>\n

Cost can be a serious concern. \u00a0While SOC analysts have a fairly wide spread for salary range, threat intelligence analysts with government training are not that common, resulting in a salary premium. \u00a0Below you can see a relatively common private sector intelligence analyst salary as contrasted with a salary for a government trained analyst.<\/p>\n

\"salary<\/p>\n

Glassdoor threat intel salaries for the private and public sector<\/p>\n<\/div>\n

A well trained threat intel analyst embedded in a mature security team can be an outstanding force multiplier, but without a well oiled environment to place them into, they can inflate staffing budgets without providing a significant return on investment.<\/p>\n

But I have to<\/h2>\n

If you must start a threat intel program, the first step is to look for the components you already have. \u00a0Spending on threat intel vendors or employees with highly specific experience can lead to astronomical costs, and raises the odds that enterprise leadership won’t find value in the team. \u00a0So start small: almost every Tier II SOC has senior members with a wealth of experience in the threat landscape, and an itch for more responsibility. Rather than casting a line into a very tight market for new staff, it’s much more cost effective to send those SOC members to intelligence training, then task them with creating training for everyone else. \u00a0Some companies have accomplished this via transitioning SOC staff from monitoring to threat hunting.<\/p>\n

Threat hunting – intel you should already be doing<\/h3>\n

Per Wikipedia, “Cyber threat hunting is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.” \u00a0In practice, what this amounts to is training analysts to tell the entire story of a threat: where did it start, what TTPs were employed in the attack, what systems were touched, and what corroborating information can be gained from public data. \u00a0When a responder is trained to tell the full story of a threat in this manner, organizations can not only respond to a threat, but can also learn from it and adjust mitigations accordingly.<\/p>\n

Tools you need and tools you don’t<\/h3>\n

First and foremost, you do not need a third party threat intelligence feed. \u00a0It’s a nice to have, but the reality is that external vendors cannot provide data specific to your company, and frequently struggle to offer relevant data filtered by industry vertical. \u00a0Vastly more important is to make appropriate use of the data you have. \u00a0Here’s a non comprehensive list of data that many companies collect, but don’t exploit effectively:<\/p>\n