Build a World Class Threat Intelligence Program

By Arafa Anis · August 16, 2023

Threat Intelligence and Threat Hunting have been two concepts dominating the world of cybersecurity in the past few years. These concepts and what they entail have puzzled many and led to cybersecurity teams acquiring new tools and rethinking their security posture. However, we still see organizations facing challenges understanding the importance of having a Threat Intelligence Program and building one for themselves. This is where the Foundstone team at Trellix comes in. We help organizations find out what gaps they have in their Threat Intelligence Program and build a Program for them if they do not have it yet. In this blog, we will explore what organizations are struggling with in terms of Threat Intelligence, how the Foundstone team can help and what a Threat Hunting Program entails.

What are customers struggling with?

For a long time, being cyber secure meant to have tools in the environment that generated alerts and then responding to these alerts and remediating them. This reactive method of securing the network meant that a whole slew of malicious presence could persist below the surface just out of notice if there was no activity that generated these pre-configured alerts. This presented a huge gap in the approach where security was handled in a reactive manner rather than being proactive. Now, where does a Threat Intelligence Program come in? How does it help organizations stay ahead of the game when dealing with newer and more intimidating adversaries every day? Customers are struggling to keep up with their adversaries, especially as adversaries are finding newer ways to accomplish their missions every day. With time, there has been more attention paid to proactively look for threats in the environment that might have gotten through the pre-configured rules of the cybersecurity tools in question. Zero-day threats also brought further awareness to this field of research as they cannot be stopped through pattern matching alerts.

IBM’s Cost of a Data Breach 2022 report shared that the average data breach costs its victims USD 4.35 million, detection and escalation costs account for the most significant portion of that price tag, USD 1.44 million. Lowering the detection cost is where Threat Intelligence has significant potential. With the proper Threat Intelligence organizations will be able to detect attacks and respond to them faster, thereby reducing the detection time and the impact of the incident.

For actionable Threat Intelligence customers need information about the strategies being used by the attackers. Customers also require this information in a usable format so that they can search through their environment for the attackers and their remnants. This data, however, is not always easy to find and neither is it available ready to be used. Organizations also require adversary information based on the organizations own region, sector, industry amongst other factors. This has been a major pain point for organizations globally. Customers require specific tools and services that can gather threat intelligence data for them. They also require experienced threat intelligence analysts to review this data and its relevance. From the data acquired the analyst will have to identify the attacker’s mechanisms and translate that to information that can be used to conduct searches across the environment.

How can Trellix help?

As consultants working with customers every day to better their security posture, we come across organizations who ask us for assistance in understanding threat intelligence and implementing a Threat Intelligence Program as part of our Advanced Cyber Threat Services.

Trellix with its rich knowledge of cyber threats and Threat Hunting can assist clients with building out a Threat Intelligence program. According to the organization’s needs and maturity level Trellix can assist with all aspects of the program including People, Process and Technology. To seek out threats proactively an organization requires information on threats where the data is accumulated, filtered, analyzed and shared via Threat Intelligence. Some of this intelligence can be acquired through cybersecurity tools that provide the service and subscriptions to Threat Intelligence providing organizations such as an Information Sharing and Analysis Centers (ISACs). As part of our Threat Intelligence Services, Trellix Advanced Cyber Threats Services team can build a Threat Intelligence Program for the organization that can receive disparate, raw threat intelligence data from various sources, cleanse it, sort it, give it proper context and make it actionable for the organization through the use of tools and threat analysts’ workflow. Having Threat Intelligence pertinent to the organization and performing routine Threat Hunts is vital when monitoring a dispersed network for breaches and data exfiltration.

Our services include performing a Gap Assessment to evaluate where the organization is at present in terms of Threat Intelligence services and then building out a mature Threat Hunting program. This includes documenting all the processes and procedures of the Threat Intelligence and Threat Hunting life cycle. The Trellix team can also share Threat Intelligence reports with the client in an ongoing manner that has information on threat vectors relevant to the organization, their region and their sector. These reports share information about known threat actors along with their tactics, techniques and procedures (TTPs). The threat analysts can use this data to understand the risk to the organization and how a breach might occur. They can then go on to secure the environment while hunting for specific threats in the network.

What does the program include?

Our program covers building the expanse of the Threat Intelligence gathering and Threat Hunting process from start to finish and includes interviews with key personnel and review of all operational documentation. The key goals during the engagement are to answer some of the following questions:  What is the status and state of the current Threat Intelligence team and processes? Could they be more effective? We as Trellix consultants will call upon our expertise and experience of SOC operations, Incident Response and Threat Intelligence to share advice for both current and future Threat Intelligence Program operations.  Below we mention the 3 phases of the program along with their description.

Key Areas Covered in 3 Phases:

• Gap Assessment –
  
  To start off the Threat Intelligence program build process, we have to first understand the maturity of the present-day program if it exists. To accomplish that the project is led with a gap assessment of the overall Threat Intelligence program. In this gap assessment we aim to review all relevant documentation of the program, interview all the stakeholders and assess the processes being followed and tools that are in use. Both the Threat Intelligence gathering process and the Threat Hunting process are put under scrutiny and reviewed against best practices. If the organization must be compliant with specific local or international regulations, comparisons are drawn with the regulations and existing Threat Intelligence program to assess the gaps. Once the assessment is complete a Gap Assessment report is created with recommendations to bridge the gaps. Following are the steps performed for the Gap Assessment -
  
  • Review existing documentation in the Threat Intelligence Program
  • Review existing tools and processes in the Threat Intelligence Program
  • Identify gaps present in terms of threat intelligence and threat hunting
  • Report on gaps with recommendations to bridge gaps pertinent to people, process and technology


• Threat Intelligence Program Build out –
  
  Once the Gap Assessment is completed, we aim to have a thorough understanding of how the organization can work with their present-day processes to build out a mature Threat Intelligence program. Depending on the organization, their sector, their region and their maturity level, a customized plan is developed to build a Threat Intelligence Program. This plan includes improvements in regard to people, process and technology. Multiple workshops and trainings are provided to the Threat Intelligence Analysts to teach them about gathering Threat Intelligence and conducting threat hunts in a routine manner. This includes building a threat intelligence profile for the organization on their threat intelligence platforms and linking the platform to the existing security operations tools. We also provide training to use open-source tools and curate threat intelligence reports to educate the security team. Documentation is created for each part of the program i.e., an overall Threat Intelligence Process document, reporting forms and templates, standard operating procedure, service catalogs etc. There are trackers built to track the key performance indicators (KPI) of the Threat Intelligence Program too. Following are the steps taken to build a Threat Intelligence Program -
  
  • Create a customized plan for the organization to build their Threat Intelligence Program taking into consideration the maturity level, sector, region and regulations involved.
  • Create and update documents in the Threat Intelligence Program e.g., Threat Intelligence Process document, Standard Operating Procedure, Service Catalog, Reporting templates etc.
  • Train threat intelligence analysts with hands on workshops and training.
  • Integrate threat intelligence processes with other parts of cybersecurity i.e., incident response, vulnerability management, red teaming.


• Ongoing Threat Intelligence services – 
  
  Once the Threat Intelligence Program is built the analysts will require ongoing intelligence to curate their threat hunts. We provide ongoing Threat Intelligence in the form of monthly or quarterly reports which is part of the Threat Intelligence Services. This report is based on the organizations custom threat profile and is built with their region, sector, and maturity in mind. These reports created by the Threat Intelligence Group at Trellix ensure that the organization can stay one step ahead of adversaries and conduct informed hunts across their organizations. Following are the steps taken to perform ongoing Threat Intelligence Services.
  
  • Build a custom threat intelligence profile for the customer using Trellix and other proprietary tools.
  • Provide custom, contextualized threat intelligence reports to the customer in a monthly or quarterly basis.
  By going through the process of building a Threat Intelligence Program, an organization not only ensures additional security for their environment, this build out also helps produce trained threat intelligence analysts who will be working with pertinent threat intelligence that has been configured especially for the organization to receive. Organizations can also stay ahead of the curve when defending themselves against newer attackers by looking out for tactics, techniques and procedures that are shared through threat intelligence. Some further benefits are also highlighted below -

Benefits for the Organization - 

• Find out what gaps exist in your environment in terms of threat intelligence and threat hunting.
• Recommendations based on best practices, industry standards and real-world experience.
• Build a mature Threat Intelligence Program in phases following the customized plan.
• Document all the processes and procedures required for the program.
• Train analysts for optimized and proactive threat hunting.
• Meet regulatory and compliance requirements.
• Receive ongoing, custom, and actionable threat intelligence specific to your organization and environment.

Amongst next steps, organizations can choose to perform cyber threat simulations and purple teaming to ensure the processes put in place are improving the security posture. Organizations can also seek to better train their analysts through a weeklong Threat Hunting course led by the Advanced Cyber Threat Services team. For the program to be successful, the Threat Intelligence process will need to be maintained and updated routinely with changes in the organization including new tools or processes.