The Value of Curated Threat Intelligence

Leveraging the Power of Cyberthreat Intelligence to Improve Cybersecurity

Cyber Threat Intelligence

Curated threat intelligence takes raw threat data from various sources and selects, validates, and organizes it into a structured and actionable format. This intelligence gives insight into threat actors' activities and tactics, techniques, and procedures (TTPs) to help improve an organization's cybersecurity posture.

Improving security posture with up-to-date threat data is a key component of any security stack. This enables automated blocking of known threats and more to ease the workload on security teams while keeping the network more secure. Curated threat intelligence can also be used in multiple areas of a broader cybersecurity strategy. For example, it can block known malicious IP addresses from accessing the network, aiding in both intrusion prevention and distributed denial-of-service (DDoS) protection.

Curated threat intelligence has several key features that make it especially valuable to organizations:

  • Higher quality and accuracy: With thorough vetting and verification of the data, curated threat intelligence has fewer false positives and is more reliable.
  • Focused relevance: Instead of a broad focus, this type of data is focused on key threat behaviors to ensure it is specific to an organization's needs with reduced noise.
  • Enhanced context and enrichment: Curated threat intelligence goes beyond basic indicators to provide valuable context to drive further action. This improves understanding of threats, their motives, and more.
  • Actionable: Because it is preprocessed and organized, it is ready to use as it is fed into cybersecurity solutions including security information and event management systems (SIEMs), firewalls, intrusion detection systems (IDS), and more.
  • Continuous improvement: The data is dynamic and evolving, adapting to new threats and constantly being updated with the latest threat intelligence.

Types of Threat Intelligence

There are four key types of curated threat intelligence, each with its own focus and contents:

  1. Strategic threat intelligence: Focuses on a high-level, broad overview of the threat landscape. This includes long-term trends as well as threat actors and their motives. This level of threat intelligence analyzes geopolitical and economic factors influencing cyberthreats, implications of business decisions, and potential long-term risks.
  2. Operational threat intelligence: Looks at specific cyberevents, campaigns, and incidents, including attacker TTPs, affected systems, and actionable recommendations. This provides insights into attacker motivations, methodologies, and objectives as well as specific attack vectors and potential impacts.
  3. Tactical threat intelligence: Primarily focused on specific TTPs, including indicators of compromise (IoCs). Includes technical details on attack tools, detection signatures, vulnerabilities exploited, and remediation workflows.
  4. Technical threat intelligence: Raw data and IoCs, such as IP addresses, file hashes, URLs, and domain names. Contains technical indicators of malicious activity that can be consumed directly by security tools.

Blending multiple types of curated threat intelligence has several benefits and is an important aspect of leveraging it. Curated threat intelligence can provide insights to different audiences based on their roles in the process. For example, strategic threat intelligence's broad view is great for CIOs and CISOs to help guide the holistic security strategy for the organization, while tactical threat intelligence is more valuable to practitioners who are in the details of the data on a day-to-day basis.

The Threat Intelligence Lifecycle

The threat intelligence lifecycle follows a structured and iterative process. It includes six steps to improve an organization's security posture:

  1. Planning and direction: Defines the scope, priorities, and objectives of the threat intelligence program. This includes identifying key stakeholders, determining what assets and data need protection, establishing priorities, defining intelligence gaps, and assessing current threat intelligence sources for improvement opportunities.
  2. Data collection: Gathering data and information from a variety of sources, both internal (full network packet capture, IoCs, logs, incident reports, and more) and external (honeypots, threat intelligence feeds, social media, industry forums, dark web sources, and more), to build a database for use as curated threat intelligence.
  3. Data processing: Organizing, standardizing, and enriching the collected data to make it suitable for analysis. Includes data normalization, enrichment, correlation and aggregation, triage, filtering, tagging, and more.
  4. Analysis: Analyzing processed information to understand threats and develop actionable insights. Looks at threat actor profiles, behaviors, and potential impacts while identifying intelligence gaps and generating recommendations for mitigating threats and improving security.
  5. Dissemination: Sharing analyzed intelligence with stakeholders for action to be taken. Tailoring intelligence for different audiences is key, making sure the right people have the right details to ensure that the proper next steps are taken.
  6. Feedback: Process review and improvements based on learnings and feedback.

Leveraging artificial intelligence (AI) and machine learning (ML) to automate processing, compilation, and other key steps in the threat intelligence lifecycle can expedite the time to value. This automation helps minimize human interaction with raw data, leaving more time for analysts and other security professionals to analyze and interpret the valuable insights the data provides.

Importance of Curated Threat Data

Curated threat intelligence allows organizations to directly address the challenges of managing and utilizing massive amounts of cybersecurity threat data. There are several reasons organizations may see value in leveraging it:

  • Enhanced accuracy and reliability: Validating and verifying the data improves the efficiency of investigations due to a reduction in false positives and other issues stemming from inaccurate or outdated raw data.
  • Reduced noise and improved focus: Curating threat intelligence data filters out irrelevant, low-quality, and duplicate data from the vast amounts received in a raw format. This allows security teams to focus on the most pertinent and actionable threat intelligence.
  • Improved prioritization and resource allocation: The context and insights provided help teams prioritize actions. This intelligence gives details on the severity and potential impact of threats, empowering security teams to focus on the most dangerous threats based on a combination of factors.
  • Faster incident response: Having the right data makes decision-making faster and more efficient. This leads to reductions in response times, helping solve breaches and other threats faster.
  • Actionable insights for proactive defense: Understanding the enemies helps teams get ahead of them. With known threat indicators and patterns, teams can proactively improve defense strategies or practice cyberthreat hunting to find and remove adversaries.

Practical Applications in Cybersecurity

There are several ways that curated threat intelligence can be used to benefit cybersecurity, including processes, intelligence, automation, and more:

  • Security operations: Enhancing threat detection analysis leads to operational efficiencies for security teams. This enables them to work more effectively and faster thanks to improved security controls such as firewall rules or IDS configuration, leading to an overall stronger security stack.
  • Threat hunting: Proactive advanced threat detection can help security teams discover, track, and remove threats faster than ever. These processes can be fine-tuned over time to further increase efficiency. Threat hunters can leverage curated cyberthreat intelligence feeds to search for anomalies and patterns consistent with known advanced persistent threats (APTs) or other sophisticated attacks.
  • DDoS protection: Having insight into known botnets, malicious IPs, and other attack sources can help automatically block DDoS attacks. This automated mitigation helps keep networks, services, and applications available to users, improving operations, customer experience, and more. It also prevents reputational or financial damage tied to key services becoming unavailable.  
    •    Vulnerability management: Understanding threat motives and TTPs can greatly improve the vulnerability management process. This empowers teams to prioritize patches based on need and immediate danger thanks to strong, actionable data. Automated patch management helps improve workflows and can leverage AI/ML to prioritize which patches should be done first with minimal human interaction. 
    •    Incident response enhancement: By expediting threat identification via context-rich alerts and IoCs, incident response teams can improve triage by prioritizing alerts based on severity and potential impact. Efficiency can also be improved by the quality and actionability of the data provided to security teams, ultimately removing threats faster and more effectively.

Building an Effective Cyberthreat Intelligence Program with NETSCOUT

NETSCOUT provides and leverages its ATLAS Intelligence Feed (AIF) in many products to automatically block known threats. Powered by AI/ML and industry-leading visibility into the world's internet traffic, AIF goes above and beyond to automatically block threats, including most DDoS attacks. Leveraging this vast, actionable curated threat intelligence in your security stack can help keep your networks secure and services available.

Learn more about how NETSCOUT utilizes AIF for cybersecurity and DDoS protection.