What is "Actionable" Threat Intelligence?
Since there is no standard industry definition of threat intelligence, not everyone defines it the same way. As a result, the term threat intelligence is so broadly used in the security industry that the true definition of "intelligence" is sometimes lost. Some threat intelligence services being offered in the market today are not offering true intelligence at all: they are simply offering access to minimally analysed (or even raw) data. As noted intelligence expert Wilhelm Agrell famously stated, "When everything is intelligence, nothing is intelligence."
The challenge for many organisations in a world of ‘big data’ is distilling vast quantities of information from various sources in a way that can be analysed, and then ensuring that the analysis can create intelligence that is actionable.
Definition: actionable intelligence (WhatIs.com)
Actionable intelligence is information that can be acted upon, with the further implication that actions should be taken.
An effective threat intelligence program can be defined as actionable when it allows the organisation to:
- understand threats, threat actors and their capabilities;
- identify risks before they’re realised;
- learn where exposed data may be lurking;
- mitigate attacks more effectively and;
- determine countermeasures and controls.
Building an Actionable Intelligence Program
When threat intelligence is understood and utilised properly, organisations can realise great value. Being able to deliver an actionable threat intelligence program requires three things:
- Clear goals
- The right information
- The right audience
What is most important to you?
This foundational element of a threat intelligence program is about building out your organisation’s individual Priority Intelligence Requirements (PIRs): What are your threat intelligence goals? What threats/actors/exploits/leaked information are you looking for? What does your organisation most need to protect?
PIRs must provide situational awareness into the threat landscape and help feed the business’s overall strategic goals. It’s particularly important that PIRs be evaluated constantly, as the business grows, and as the threat landscape evolves. Neither side is static, and therefore a set-it-and-forget-it mentality will turn your threat program into a wasted effort.
What information do you need?
You haven't got the time to look at all the sources of information that are available. You need to be able to decide which sources are going to provide you with the information you need in line with your PIRs, and then validate those sources and apply confidence ratings to their usefulness and accuracy. A data source that supplies smoke and mirrors won’t help you achieve an improved risk posture.
At this point, you need a human: a real-life analyst asking, does the data support our PIRs? Is it useful? Is it actionable? Asking these questions allows the analyst to verify the data, remove false positives, add context and ultimately prepare recommended actions around emerging threats.
Who needs to know?
What is the greatest deterrent to effective actionable cyber threat intelligence? Silos. An effective threat intelligence program includes a strategic approach to collaboration and information sharing. I am not simply referring to the sharing of CSVs of IOCs (Indicators of Compromise) with internal security teams, but to the dissemination of actual human-readable information briefs.
There are many different groups within an organisation and those different groups are better served by having the information represented in a different manner. Some technical groups could use threat intelligence to configure internal security infrastructure to passively detect new cyber threats, whereas abbreviated, impactful, targeted content that may reveal new specific business risks may help inform executive leadership’s decision-making.
When looking at your communications model for your program, you need to be asking: What type of information would help enhance my organisation’s awareness and prioritisation? How best should I transmit that information? What type of information is applicable to which audience?
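As an added example that is not part of the original post, the following Python sketch walks a few constructed feed records through the three pillars above: PIRs with a minimum confidence bar, per-source confidence ratings plus an allowlist standing in for the analyst's false-positive check, and separate outputs for a technical audience and for leadership. All PIR names, sources, ratings and indicators are constructed sample values.

```python
from collections import defaultdict

# Constructed PIRs: the feed category that serves each one, the minimum source
# confidence worth an analyst's time, and which audiences need to know.
PIRS = {
    "credential-leak": {"min_confidence": 0.6, "audience": {"soc", "exec"}},
    "phishing-infra": {"min_confidence": 0.5, "audience": {"soc"}},
}
# Constructed, analyst-maintained confidence rating (0..1) per source.
SOURCE_CONFIDENCE = {"vendor-feed": 0.8, "paste-scraper": 0.4, "partner-isac": 0.9}
# Constructed allowlist: infrastructure the organisation owns, a classic false positive.
ALLOWLIST = {"cdn.example.test"}
# Constructed raw feed records; "category" is the feed's own label for the record.
RAW_RECORDS = [
    {"source": "vendor-feed", "category": "phishing-infra", "type": "domain", "indicator": "login-example.test"},
    {"source": "paste-scraper", "category": "credential-leak", "type": "email", "indicator": "alice@example.test"},
    {"source": "partner-isac", "category": "credential-leak", "type": "email", "indicator": "alice@example.test"},
    {"source": "vendor-feed", "category": "crypto-mining", "type": "ip", "indicator": "192.0.2.10"},
    {"source": "vendor-feed", "category": "phishing-infra", "type": "domain", "indicator": "cdn.example.test"},
]

def triage(records, pirs=PIRS, ratings=SOURCE_CONFIDENCE, allowlist=ALLOWLIST):
    """Keep records that serve a PIR, meet its confidence bar and are not known
    false positives; merge duplicates, keeping the highest-confidence sighting."""
    kept = {}
    for rec in records:
        pir = pirs.get(rec["category"])
        if pir is None or rec["indicator"] in allowlist:
            continue  # does not serve any PIR, or is a known false positive
        conf = ratings.get(rec["source"], 0.0)  # an unrated source earns no confidence
        if conf < pir["min_confidence"]:
            continue
        key = (rec["category"], rec["indicator"])
        if key not in kept or conf > kept[key]["confidence"]:
            kept[key] = {**rec, "confidence": conf, "audience": pir["audience"]}
    return list(kept.values())

def disseminate(triaged):
    """Shape one triaged set for two audiences: CSV lines the SOC can load into
    detection tooling, and a short human-readable brief for leadership."""
    products = {"soc": [], "exec": []}
    counts = defaultdict(int)
    for rec in triaged:
        if "soc" in rec["audience"]:
            products["soc"].append(f"{rec['type']},{rec['indicator']},{rec['confidence']:.1f},{rec['category']}")
        if "exec" in rec["audience"]:
            counts[rec["category"]] += 1
    for category, n in sorted(counts.items()):
        products["exec"].append(f"{n} confirmed {category} item(s); review of exposure recommended")
    return products
```

Calling `disseminate(triage(RAW_RECORDS))` drops the low-confidence paste sighting, the record with no matching PIR and the allowlisted domain, and keeps one high-confidence sighting per indicator for the SOC list while the leadership brief sees only the credential-leak theme.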
The end-game: Prevent, disrupt, and respond
The aim for any organisation when building a threat intelligence program should be to move from a reactive state to a more proactive approach, getting ahead of cybercrime. The use of intelligence data must go beyond simply blocking an attack before it can breach the network. The objective must include disrupting the attack's ability to achieve its desired goal, which means your threat intelligence program and systems need to provide actionable intelligence.
Find out how you can stay one step ahead with a real-time view of your organisation’s digital risk with tailored cyber threat intelligence.