How to build a threat intelligence program that works
Malicious emails were nominated as the number one concern in the ACCC’s latest Annual Cyber Threat Report, with cybercriminals using phishing attacks to obtain initial access to networks after tricking recipients into clicking on a malicious link or attachment. In 2020 alone there were 44,000 reports of phishing activity, representing a 75% increase during the pandemic.
Organisations are responding to heightened risk by implementing threat intelligence programs. But to get the most value out of their security investment, the approach to threat intelligence needs to shift from gathering information to taking action.
What is threat intelligence and what are its benefits?
Threat intelligence is a way to identify and mitigate sophisticated email-borne attacks that can do serious damage to an organisation through phishing, identity theft, impersonation, and malware. The technique combines data sharing and up-to-the-minute knowledge of emerging security challenges to stop email attacks before they can breach defences.
Threat intelligence is a great way to get a broad view of your current threat environment. That information can be invaluable for shaping email threat protection measures such as spam filters, email virus scanners, and URL protection that identifies potentially malicious links in emails and blocks or rewrites them to prevent users from downloading malicious content. Emails are also scanned to identify potentially weaponised attachments or attempts at impersonation.
While this sounds great in theory, in practice, threat intelligence comes with several challenges:
As a rule, cybercriminals can operate and react much faster than the organisations they target.
Typical threat intelligence or security audits only provide a snapshot of a single moment in time. This approach is inadequate when the threat landscape evolves literally by the minute.
Aggregating and managing multiple cyber threat intelligence feeds can quickly snowball into a confusing (and expensive) process.
Many organisations take a compliance-led approach that fails to translate information into action.
While these are real concerns, that doesn’t mean they can’t be managed. There are many strategies to ensure threat intelligence is up-to-the-minute, contextual, predictive, and actionable. Here’s how you can make sure your threat intelligence program delivers the best outcomes.
Get up-to-the-minute threat intelligence
Millions of threats are launched by tens of thousands of cybercriminals per year. These attackers are adept at rapidly adjusting their techniques and modes of attack, moving much faster than organisations because they are unencumbered by red tape. One of the most effective ways to leverage threat intelligence is to partner with a reputable threat intelligence provider. They have their fingers on the pulse of trends in email-borne cybercrime, have the capacity to analyse threats at scale and can move fast to update your defences and block attacks.
Make sure your threat intelligence has context
Contextual intelligence means combining the basic data analytics generated by your internal security tools, such as firewall logs, with external threat intelligence data. This will enable you to contextualise the two data streams in terms of the latest security risks and give you visibility into how these threats relate to your organisation. While that means you’ll need a system to do this (or engage an external partner who can), having contextual threat intelligence will help you to:
Prioritise security measures for different business-critical assets
Communicate information on the biggest security risks in language decision-makers understand
Move from tactical firefighting to a strategic approach to security, freeing up your resources
Strategic threat intelligence can also help guide the allocation of budgets and resources on key cybersecurity issues.
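The correlation step described above, as an added example that is not part of the original article: internal firewall log lines are matched against an external feed of indicators, and each match is ranked by the business criticality of the asset involved. The log format, the feed schema, the asset inventory and all addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
# Added example (not from the article): contextualise internal firewall logs with an
# external threat-intel feed. Feed, inventory and log lines are constructed, not real.
from collections import defaultdict

# Constructed external feed: indicator -> (threat category, confidence 0-100)
THREAT_FEED = {
    "203.0.113.10": ("phishing-credential-harvest", 90),
    "198.51.100.77": ("malware-c2", 70),
    "192.0.2.5": ("scanner", 30),
}

# Constructed asset inventory: host -> business criticality, 1 (low) to 3 (high)
ASSETS = {"fin-app-01": 3, "hr-laptop-12": 2, "kiosk-04": 1}

# Constructed firewall log lines: timestamp src_host dst_ip dst_port action
FIREWALL_LOG = """\
2021-03-01T09:12:03Z fin-app-01 203.0.113.10 443 ALLOW
2021-03-01T09:12:09Z kiosk-04 192.0.2.5 80 ALLOW
2021-03-01T09:13:44Z hr-laptop-12 198.51.100.77 8443 ALLOW
2021-03-01T09:14:02Z hr-laptop-12 198.51.100.77 8443 ALLOW
2021-03-01T09:15:30Z fin-app-01 198.51.100.200 443 ALLOW
2021-03-01T09:16:11Z kiosk-04 203.0.113.10 443 DENY
"""

def parse_log(text):
    """Yield (src_host, dst_ip, action) from the constructed log format."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5:
            yield fields[1], fields[2], fields[4]

def contextualise(log_text, feed=THREAT_FEED, assets=ASSETS):
    """Match allowed connections against the feed; rank by criticality * confidence."""
    hits = defaultdict(int)
    for host, dst, action in parse_log(log_text):
        if action == "ALLOW" and dst in feed:  # DENY was already blocked at the edge
            hits[(host, dst)] += 1
    findings = []
    for (host, dst), count in hits.items():
        category, confidence = feed[dst]
        criticality = assets.get(host, 1)  # unknown hosts default to low criticality
        findings.append({"host": host, "indicator": dst, "category": category,
                         "hits": count, "priority": criticality * confidence})
    return sorted(findings, key=lambda f: f["priority"], reverse=True)

if __name__ == "__main__":
    for f in contextualise(FIREWALL_LOG):
        print(f"{f['priority']:4d} {f['host']:<13} {f['indicator']:<15} {f['category']} x{f['hits']}")
```

The same indicator ranks higher when a business-critical host reached it, which is the prioritisation the section describes; a denied connection is left out because the control already acted on it.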
Leverage predictive intelligence to reduce the risk of attack
While traditional threat intelligence involves historical analysis of who was behind an attack, analysing post-breach information does little to protect against the next threat. A predictive approach to threat intelligence identifies an organisation’s vulnerabilities and an attacker’s most likely targets, then recommends actions to strengthen its protection. For example, employees who regularly click on suspicious emails and links can be identified and educated to minimise the likelihood of future breaches.
Make sure your teams are positioned to act on threat intelligence
Effective threat intelligence programs do not just generate alerts; they translate information into action. A good threat intelligence program should be able to inform the decision-making around preventing, detecting, and responding to attacks. One way to achieve this is by arranging intelligence into easy-to-understand charts or live dashboards. The most pertinent information should be identified, and recommendations should be made outlining priorities and potential courses of action. The information on these dashboards should point decision-makers towards pre-defined procedures, such as a ransomware response or patch management.
Threat intelligence is only as good as the actions taken in response to the data. It takes a skilled and well-resourced team to make the best use of the insights threat intelligence reveals, and to translate those insights into stronger cybersecurity.