If you want to get value from threat intelligence, learn to focus on the important stuff


With the numerous security blogs and news outlets (probably too many), not to mention the paid threat feeds you can subscribe to, how do you stay on top of relevant security news and, for that matter, threat intelligence? One way might be to limit yourself to a few podcasts and follow a couple of trusted blogs. Personally, I haven’t found that to be an effective way of staying current on cyber threats and developments in cyber security. Limiting the number of sources you review certainly reduces the amount of time you spend on the process. But it almost certainly reduces the amount of information you are analyzing, which means that over time, you will end up missing critical posts.

Just for the sake of clarity, I am equating the process of staying current on threats and developments in cyber security with consuming threat intelligence, or at least it’s part of the larger whole of what is commonly referred to as threat intelligence.

Areas of focus

So what’s my method? Before I get into that, let me break down the categories I think it is important to stay current on, in no particular order.

  1. New tactics, techniques and procedures (also known as TTPs) that bad actors are using. This might include new malware techniques, new technology platforms being targeted, or just tweaks to existing TTPs. This also includes areas where researchers are discovering new TTPs. Even if the bad actors aren’t using them yet, they probably will be soon.
  2. Breaking news including incidents, breaches, or new vulnerabilities found. This is a tricky topic because most news outlets only provide superficial details. It’s important to find the sources that provide as much detail as is publicly available.
  3. Geopolitical news such as tensions in a region, or new goals and strategies communicated by nations and their leaders. Why is this important? When nations take an aggressive stance, companies doing business with perceived enemies can become collateral damage. Another example is China’s updated five-year plans, which are frequently followed by targeted intrusions that help that country achieve its stated goals.
  4. Technology applications in areas such as IoT and Industrial Control Systems (ICS). These technology areas can add attack surface to your environment or risk through collateral damage. For example, IoT devices being used to launch DDoS attacks against your environment, your clients’, or your business associates’. Also think of ICS devices being connected to the Internet.
  5. New strategies and tools that other security teams are using and you aren’t. While this isn’t exactly threat intelligence, it certainly fits with the workflow of following trends and taking action. In that sense, this is a perfect fit for the practice as you stay current on trends and learn from other people’s successes.

Sifting through the chaff

I find the most efficient way for me to stay on top of these 5 categories is by using Feedly, and I have over 160 sources set up across a few “feeds” as Feedly calls them. I also use Feedly’s Boards as a placeholder for posts I want to read more in depth. Another added benefit: I can also share those boards with colleagues. Why so many sources, you ask? One reason is that many sources are threat researchers and incident investigators. By the nature of the work, researchers and investigators only see the cases they are working on. Unfortunately, there is no unifying research or breach investigation body where you can tune in and learn about the latest issues. Therefore, you have to follow as many of these teams as you can if you want to stay current on what they are all seeing. But keep in mind that many of these blogs are only updated every few days. Still, it is a commitment of time and focus. Once you start working with a system, though, you can become more efficient checking the daily updates. I also find that my system helps me stay consistent and I’m less likely to forget to check a particular source.
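As an added illustration (not the author’s Feedly setup, and not code from the original post), here is the same sift-and-sort workflow as a small Python script: it parses a handful of RSS feeds, drops syndicated duplicates by normalized link, files each post under whichever of the five areas above its keywords hit, and keeps a catch-all bucket so a post that matches nothing still shows up for review instead of being silently lost. The feed contents, URLs and keyword rules are constructed for the example.

```python
"""Offline triage of security RSS feeds into the five areas of focus.

Added example, not the author's Feedly setup. Feed contents below are
constructed sample data, not real posts; keyword rules are hypothetical.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# One keyword list per area of focus. Matching is whole-word and tolerates a
# trailing "s", so "ics" hits "ICS gateways" but not "physics".
CATEGORY_RULES = {
    "ttp": ["ttp", "technique", "malware", "loader", "phishing",
            "living off the land", "lolbin", "c2"],
    "breaking": ["breach", "incident", "cve-", "vulnerability",
                 "zero-day", "0-day", "exploited"],
    "geopolitical": ["sanction", "five-year plan", "nation-state",
                     "geopolitical", "tension"],
    "iot_ics": ["iot", "ics", "scada", "plc", "botnet", "ddos", "modbus"],
    "defense": ["detection rule", "sigma", "yara", "open-source tool",
                "playbook", "blue team"],
}
COMPILED = {cat: [re.compile(r"\b" + re.escape(kw) + r"s?\b") for kw in kws]
            for cat, kws in CATEGORY_RULES.items()}


def parse_rss(xml_text, source):
    """Return a list of entry dicts from an RSS 2.0 document."""
    root = ET.fromstring(xml_text)
    return [{"source": source,
             "title": (item.findtext("title") or "").strip(),
             "link": (item.findtext("link") or "").strip(),
             "summary": (item.findtext("description") or "").strip()}
            for item in root.iter("item")]


def classify(entry):
    """Every category whose rules match title or summary (a post may hit several)."""
    text = f"{entry['title']} {entry['summary']}".lower()
    return [cat for cat, pats in COMPILED.items() if any(p.search(text) for p in pats)]


def dedupe_key(entry):
    """Syndicated posts share a link: drop tracking params, fragment and trailing
    slash. Fall back to a normalized title when a feed carries no links."""
    link = entry["link"].split("?", 1)[0].split("#", 1)[0].rstrip("/").lower()
    return link or re.sub(r"[^a-z0-9]+", " ", entry["title"].lower()).strip()


def triage(feeds):
    """feeds: iterable of (source_name, rss_xml). Returns {category: [entries]};
    entries matching no rule land in 'unsorted' so nothing is dropped unseen."""
    seen, buckets = set(), defaultdict(list)
    for source, xml_text in feeds:
        for entry in parse_rss(xml_text, source):
            key = dedupe_key(entry)
            if key in seen:
                continue
            seen.add(key)
            entry["categories"] = classify(entry) or ["unsorted"]
            for cat in entry["categories"]:
                buckets[cat].append(entry)
    return dict(buckets)


def digest(buckets):
    """Render the daily check-in, one line per (category, post), unsorted last."""
    return "\n".join(f"[{cat}] {e['title']}  ({e['source']})"
                     for cat in list(CATEGORY_RULES) + ["unsorted"]
                     for e in buckets.get(cat, []))


# Constructed sample feeds. The news feed syndicates the lab's loader post
# under a different title, with the same link minus the tracking parameter.
LAB_FEED = """<rss version="2.0"><channel><title>Research lab</title>
<item><title>New loader abuses living off the land binaries to stage C2</title>
<link>https://lab.example/posts/lotl-loader?utm_source=rss</link>
<description>Analysis of a loader technique observed in recent intrusions.</description></item>
<item><title>Botnet of compromised IoT cameras launches record DDoS</title>
<link>https://lab.example/posts/iot-botnet</link>
<description>Internet-exposed ICS gateways were also enrolled.</description></item>
<item><title>Zero-day in a widely used VPN appliance actively exploited</title>
<link>https://lab.example/posts/vpn-zero-day</link>
<description>Vendor has not yet released a fix; details are thin.</description></item>
</channel></rss>"""
NEWS_FEED = """<rss version="2.0"><channel><title>News outlet</title>
<item><title>Researchers warn of new loader using living-off-the-land tricks</title>
<link>https://lab.example/posts/lotl-loader/</link>
<description>Syndicated summary.</description></item>
<item><title>Sanctions announced amid rising regional tensions</title>
<link>https://news.example/world/sanctions</link>
<description>Companies doing business in the region brace for fallout.</description></item>
<item><title>Company reports quarterly results</title>
<link>https://news.example/business/q3</link>
<description>Revenue up on strong cloud sales.</description></item>
</channel></rss>"""
BLUE_FEED = """<rss version="2.0"><channel><title>Blue team blog</title>
<item><title>Open-sourcing our Sigma rules for phishing lure detection</title>
<link>https://blue.example/sigma-phishing</link>
<description>Detection rules from a recent engagement, plus a playbook.</description></item>
</channel></rss>"""
SAMPLE_FEEDS = [("Research lab", LAB_FEED), ("News outlet", NEWS_FEED),
                ("Blue team blog", BLUE_FEED)]

if __name__ == "__main__":
    print(digest(triage(SAMPLE_FEEDS)))
```

Running it prints seven digest lines for the six unique posts (the Sigma post files under both TTPs and defensive tooling). In practice you would replace the embedded strings with feeds fetched from your own source list (an OPML export works well) and grow the keyword rules from whatever keeps landing in the unsorted bucket, which is the same feedback loop as pruning and adding Feedly sources.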

If you’re still not convinced you have the time, patience or skills to stay current on the categories I outlined above, I would suggest you take a look at our Developing Enterprise Threat Intelligence course or contact us about getting set up to receive regular threat briefings.