Action Counts More Than Intention: Make Threat Intelligence Actionable

By PRODAFT Team on October 30, 2023

The more you know about your organization’s unique risk profile, the better equipped you are to protect it.


Threat intelligence has an important role to play in incident response. Deciding whether to escalate a security event to a security incident requires context that isn’t always readily available.


Attackers rarely announce themselves. By the time an intrusion is loud enough to be unmistakable, it is usually too late. Most of the time, early-stage activity surfaces only as subtle indicators of compromise.

It may be an unexpected connection to an external host in a country the business does not operate in. It could be an unknown executable launching scripts it has no business running. In a credential-based attack, it may be a successful login with valid credentials from an unfamiliar device or location.

These are not “aha!” moments. They’re better described as “that’s odd…” moments. 

Blocking an unauthorized connection or terminating an unknown process doesn’t necessarily stop the attack. In most cases, it simply delays threat actors from achieving their goals. To do more, you must know more.


Threat Intelligence Contextualizes Security Events

Successfully mitigating early-stage cyberattacks requires deep insight into how threat actors plan on carrying them out. Comprehensive threat intelligence provides the context security professionals need to predict their adversaries’ attack patterns.


This context is one of the most important tools incident responders have in their arsenal. It can provide a wealth of information about the attack itself, as well as the threat actors behind it.


Here are just a few examples of the kind of insight incident responders can leverage using threat intelligence:


  • Indicators of compromise (IoCs): Knowing what kind of attack is taking place enables security teams to check for specific indicators of compromise related to that attack or campaign. This reduces the amount of time it takes to determine how widespread the attack is and what kind of damage may result from it.
  • Tactics, techniques, and procedures (TTPs): Knowing how a threat actor operates is the key input for building incident response playbooks that counter their specific techniques. If these playbooks are built, deployed, and automated ahead of time, business disruption can be kept to a minimum.
  • Threat actor motivations: Knowing which threat actors are behind an attack helps security teams identify the attack’s overall goal and scope. This helps incident responders make quick decisions about how to distribute security resources effectively.


But not all threat intelligence data feeds provide this kind of value. In fact, generic threat intelligence data can actually make it harder for incident responders to identify early-stage attacks.

Open Source Threat Intelligence Data Feeds Can Overwhelm the Discovery Process

Many reputable organizations make open source threat intelligence feeds freely available to the industry. These feeds aggregate an extremely large volume of threat data and publish detailed information about each entry.


The problem is that these feeds cover almost every kind of threat against every kind of technology stack. Open source providers typically do little or no curation, because curation costs effort that free publication cannot recover. The job of deciding what is relevant falls on the user.


In this case, the user is often a security analyst who has just discovered unusual behavior on their network. There is no time to patiently conduct manual queries and identify whether this activity fits a known threat profile, and then conduct additional research to find out if the organization itself is vulnerable to it.


The volume of data added to these feeds every day makes that approach unworkable. Security professionals cannot act on the data because retrieving and understanding it takes too long, and larger indicator sets also generate more false positives, adding work for IT and security teams without a corresponding security benefit.


This means that very few analysts actually take the time to conduct threat intelligence research even though they have the data available. The problem isn’t a lack of data, but a lack of context, a lack of time, and insufficient resources to generate value from the data.


Actionable Threat Intelligence Data Fits Your Organization’s Real-World Needs

For security teams to fully enjoy the benefits of actionable threat intelligence data, it must be contextualized for their actual environment beforehand. Instead of looking through hundreds of records to find the one case that applies to their organization, security professionals need that one case delivered to them automatically.


This matters even more for organizations that feed threat data into a Security Information and Event Management (SIEM) platform to enrich and correlate security events. SIEM vendors commonly charge by ingested data volume, so loading a generic, uncurated feed into the SIEM drives up cost quickly while adding little that applies to the organization.


What organizations need is a threat intelligence feed that fits their risk profile and contextualizes threats accordingly. Security professionals need intelligence-led data that is verified, timely, and actionable – without requiring additional hours of manual queries on their part.
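As an added illustration of the three kinds of context listed earlier (IoCs, TTPs, actor) and of the pre-filtering this section argues for, the Python below curates a feed down to the organization's own stack, then matches proxy log lines against it and emits enriched alerts. This is example code written for this article, not PRODAFT or U.S.T.A. code; the feed records, the organization profile, the `ACTOR-*`/`CAMP-*` labels and the log lines are all constructed for the illustration, and the indicator values are documentation-range addresses and reserved names rather than real threat infrastructure.

```python
"""Context-enriched matching of proxy logs against a feed pre-filtered to the
organisation's stack.

Added example, not PRODAFT or U.S.T.A. code. The feed records, the
organisation profile and the proxy log lines are all constructed for this
illustration; the indicator values use documentation/reserved addresses and
names, not real threat infrastructure.
"""
import re

# Constructed feed. Each record carries the context the article lists
# (indicator, actor, campaign, TTP, kill-chain stage) plus the technology the
# campaign is known to go after.
FEED = [
    {"type": "domain", "value": "update-check.example", "actor": "ACTOR-A",
     "campaign": "CAMP-1", "ttp": "T1071.001 Web Protocols",
     "stage": "command-and-control", "targets": {"windows", "exchange"}},
    {"type": "ipv4", "value": "203.0.113.7", "actor": "ACTOR-B",
     "campaign": "CAMP-2", "ttp": "T1041 Exfiltration Over C2 Channel",
     "stage": "exfiltration", "targets": {"linux", "log4j"}},
    {"type": "domain", "value": "ics-portal.example", "actor": "ACTOR-D",
     "campaign": "CAMP-4", "ttp": "T0883 Internet Accessible Device",
     "stage": "initial-access", "targets": {"scada"}},
]

# Constructed organisation profile: what the SOC actually runs.
ORG_STACK = {"windows", "exchange", "log4j"}

# Constructed proxy log lines in a simple key=value format.
LOG_LINES = [
    "ts=2023-10-30T08:01:12Z src=10.0.0.5 dst=203.0.113.7 host=- action=allow",
    "ts=2023-10-30T08:01:13Z src=10.0.0.5 dst=198.51.100.9 host=update-check.example action=allow",
    "ts=2023-10-30T08:02:40Z src=10.0.0.9 dst=198.51.100.44 host=ics-portal.example action=allow",
    "ts=2023-10-30T08:03:00Z src=10.0.0.7 dst=192.0.2.1 host=cdn.example action=allow",
]

# An outbound match on C2 or exfiltration infrastructure means an internal host
# already has a foothold, so it escalates straight to an incident; an
# initial-access indicator is an attempt that still needs confirmation.
PRIORITY_BY_STAGE = {"exfiltration": "critical", "command-and-control": "high",
                     "initial-access": "medium"}
_KV = re.compile(r"(\w+)=(\S+)")


def relevant_records(feed, org_stack):
    """Curation step: keep only records aimed at something the organisation runs.

    This is what keeps generic-feed volume (and per-GB SIEM ingestion cost)
    from reaching the SIEM in the first place.
    """
    return [r for r in feed if r["targets"] & org_stack]


def build_index(records):
    """Map (indicator type, lower-cased value) -> record for O(1) lookups."""
    return {(r["type"], r["value"].lower()): r for r in records}


def parse_line(line):
    """Parse one key=value log line into a dict."""
    return dict(_KV.findall(line))


def match_events(log_lines, index):
    """Return context-enriched alerts for lines whose dst IP or host is a known indicator."""
    alerts = []
    for line in log_lines:
        ev = parse_line(line)
        for kind, value in (("ipv4", ev.get("dst", "")), ("domain", ev.get("host", ""))):
            rec = index.get((kind, value.lower()))
            if rec is None:
                continue
            alerts.append({
                "ts": ev["ts"], "src": ev["src"], "indicator": value,
                "actor": rec["actor"], "campaign": rec["campaign"], "ttp": rec["ttp"],
                "priority": PRIORITY_BY_STAGE.get(rec["stage"], "low"),
            })
    return alerts


def contextualise(feed=FEED, org_stack=ORG_STACK, log_lines=LOG_LINES):
    """End-to-end: curate the feed, index it, match it against the logs."""
    return match_events(log_lines, build_index(relevant_records(feed, org_stack)))


if __name__ == "__main__":
    for alert in contextualise():
        print(alert)
```

With the constructed data, the curated feed produces two alerts (the exfiltration-stage IP and the C2 domain, each tagged with actor, campaign, TTP and a priority the on-call analyst can act on), while the unfiltered feed would have produced three. The dropped ICS indicator is the trade-off the article describes: the filter is only as good as the organization profile behind it, so that profile has to come from a maintained asset inventory rather than a guess.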

Log4j demonstrates the importance of network-specific context

The disclosure of Log4Shell (CVE-2021-44228), a remotely exploitable flaw that had been present in the Log4j 2 logging library since 2013, shook the global cybersecurity community in December 2021. As soon as it was published, security practitioners around the world began scrambling to find out whether they were affected.


However, the vulnerability does not affect every version of Log4j. CVE-2021-44228 affects Log4j 2 from 2.0-beta9 through 2.14.1 and was fixed in 2.15.0, with backported fixes in 2.12.2 (Java 7) and 2.3.1 (Java 6); follow-up issues in the same lookup code were closed in 2.16.0, 2.17.0 and 2.17.1. (The range "2.0-beta7 to 2.17.0, excluding 2.3.2 and 2.12.4" that is sometimes quoted alongside it belongs to the later, lower-severity JDBC Appender issue, CVE-2021-44832, which requires write access to the logging configuration.) Log4j 1.x is a separate code base that does not contain the vulnerable JNDI lookup, although it is end-of-life and has unrelated issues of its own.


Security teams with contextualized threat intelligence can quickly determine which of their applications ship a susceptible version of the logging framework. That determination is only as good as the software inventory behind it: Log4j is usually a transitive dependency, and it is often bundled inside other vendors' jars and appliances, which is where many organizations were caught out. If the inventory shows that no vulnerable version is in use, there is no need to include the entry in the feed incident responders rely on to contextualize attacks.
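The applicability check described above, as an added example that is not PRODAFT code: a feed entry for CVE-2021-44228 is tested against a software inventory, and the entry is forwarded only if at least one application is actually exposed. The affected ranges are Apache's published ones for this CVE, encoded as half-open ranges so that the backported fix releases 2.3.1 and 2.12.2 fall outside the affected set; the inventory, the application names and the `mitigated` flag (meaning `JndiLookup.class` was removed from the jar) are constructed for the illustration.

```python
"""Decide whether a Log4Shell (CVE-2021-44228) feed entry applies to the
organisation's own inventory.

Added example, not PRODAFT code. The inventory is constructed; the affected
version ranges are those Apache published for CVE-2021-44228 (2.0-beta9 up to
2.14.1, fixed in 2.15.0 with backports 2.3.1 and 2.12.2).
"""
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(text):
    """Turn '2.0-beta9', '2.12.2' or '2.4' into a sortable tuple.

    Pre-release tags sort before the final release of the same number, which
    matters here because the vulnerable lookup first shipped in 2.0-beta9:
    2.0-beta8 < 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    if tag:
        return (int(major), int(minor), int(patch or 0), 0, _PRE_RANK[tag], int(tag_num))
    return (int(major), int(minor), int(patch or 0), 1, 0, 0)


# Half-open ranges [first affected, first fixed) for CVE-2021-44228. Using the
# backported fix releases as range boundaries keeps 2.3.1 and 2.12.2 out of the
# affected set even though they are numerically below 2.15.0.
LOG4SHELL_AFFECTED = [
    ("2.0-beta9", "2.3.1"),
    ("2.4", "2.12.2"),
    ("2.13.0", "2.15.0"),
]


def is_affected(version, ranges=LOG4SHELL_AFFECTED):
    """True if the given log4j-core version falls inside any affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


# Constructed inventory: (application, artifact, version, mitigation applied).
# "mitigated" stands for JndiLookup.class having been removed from the jar.
INVENTORY = [
    ("billing-api", "log4j-core", "2.14.1", False),
    ("search-svc", "log4j-core", "2.12.2", False),   # backported fix, not affected
    ("reporting", "log4j-core", "2.0-beta8", False),  # predates the JNDI lookup
    ("legacy-batch", "log4j", "1.2.17", False),       # Log4j 1.x, different code base
    ("auth-gateway", "log4j-core", "2.13.3", True),   # vulnerable version, mitigated
]


def affected_applications(inventory, ranges=LOG4SHELL_AFFECTED):
    """Return (app, version) pairs that run a vulnerable, unmitigated log4j-core."""
    hits = []
    for app, artifact, version, mitigated in inventory:
        if artifact != "log4j-core":
            continue  # only the 2.x core artifact contains the vulnerable lookup
        if is_affected(version, ranges) and not mitigated:
            hits.append((app, version))
    return hits


def feed_entry_is_actionable(inventory, ranges=LOG4SHELL_AFFECTED):
    """The curation decision: forward the entry only if something is exposed."""
    return bool(affected_applications(inventory, ranges))


if __name__ == "__main__":
    print("exposed:", affected_applications(INVENTORY))
    print("forward CVE-2021-44228 entry to responders:", feed_entry_is_actionable(INVENTORY))
```

On the constructed inventory only `billing-api` is exposed, so the entry is actionable; swap in an inventory where every application is on 2.17.1 and the same entry is dropped. Two caveats a practitioner would add: the check is only as trustworthy as the inventory, which has to include transitive dependencies and jars nested inside other jars, and a vulnerable version is a necessary but not sufficient condition for exploitability, since attacker-controlled input still has to reach a logger.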


If the organization is not vulnerable to the flaw, threat actors known to have exploited Log4Shell (such as Hafnium, Phosphorus, and Aquatic Panda) cannot use it against that organization, so the information is not actionable for that organization's specific risk profile.

Implement Actionable Insights Your Team Can Use Starting Today

PRODAFT’s 24/7 threat intelligence platform U.S.T.A. consolidates the threat intelligence landscape and provides access to the latest threat data available. But PRODAFT doesn’t just grant visibility into the threat landscape – we filter out the noise that prevents security teams from making use of that information. Request a demo to find out how PRODAFT’s threat intelligence platform can help your organization respond to constantly evolving cybersecurity risks in real time.



