New Report Promises Threat Intelligence 101

Global information security consultancy MWR InfoSecurity has produced a comprehensive new guide designed to provide organizations of all sizes with vendor-neutral advice on how to effectively build and evaluate threat intelligence programs.

The report, Threat Intelligence: Collecting, Analysing, Evaluating, was produced with support from the UK’s Centre for the Protection of National Infrastructure (CPNI) and CERT-UK.

It details everything from definitions of threat intelligence, to the importance of collecting, using and sharing information effectively, and finally provides some quick-win suggestions for organizations.

These include setting up RSS feed alerts from organizations identified as providing useful incident response reports, and identifying where existing internal TI processes might be taking place and how they can be better supported.

Crucially, the guide aims to dispel common myths, highlight good as well as bad practice, and break down everything currently marketed as threat intelligence into various sub-sections: for example, ‘operational’, ‘strategic’, ‘tactical’ and so on.

Principal report author David Chismon, who’s also senior security researcher at MWR InfoSecurity, explained to Infosecurity that too many IT leaders fail to do their research before making purchases.

“The most common mistake is to buy expensive and impressive sounding feeds without first sitting down and working out what the organization needs to know,” he argued. “Intelligence aims to fill holes in knowledge and so unless organizations know what holes they need to fill, threat intelligence can’t provide real value.”

Threat intelligence doesn’t necessarily require huge investments of time and money to be effective, he added.

“By proactively searching for the threats to them and working out how to respond to them, they will be inherently performing ‘threat intelligence’,” said Chismon.

“TI providers will be able to offer general information but for TI to be genuinely effective it needs to be driven by requirements and then actioned, both of which have to come from the organization rather than an external provider.”
