Five things to consider before building a threat intelligence program

Threat intelligence isn't easy, but there are some things and organization can do to get a program started

threat intelligence

Rebekah Brown, threat intelligence lead at Rapid7, recently sat down with Salted Hash to discuss the basics for building a threat intelligence program. It's a serious task, one that will take time and plenty of resources to accomplish. Even then, once the program is up and running, more time and resources will need to be dedicated to its care and maintenance.


Decision makers need to be on board with the process. Even with perfect execution, an organization cannot achieve real success or impact with their threat intelligence program unless they have buy-in or support from leadership.

"Make it as simple and relevant for them as possible; don't overwhelm them with technical details and scary-sounding possibilities that aren't very likely for your organization," Brown said.

Resources like the Verizon DBIR and other high level, strategic reports help illustrate the point that different sectors and organizations face different threats, Brown added.

The point is to get business leaders to understand that threat intelligence can help the company focus their security efforts on the threats that have the highest likelihood and highest impact.

When it comes to the pitch, both IT and InfoSec management (assuming the roles are split) should be the ones talking. Threat intelligence programs can support operations across the board, from augmenting security functions to keeping the systems up and running.

"Threat intelligence can help security teams operate more efficiently, and help IT managers understand the threats to the systems they have in place and contribute to planning for what new systems should be introduced," Brown said.


There needs to be a mixture of expertise that can build the threat intelligence program, set the strategy, and do the analysis of the threats facing the business.

Building and implementing are usually, though not always, two different skill sets, Brown said.

"Building a program, especially a new function like threat intelligence, is not an easy task. It includes things like defining the strategy, working with other teams within the organization, and hiring the necessary personnel."

The builders will need to understand the business needs of the organization, but also the nuances of threat intelligence so that they can shape and direct the program at all levels, strategic through tactical.

"In addition, it is important to have personnel who can understand the technical details of threats, things like understanding the TTPs of threat actors and how to identify or create alerts for them, and knowing the kill chain and how to identify where a particular threat is along that spectrum," Brown added.

"It is also very important to individuals in these roles to understand when a threat doesn't impact them in order to avoid propagating a lot of FUD. Threat Intel should be helping to save time and energy by focusing on true threats, and in order to do that, an organization needs people who know what those true threats are."

If the staffing doesn't exist in order to fill these roles, the company might have to hire them in some cases. But it's also possible the individuals who would fit the role were there all along, they just needed that extra push.

"Once an organization has some sort of security function in place, they can start to utilize basic threat intelligence. Generally speaking, SOC analysts, incident responders, security architects, and several others can all read the many public reports on various threat actors and start to assess whether that threat is a potential risk to their organization," Brown said.

"These professionals may also have relationships in sharing communities, formal or informal, where they're exposed to threat intelligence, they just need to develop internal processes or capabilities to act on it. Even if the threat intelligence they receive is occasional or incidental, it can still benefit the work they are already doing. Essentially, these exercises can become a framework for building more advanced capabilities."

Moreover, a company could invest and put a candidate into a threat intelligence training program, which can help develop skills in threat research, analysis, and reporting.

But, if the company honestly looking to build a new function, it's going to take someone with experience, and that's no easy task, because some of the most experienced people are already gainfully employed. Again, it isn't easy to find them, but those with experience are out there.

"There are security companies who can help with program development and can help guide an organization through the process, but having someone who understands the business priorities is critical -- no one else can tell an organization what information is most important to them," Brown added.

Understand typical user behaviors in the environment:

Understanding a user's typical behaviors and usage is essential, but if a clean base can't be established; any monitoring performed will be compromised. Therefore, it is critical to assess whether or not the organization has positive control of the environment prior to setting baselines.

"Conducting a compromise assessment prior to beginning any sort of baselining activity is a good idea. It can take several months to get a good understanding of what is typical user behavior, and it is not something that can be determined overnight," Brown said.

Typical baselines include when and where a user typically logs on; whether they usually download a lot of new software; or what other devices they typically access. All of these are behaviors that could be normal, and therefore attackers will try to emulate them.

"You have to know your own users better than the attackers do so that you can pick up when something is off - even just slightly off. On the other side, this also helps reduce false positives and keeps organizations from limiting their users unnecessarily. It all comes down to knowing yourself and your business."


Not only does this include knowing what is going on the network, but also the ability to look back at previous logs.

"A lot of technical threat intelligence is useless if you don't have the ability to identify whether it has been seen in your environment or take some sort of action to block or alert. It is important to capture network and endpoint logs because in many cases the endpoint is critical in determining the extent of a threat, as well as reducing false positives from network-based indicators, which are much more perishable than endpoint indicators," Brown sad.

Determining the type and scope of the most valuable logs is something each business has to do for themselves, there is no universal rule or single set of basics here.

The most important logs will likely be those centered on critical systems, such as those hosting debit and credit card data, health records, financial data, corporate IP, customer records, etc.

"Logs from critical servers or other sensitive resources are also very important. Basically, if you want to be able to answer any questions about whether or not a system was accessed or potentially compromised, you need to make sure that you have logging in place to answer those questions."

If a log retention policy doesn't exist, make one. Usually, the minimum is 90-days, but as last breaches have shown, compromised networks were found and the logs had long since rotated off the drive. If space isn't an issue, then storing logs for upwards of 200 days isn't a bad idea.

Capture information from the network, analyze it, and turn it into intelligence:

"Responding to and capturing information on your own incidents is the best threat intelligence you can ever gather," Brown said.

"Predictive analysis is certainly more appealing to most people, but the analysis done on an actual event in your network will help you not only respond the threat, but also improve the models you are using for analysis."

Some ways to gather this data:

  • Good old fashioned Incident Response
  • IDS/IPS and email filters that show attacks that were blocked.

IDS/IPS alerts are often ignored because they indicate an attack was stopped, but if there was a motivated attacker behind those attacks they're using their failures as lessons learned to attack you better next time.

“If we have the options to also learn from our attackers failures we should take those opportunities, otherwise we are going to be learning from their successes,” Brown said.

  • Reporting by employees of suspicious emails, pop ups, social engineering attempts, and other information that may have been missed by technical means

In addition, Honeypots or Honeynets can be used to gather even more information about attacker behaviors, including new tools or tactics they are using or testing out to get around current security measures.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)