7 universal rules of threat intelligence

Threat intelligence is now available that allow companies to stay one, or even a few, steps ahead of hackers.

1 threatening


Cybersecurity is a heroic task. Every day, businesses and organizations face an onslaught of attacks from malicious actors across the globe. As part of your organization’s cybersecurity efforts, it is your job to not just catch these attacks as they happen, but try to mitigate threats and prevent them before anything occurs.

No matter what type of threat intelligence you choose, there are a handful of good practices that any company can practice. Open source information, available freely on the web, can help companies anticipate and prepare for future attacks.

Recorded Future goes over the seven universal rules of threat intelligence – what you should be doing no matter what, whether you use a platform or not.

2 google

Rule #1: Google it

Google may not explore the “deep” or “dark” web, but it’s still incredibly useful. We all use Google on a daily basis, and there should be no exception for cybersecurity. There is plenty of chatter and intelligence generated every day that we can learn from. After all, most data is generated online. You’d be surprised at how much a company can stay ahead of the curve by just using an open web search engine. It’s no replacement for a dedicated threat intelligence provider, but it can’t hurt.

3 learn

Rule #2: Learn from others

It’s true that we’ve entered uncharted territories with the scope of attacks and breaches. However, one upside to this spike in activity is that it gives us an excellent chance to learn from others in order to be better prepared. Cybersecurity is currently in its “wild west” phase and, the more we are able to learn from other attacks and hacks, the better prepared we will be.

Instead of just acknowledging that a breach occurred with another organization – look into it in detail. How did it happen? When did the first clue drop? How did the attacker get into the network? The more you study ongoing attacks, the more prepared your team will be for one.

4 github

Rule #3: Check Pastebin and GitHub

Pastebin and Github can be a major thorn in the side of many security teams. Personal information, passwords, and other sensitive information show up on Pastebin frequently as it is one of the world’s most popular text sharing websites.

Github, as the world’s biggest code repository, comes with its own set of problems. Anyone can upload source code regularly, which could include either your own stolen proprietary data, or code to exploit vulnerabilities in your systems. Monitor both of these sites regularly so that you can take appropriate action.

5 chat

Rule #4: Check the chatter

Many major attacks or breaches are talked about, out in the open, prior to the event itself. For example, TalkTalk’s major breach in 2015 had a significant amount of chatter building up to the actual attack. Some of this chatter will be out on the open web; some will be on the “deep” and “dark” web. Either way, paying attention to what hacking groups are talking about will keep your team alert and more prepared for any potential security issues.

threat intelligence

Rule #5: IOCs are your friend

Your team should always have indicators of compromise (IOC) at the top of mind. Geographical irregularities, strange IP addresses, strange activity or high spikes in traffic can all mean that an attack is occurring or a breach has happened.


This is somewhat effective on a manual level, but to keep up with the scope and nature of attacks, it is best to utilize a threat Intelligence provider. Some providers are able to use machine learning to flag these events in real-time, which can mean the difference between stopping an attack in its tracks or having to clean up after it.

7 ttp

Rule #6: Know your TTPs

Put yourself in the mindset of an attacker; What are your network’s vulnerabilities? What are the top attack routes? Analyze this first on your own, and then by looking at your adversaries’ own tactics, techniques and procedures (TTP). Since much of this information is freely available and discussed on the internet, your team is able to get in the mindset of the potential attackers. By preparing for all your nightmare “what-if” scenarios, your team will sleep safer at night and be able to do their job more effectively.

8 anything goes

Rule #7: Know That Anything Goes

It’s important that your team is flexible and open-minded when it comes to your organization’s security threats. While many attackers will operate with similar patterns and TTPs, some will not. A good rule of thumb is to not rule out any possibilities, no matter how implausible, without a proper investigation first.

Head to our Facebook page to comment.

Copyright © 2017 IDG Communications, Inc.

Related Slideshows