Cyber Threat Intelligence Program
By Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP
Cyber threat intelligence provides visibility into the threat landscape. Threat intelligence should feed implementation of security monitoring (looking forward) and threat hunting (looking backward). Take action against new adversarial tactics to protect assets such as payments, sensitive data and intellectual property.
I. Threat Intelligence Data Sources
Subscribe to cybersecurity advisories and integrate threat intelligence feeds into SIEM security log monitoring at a minimum.
II. Intake Process
Receiving advisories is only the first step. Each team member may think someone else is addressing an advisory or alert. Therefore, it is necessary to have an intake process to ensure each message is addressed. Here are options:
III. Processing an Advisory
Critically evaluate each advisory, considering whether it makes sense to:
IV. Take action!
Risk exists when controls are not deployed. Stack rank security issues in order of risk priority. Be aggressive when it comes to closing them out. Measure performance of the cyber threat intelligence program with quality assurance and metrics.
If you need cybersecurity program or assessment support, feel free to give me a call.
Click here for more professional development tips
By Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP
Cyber threat intelligence provides visibility into the threat landscape. Threat intelligence should feed implementation of security monitoring (looking forward) and threat hunting (looking backward). Take action against new adversarial tactics to protect assets such as payments, sensitive data and intellectual property.
I. Threat Intelligence Data Sources
Subscribe to cybersecurity advisories and integrate threat intelligence feeds into SIEM security log monitoring at a minimum.
- Mailing Lists - US-CERT
- Alerts: Timely information about current security issues, vulnerabilities, and exploits
- Analysis Reports: In-depth analysis on new or evolving cyber threats
- Bulletins: Weekly summaries of new vulnerabilities. Patch information is provided when available
- Tips: Advice about common security issues for the general public
- Current Activity: Up-to-date information about high-impact types of security activity affecting the community at large
- Known Exploited Vulnerabilities Catalog - CISA
- Reducing Significant Risk
- Catalog
- Subscribe to Email Updates
- Vendor Cybersecurity Advisories (e.g. Microsoft)
- InfraGard (Only available to US citizens)
- Information Sharing and Analysis Centers (ISACs)
- Create a Google E-mail Alert (e.g. Compromised OR breached OR hacked)
II. Intake Process
Receiving advisories is only the first step. Each team member may think someone else is addressing an advisory or alert. Therefore, it is necessary to have an intake process to ensure each message is addressed. Here are options:
- When an advisory is received, assign a team member to process it
- Have a periodic meeting to analyze threat intelligence
- Enter each advisory into a log to ensure it is processed
III. Processing an Advisory
Critically evaluate each advisory, considering whether it makes sense to:
- Implement a hardening security configuration as a preventive control
- Create a new security monitoring alert
- Create an analysis report when it is difficult to create an alert with low false positives/negatives
- Conduct threat hunting activity
IV. Take action!
Risk exists when controls are not deployed. Stack rank security issues in order of risk priority. Be aggressive when it comes to closing them out. Measure performance of the cyber threat intelligence program with quality assurance and metrics.
If you need cybersecurity program or assessment support, feel free to give me a call.
Click here for more professional development tips
