Threat Intelligence for Small Organizations
Many smaller organizations aren’t sure where to start with threat intelligence; it may seem like the kind of maturity reserved for large organizations. Threat intelligence is a proactive cybersecurity strategy focused on collecting information about current threats, analyzing it, and using that information to identify and mitigate threats within the network. It’s approachable even for smaller organizations that don’t have the resources for novel research and analysis.
How can I get started on threat intelligence?
- Many organizations, like the Cyber Threat Alliance (CTA) and some government agencies, provide free threat intelligence resources and alerts. In some cases, these are provided as flat files that can be imported into a firewall or other security appliance for automated blocking. By relying on these sources, a small organization draws on a much larger pool of skilled analysts for fresh threat intelligence.
- When possible, use automation to handle data collection and analysis tasks, freeing up limited security resources to focus on more skilled tasks.
- Stay current on information security threats by reading news, blogs, and reputable social media sources. Focus on threats specific to your industry; the threat landscape can vary depending on the industry.
What do I need to take advantage of threat intelligence?
- Skilled personnel – Security practitioners should have the expertise to review threat intelligence, understand what it means, and judge the impact of the threat on their organization.
- Threat feeds – The security team needs access to the latest threats, vulnerabilities, and attacker TTPs (Tactics, Techniques, and Procedures). Threat feeds help create hypotheses and guide investigations.
- Comprehensive data sources – To compare threat intelligence with the organization’s own environment, it’s important to have visibility into data, network traffic, and log sources. A SIEM can help aggregate, analyze, and alert on security events.
- Incident response plan – Threat intelligence may uncover previously unidentified incidents within the organization. The organization should initiate its incident response plan when these incidents are discovered.
- Forensic and analysis tools – If an organization opts to research its own threats, it may need sandboxes or other analysis tools. Some of these tools are free; others are proprietary and/or subscription-based.
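The two ideas above that are easiest to put into practice at a small organization are importing a flat-file indicator list (as described under getting started) and comparing that intelligence with your own log sources (the comprehensive data sources requirement). The following example is added here for illustration and is not code from the original post, from Sedara, or from any feed vendor: it parses a constructed flat-file feed containing IP, CIDR, and hostname indicators, then scans a handful of constructed firewall-style log lines and reports which lines touch a listed indicator. The feed and log formats are assumptions chosen for the example; a real firewall import or SIEM lookup would use the appliance’s own format.

```python
"""Match a flat-file threat feed against local log lines.

All sample data below is constructed for this example and uses only
documentation address ranges (RFC 5737 / RFC 3849) and the .example TLD.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample feed: one indicator per line, '#' starts a comment.
# Mixed IPv4, IPv6, CIDR and hostname entries, as free feeds often are.
SAMPLE_FEED = """\
# constructed example feed, not a real blocklist
203.0.113.7
198.51.100.0/24
malicious.example   # hostname indicator
  2001:db8::dead:beef
"""

# Constructed sample logs in a generic key=value firewall/proxy style.
SAMPLE_LOGS = [
    "src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow",
    "src=10.0.0.9 dst=198.51.100.42 dport=80 action=allow",
    "src=10.0.0.12 dst=192.0.2.44 host=example.org action=allow",
    "src=10.0.0.3 dst=192.0.2.10 host=cdn.malicious.example action=allow",
    "src=10.0.0.5 dst=2001:db8::dead:beef dport=22 action=allow",
]


@dataclass
class IndicatorSet:
    """Indicators split by type so each can be matched efficiently."""
    ips: set = field(default_factory=set)         # IPv4Address / IPv6Address
    networks: list = field(default_factory=list)  # IPv4Network / IPv6Network
    domains: set = field(default_factory=set)     # lowercase hostnames


def parse_feed(text: str) -> IndicatorSet:
    """Parse a flat-file feed: one indicator per line, comments stripped."""
    ind = IndicatorSet()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline/full-line comments
        if not line:
            continue
        try:
            if "/" in line:
                ind.networks.append(ipaddress.ip_network(line, strict=False))
            else:
                ind.ips.add(ipaddress.ip_address(line))
        except ValueError:
            # Not an address: treat as a hostname, normalised to lowercase.
            ind.domains.add(line.lower().rstrip("."))
    return ind


KV_RE = re.compile(r"(\w+)=(\S+)")


def match_log_line(line: str, ind: IndicatorSet) -> list:
    """Return a list of (field, value, indicator) hits for one log line."""
    fields = dict(KV_RE.findall(line))
    hits = []
    for key in ("src", "dst"):
        value = fields.get(key)
        if value is None:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue
        if addr in ind.ips:
            hits.append((key, value, str(addr)))
        for net in ind.networks:
            if addr in net:              # version mismatch is simply False
                hits.append((key, value, str(net)))
    host = fields.get("host")
    if host:
        h = host.lower().rstrip(".")
        for d in ind.domains:
            # Match the domain itself and any subdomain of it.
            if h == d or h.endswith("." + d):
                hits.append(("host", host, d))
    return hits


def scan_logs(lines, ind: IndicatorSet) -> list:
    """Return [(log line, hits)] for every line that touches an indicator."""
    results = []
    for ln in lines:
        hits = match_log_line(ln, ind)
        if hits:
            results.append((ln, hits))
    return results


if __name__ == "__main__":
    indicators = parse_feed(SAMPLE_FEED)
    for line, hits in scan_logs(SAMPLE_LOGS, indicators):
        for field_name, value, indicator in hits:
            print(f"ALERT {field_name}={value} matched feed entry {indicator}")
            print(f"      {line}")
```

Running the script flags four of the five constructed log lines: the exact IPv4 and IPv6 hits, the address inside the listed /24, and the subdomain of the listed hostname; the line to example.org is left alone. The same loop is what a SIEM lookup table or a firewall’s external blocklist does at scale, which is why the post stresses having log visibility in the first place.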
Threat intelligence feeds
Most organizations do not have the resources to generate their own custom threat intelligence, but they still want up-to-date information and indicators. These organizations can take advantage of threat intelligence feeds.
Some threat intelligence feeds are part of a subscription to premium services, like Fortinet’s threat intelligence feeds, which integrate into their firewall appliances.
Community-run, crowdsourced, or nonprofit organizations also offer threat intelligence feeds. Examples include AbuseIPDB (abuseipdb.com), HoneyDB (honeydb.io), and CISA’s Automated Indicator Sharing (https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/automated-indicator-sharing-ais).
Sedara also has a threat intelligence feed with limited data collected from daily operational work and analysis. This list integrates with FortiGate and Palo Alto firewalls. If you want to learn more about Sedara’s threat intelligence feed and related services, please complete the form and our team will contact you.
Learn more about how Sedara can help with end-to-end cybersecurity through its managed detection and response services.
Learn more about what MDR is in our blog, What is MDR?