What is Threat Intelligence? 

Threat intelligence (TI) - or cyber threat intelligence - is information that a security organization gathers about potential and looming threats to its operations. Ideally, this should be a constant feed of information that informs automated prioritization of those threats and subsequent remediation efforts.

TI practitioners should look at their responsibilities as an effort to ensure every part of the security organization effectively leverages threat data as part of its day-to-day mission of detection, response, and overall risk management. With regard to TI, Forrester recently noted how – in the face of an increasingly complex threat landscape – security teams must adopt internal processes to manage threat intelligence and protect the business.

As threats loom ever larger for every industry around the globe, threat intelligence platforms can also be powerful tools for becoming more proactive. Sure, defense matters. But threat intelligence is information that also points to trends that may not necessarily be low-hanging attacks on the doorstep of a security operations center (SOC). In that case, the SOC can proactively hunt along those trend lines and strengthen security there.

Why is Threat Intelligence Important? 

Threat intelligence platforms are important because a security organization needs to be able to learn of potential threats as far in advance as possible so they can fend them off and plug any vulnerabilities threat actors may be attempting to exploit. TI is also important because it can be a significant bottom-line saver: the more threats you stop, the more money you save the business. Let's look at some of the advantages that highlight the importance of a solid TI program:

  • The all-important audit: This might seem like a slow, elaborate process, but the advantage of knowing exactly what your security organization needs from a TI program can't be overstated. Creating Prioritized Intelligence Requirements (PIRs) can help lead to an overall desired outcome.
  • Expanded access: Many TI vendors are now incorporating expanded access, helping to more overtly democratize TI and make it easier for security practitioners to access and act on. Actionable insights are now more seamlessly integrated into security devices and TI platforms.
  • Automated remediation: The democratization process doesn't just mean more access for human practitioners; it also denotes actual devices receiving actionable data and automatically shutting down an impending attack. Any worthwhile TI program or solution should make this process a hallmark.

Actionable threat intelligence has made leaps and bounds in recent years in terms of transitioning from a manual methodology to automating much of the process so that security organizations can actually use it – instead of just sitting on mountains of unanalyzed data and waiting for an attack.

Who Benefits From Threat Intelligence? 

Simply stated, everyone benefits from TI. It can make life easier for a SOC, can save money for the overall business, and can boost customer confidence in a company and its products. Because this page is aimed specifically at security professionals, the primary beneficiaries of TI are analysts and personnel within the security organization, as it directly eases threat detection and response. What are those benefits?

  • Time savings: Time spent manually searching for potential threats has become a serious challenge for SOCs lacking a competent TI framework. Leveraging automation, a well-organized TI solution can do much of the work, delivering time back to that SOC.
  • Reduced impacts of attacks: With attack surfaces expanding the world over, security organizations are overloaded in their efforts to defend themselves and customers from the sheer volume of threats. When a TI solution can lower the threat-to-noise ratio, overall security posture has room to improve.
  • Prioritization: Lowering the threat-to-noise ratio means prioritization can become a priority. Leveraging increasingly relevant technologies like artificial intelligence (AI) and machine learning (ML), SOCs can surface alerts that are valid and ready for immediate action.
  • Response efficiency: With prioritization comes more time to focus on other security business initiatives – if leveraged correctly. Being able to ignore the noise, respond to valid alerts, and neutralize threats faster means significant time savings. To this point, stakeholders must stay in contact with practitioners to identify other security areas that need attention.

Threat Intelligence Lifecycle 

Turning TI into actionable information is no easy task. A framework is needed to take raw data and turn it into real intelligence. But what kind of framework can keep pace with a constantly changing threat landscape? Let's define a TI lifecycle that can adapt to the present and the future.

Set a direction

Using PIRs can help guide the approach to setting a direction. The process typically begins with outlining a specific PIR and then defining a desired outcome.

Prioritize data to collect

Which intelligence will best serve the direction your team has defined? Depending on the use case, intelligence can come from multiple sources on the network as well as from endpoints, third-party vendors, the dark web, application security processes and platforms, and more. Collect data from all relevant sources to gain the most pertinent insights.

Set an analysis approach

At this level, leveraging as much automated analysis as possible is key to improving security. There is a manual approach to analysis that a SOC could take - and it can't be overstated that human review could yield even more insights - however, this comes with the cost of time. If threats are automatically classified, it's more likely they can be automatically remediated.

Disseminate analysis

The ultimate goal of this lifecycle should be to come away with useful intelligence that - after being thoroughly analyzed according to your framework - can be disseminated to security devices to automatically prevent an impending attack or threat.

Therefore, it is critical to build a solution that pulls intelligence from the right sources, automatically generates alerts with contextual information, and remediates threats automatically.
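As an added illustration of the collect, analyze and disseminate steps above (example code written for this page, not Rapid7's or any vendor's product), the script below correlates a constructed indicator feed against constructed proxy log lines, drops low-confidence noise, and emits prioritized alerts that carry the feed's context plus an automated block/review decision. All indicators, hosts and scores are made up for the example.

```python
"""Minimal threat-intelligence lifecycle: collect -> analyze -> disseminate.

Constructed data only: the indicators below are documentation/test addresses,
not real IoCs, and the scoring weights are illustrative assumptions.
"""
import re

# Collect: an in-memory indicator feed. Each entry carries source, confidence
# and a short context string so a match becomes an actionable alert.
INDICATORS = {
    "198.51.100.23": {"source": "vendor-feed", "confidence": 90,
                      "context": "C2 server tied to recent phishing campaign"},
    "bad-example.test": {"source": "dark-web-monitor", "confidence": 60,
                         "context": "lookalike of company brand domain"},
    "203.0.113.7": {"source": "internal-sighting", "confidence": 30,
                    "context": "scanner seen once, unconfirmed"},
}

# Constructed proxy log lines: timestamp, source host, destination, action.
LOGS = [
    "2024-05-01T10:00:01 host=ws-12 dst=198.51.100.23 action=allow",
    "2024-05-01T10:00:05 host=ws-12 dst=198.51.100.23 action=allow",
    "2024-05-01T10:01:10 host=ws-07 dst=bad-example.test action=allow",
    "2024-05-01T10:02:00 host=ws-30 dst=203.0.113.7 action=block",
    "2024-05-01T10:03:00 host=ws-30 dst=example.org action=allow",
]

LINE_RE = re.compile(r"host=(?P<host>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)")

def analyze(logs, indicators, min_confidence=50):
    """Analyze: correlate logs with the feed and return alerts sorted by priority."""
    hits = {}
    for line in logs:
        m = LINE_RE.search(line)
        if not m or m["dst"] not in indicators:
            continue
        ind = indicators[m["dst"]]
        if ind["confidence"] < min_confidence:
            continue  # low-confidence sightings stay out of the alert queue (noise)
        a = hits.setdefault(m["dst"], {"indicator": m["dst"], "hosts": set(),
                                       "allowed": 0, **ind})
        a["hosts"].add(m["host"])
        if m["action"] == "allow":
            a["allowed"] += 1
    for a in hits.values():
        # Priority: confidence weighted by traffic that actually got through,
        # plus a bump per affected host. Disseminate: decide the device action.
        a["priority"] = a["confidence"] * (1 + a["allowed"]) + 10 * len(a["hosts"])
        a["action"] = "block" if a["priority"] >= 150 else "review"
    return sorted(hits.values(), key=lambda a: -a["priority"])
```

Feeding `analyze(LOGS, INDICATORS)` to a blocking device or ticket queue is the dissemination step; lowering `min_confidence` shows how quickly unfiltered feeds turn into noise.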

What are the Types of Threat Intelligence?

Cybersecurity threat intelligence directly affects the business. Will a potential threat be taken down quickly, or will the intelligence be wasted due to the lack of a properly defined lifecycle?

Forrester defines business intelligence as methodologies and processes that "transform raw data into meaningful and useful information used to enable more effective strategic, tactical, and operational insights and decision-making that contribute to improved overall enterprise performance." As it happens, those three areas of insight are the same for TI; let's dive deeper into each.

Strategic TI 

Strategic intelligence focuses on long-term threats and their implications. Strategic TI also aids in evaluating attackers – focusing on their tactics and motivations rather than geographical location – to determine potential organizational impacts of those threats. High-level decision makers are typically briefed on this type of intelligence, so it's important to keep reports as clear as possible.

Operational TI 

Operational intelligence focuses on short-term threats that may require immediate mitigation, which in turn means quickly reprioritizing other initiatives. Operational visibility also helps assess who is actually being targeted and how. This helps stakeholders determine any immediate threat response actions.

Tactical TI 

Tactical intelligence focuses mainly on the exact behavior of attackers. Are they using a specific method or tool to gain access or perform lateral movement? Tactical threat intelligence tools are used by personnel engaged in active monitoring and reporting, who also need to spot the less obvious red flags.

It's best to remember that what's best for security is what's best for the business.

Threat Intelligence Use Cases

Use cases are varied and large in number. Security intelligence tools are useful in being proactive about any type of threat to the security and integrity of a business' operations and cyber strength.

  • Credential leakage: TI can aid in identifying usernames and passwords that may have been exposed to - or could be vulnerable to - exploitation by unauthorized personnel.
  • Threat mapping: TI can aid in building a dynamic asset mapping framework to track an evolving digital footprint. It can identify potential attack vectors and show where exposure may occur. Automatically correlating threat-actor intelligence to an organization's unique digital footprint is central to threat mapping.
  • Brand and fraud protection: TI can help mitigate reputational damage (learn about Digital Risk Protection), monitoring for domain spoofing and IP-address spoofing by cybercriminals that could be using your brand. TI can also monitor for valuable data being sold on the dark web, helping to defend against phishing scams while protecting IT systems and reputation.
  • Attack surface monitoring: TI can aid in identifying external-facing assets associated with known IP ranges or domain names (learn about Project Sonar). Scanning should be able to ensure full discovery, interacting with exposed endpoint services and collecting additional metadata such as SSL certificates, HTML links in HTTP responses, service banners, and more.

Read More About Threat Intelligence

Learn more about Rapid7's threat intelligence product

4 Simple Steps to an Effective Threat Intelligence Program

The Evolution of Cyber Threat Intelligence (CTI)

Threat Intelligence News: The Latest Rapid7 Blog Posts