In order to respond effectively to the rapid growth of emerging and increasingly sophisticated threats, it is important that organisations have an effective strategy around threat intelligence management. The framework proposed by McAfee (part of Intel Security) follows a layered approach.
Global level intelligence sits firmly at the top. This threat intelligence is often not real time and by definition cannot be relied upon when protecting against Zero Day threats. However, global intelligence is very valuable around identifying the vast majority of commodity signature based threats. Global intelligence feeds such as GTI (Global Threat Intelligence), a service provided by McAfee; or similar services shouldn’t be relied upon in isolation. This is due to the wide range of indicators of compromise that may or may not be locally relevant. This lack of local relevance may also lead to false positives.
Some organisations may choose to subscribe to more industry focused community and third party intelligence feeds. For instance, financial services organisations may choose to subscribe to the likes of FS-ISAC and in the case of federal and public sector, GovCert may be playing a part. Other organisations may choose open source providers such as Hail A Taxii or other similar alternatives. While industry vertical-focused or third party providers are valuable and may provide more targeted threat intelligence, the indicators of compromise may still not be as relevant to specific organisations.
According to Verizon’s 2016 Data Breach Investigations Report 70-80% of threat samples that an organisation receives, are unique to that institution. This number has progressively increased in the last few years. This increase, validates the view that sophisticated and more advanced threats are targeted and arhcitected around the specific vulnerability profile of individual organisations. This changing threat landscape, highlights the importance of relevant, real-time and local intelligence gathered from local context aware sensors.
Therefore local threat information, complemented by community and global information sources as part of an actionable intelligence funnel framework is a vital component of any layered defence strategy.