Cyber threat intelligence and other contextual information are integrated into the analysis
Internal telemetry tells you what is happening in your environment; threat intelligence tells you what attackers are doing everywhere else. Integrating threat intelligence into adverse event analysis allows you to recognize known attack infrastructure, correlate internal events against global campaigns, and prioritize response based on what is known about a threat actor's capabilities and objectives. Organizations without threat intelligence operate reactively, relying only on what they have personally observed.
Implementation steps
1. Subscribe to and ingest threat intelligence feeds
Identify threat intelligence sources appropriate for your industry and threat model: commercial feeds from providers like Recorded Future or CrowdStrike, open-source feeds like AlienVault OTX, MISP sharing communities, and government/ISAC feeds for your sector. Ingest these feeds into your SIEM or threat intelligence platform and keep them current. Stale threat intelligence is worse than none because it generates false confidence.
Tools: recorded-future, crowdstrike-falcon-intel, alienvault-otx, misp, mandiant
2. Automatically enrich security events with threat intelligence
Configure your SIEM and SOAR to automatically check indicators from security events against threat intelligence: IP addresses, domain names, file hashes, URLs, and email addresses. When a match is found, enrich the alert with context about what is known: this IP is associated with the Lazarus Group, this domain is known phishing infrastructure, this hash matches ransomware. This enrichment significantly reduces investigation time.
Tools: splunk, microsoft-sentinel, palo-alto-cortex-xsoar, virustotal, recorded-future
3. Use threat intelligence for proactive threat hunting
Beyond enriching alerts, use threat intelligence proactively: when new campaigns are published, search your logs for the associated IOCs going back 90 days. Conduct threat hunting exercises focused on TTPs (tactics, techniques, and procedures) from the MITRE ATT&CK framework that are relevant to threats targeting your industry. Document and track hunt findings to close detection gaps.
Tools: splunk, elastic, microsoft-sentinel, crowdstrike
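The three steps above, as one added example that is not part of the original page: a small Python enricher that extracts indicators from constructed log lines, matches them against a constructed feed, drops feed entries older than a freshness window (step 1's stale-intel caveat), and limits the retrospective search to the 90-day lookback from step 3. The feed values, actor names and log lines are all invented for illustration.

```python
"""Added example: IOC enrichment of log events against a threat-intelligence feed."""
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible
MAX_INDICATOR_AGE = timedelta(days=30)            # feed entries older than this are treated as stale
LOOKBACK = timedelta(days=90)                      # retrospective search window (step 3)

# Constructed feed: indicator -> context. Addresses are documentation ranges, actors are placeholders.
TI_FEED = {
    "198.51.100.7": {"actor": "EXAMPLE-ACTOR-1", "desc": "C2 server",
                     "last_seen": NOW - timedelta(days=3)},
    "login-update.example": {"actor": "EXAMPLE-ACTOR-2", "desc": "phishing infrastructure",
                             "last_seen": NOW - timedelta(days=10)},
    "203.0.113.9": {"actor": "EXAMPLE-ACTOR-3", "desc": "scanner",
                    "last_seen": NOW - timedelta(days=120)},  # stale: must not enrich
}

IOC_PATTERNS = [
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),      # IPv4
    re.compile(r"\b[a-f0-9]{64}\b"),                  # SHA-256
    re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b"),  # domain (simplified)
]

def extract_indicators(line):
    """Return the set of candidate indicators (IPs, hashes, domains) found in one log line."""
    found = set()
    for pat in IOC_PATTERNS:
        found.update(pat.findall(line))
    return found

def enrich(events, feed=TI_FEED, now=NOW):
    """Return one hit dict per fresh feed match among events inside the lookback window."""
    hits = []
    for ts, line in events:
        if now - ts > LOOKBACK:
            continue  # older than the retrospective search window
        for ioc in sorted(extract_indicators(line)):
            ctx = feed.get(ioc)
            if ctx is None or now - ctx["last_seen"] > MAX_INDICATOR_AGE:
                continue  # unknown indicator, or stale intel that would only add false confidence
            hits.append({"ts": ts, "indicator": ioc, "actor": ctx["actor"], "desc": ctx["desc"], "line": line})
    return hits

# Constructed sample events: (timestamp, raw log line)
SAMPLE_EVENTS = [
    (NOW - timedelta(days=1), "proxy src=10.0.0.5 dst=198.51.100.7 url=http://198.51.100.7/beacon"),
    (NOW - timedelta(days=40), "dns client=10.0.0.9 query=login-update.example"),
    (NOW - timedelta(days=2), "fw src=203.0.113.9 dst=10.0.0.1 action=deny"),
    (NOW - timedelta(days=100), "proxy src=10.0.0.6 dst=198.51.100.7 url=http://198.51.100.7/"),
]

if __name__ == "__main__":
    for h in enrich(SAMPLE_EVENTS):
        print(f"{h['ts']:%Y-%m-%d} {h['indicator']} -> {h['actor']} ({h['desc']})")
```

Run as written it reports two hits: the fresh C2 address and the phishing domain; the stale scanner entry and the event outside the 90-day window are ignored.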
Evidence required
Threat intelligence feed subscriptions and integration
Evidence that threat intelligence feeds are subscribed to and integrated into security tooling.
- Threat intelligence platform configuration showing active feed subscriptions
- SIEM integration showing IOC enrichment for security events
- Documentation of threat intelligence sources and their update frequency
Threat hunting records
Evidence that threat intelligence is used for proactive detection activities.
- Threat hunt reports documenting hypotheses, methodology, and findings
- Retrospective IOC search results from a new threat intelligence report
- Detection gap report generated from a threat hunting exercise
Related controls
- Information is correlated from multiple sources (Adverse Event Analysis)
- A baseline of network operations and expected data flows is established and managed (Adverse Event Analysis)
- Potentially adverse events are analyzed to better understand associated activities (Adverse Event Analysis)
- The estimated impact and scope of adverse events are understood (Adverse Event Analysis)