We continue to investigate the practical use of Threat Intelligence (TI) within your security program. After tackling how to Leverage Threat Intel in Security Monitoring, we now turn our attention to Incident Response and Management. In this paper we go deep into how your existing incident response and management processes can (and should) integrate adversary analysis and other threat intelligence sources, to help narrow down the scope of your investigations.
We have also put together a snappy process map depicting how IR/M looks when you factor in external data.
To really respond faster you need to streamline investigations and make the most of your resources. That starts with an understanding of what information would interest attackers. From there you can identify potential adversaries and gather threat intelligence to anticipate their targets and tactics. With that information you can protect yourself, monitor for indicators of compromise, and streamline your response when an attack is (inevitably) successful.
You will have incidents. If you can respond to them faster and more effectively that’s a good thing, right? Integrating Threat Intel into the IR process is one way to do that.
We’d like to thank Cisco and Bit9 + Carbon Black for licensing the content in this paper. We are grateful that our clients see the value of supporting objective research to educate the industry. Without forward-looking organizations you would be on your own… or paying up to get behind the paywall of big research.
Check out the paper’s landing page, or download it directly: Leveraging Threat Intelligence in Incident Response/Management (PDF).