Leveraging Threat Intelligence in Incident Response/Management

By Mike Rothman
We continue to investigate the practical uses of threat intelligence (TI) within your security program. After tackling how to Leverage Threat Intel in Security Monitoring, now we turn our attention to Incident Response and Management. In this paper, we go into depth on how your existing incident response and management processes can (and should) integrate adversary analysis and other threat intelligence sources to help narrow down the scope of your investigation.
We’ve also put together a snappy process map depicting how IR/M looks when you factor in external data as well.
To really respond faster you need to streamline investigations and make the most of your resources. That starts with an understanding of what information would interest attackers. From there you can identify potential adversaries and gather threat intelligence to anticipate their targets and tactics. With that information you can protect yourself, monitor for indicators of compromise, and streamline your response when an attack is (inevitably) successful.
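The narrowing step described above, matching observed activity against adversary-attributed indicators so the responder starts from a short list of hosts and tactics rather than the whole network, as an added example that is not from the Securosis paper or any vendor mentioned here. The feed entries, adversary names, tactic labels and log lines are all constructed placeholders, not real indicators.

```python
"""Added example (not from the original paper): enrich firewall and proxy
log lines with a threat-intel feed and group the hits by adversary so the
incident scope is limited to the hosts and tactics actually observed."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Indicator:
    value: str        # the observable (IP or hostname)
    kind: str         # "ip" or "domain"
    adversary: str    # constructed attribution label from the feed
    tactic: str       # constructed tactic label from the feed
    confidence: int   # 0-100, as supplied by the feed


# Constructed feed; documentation-range addresses, not real IoCs.
TI_FEED = [
    Indicator("203.0.113.7", "ip", "GroupA", "command-and-control", 90),
    Indicator("updates.example.net", "domain", "GroupA", "delivery", 70),
    Indicator("198.51.100.23", "ip", "GroupB", "exfiltration", 80),
]

# Constructed syslog-style lines; 10.x addresses are the internal hosts.
SAMPLE_LOGS = [
    "2015-02-10T10:01:02 fw01 ALLOW src=10.1.4.22 dst=203.0.113.7 dport=443",
    "2015-02-10T10:02:15 proxy01 GET host=updates.example.net client=10.1.4.22",
    "2015-02-10T10:05:40 fw01 ALLOW src=10.1.7.9 dst=192.0.2.5 dport=80",
    "2015-02-10T10:09:01 fw01 ALLOW src=10.1.4.31 dst=198.51.100.23 dport=443",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"host=([\w.-]+)")
INTERNAL_RE = re.compile(r"(?:src|client)=(10\.\d+\.\d+\.\d+)")


def index_feed(feed):
    """Build an exact-match lookup table keyed on the indicator value."""
    return {ind.value: ind for ind in feed}


def match_logs(logs, feed):
    """Return one hit per (log line, matched indicator) with the internal host."""
    idx = index_feed(feed)
    hits = []
    for line in logs:
        observables = set(IP_RE.findall(line)) | set(HOST_RE.findall(line))
        for obs in observables:
            ind = idx.get(obs)
            if ind is None:
                continue
            m = INTERNAL_RE.search(line)
            hits.append({
                "host": m.group(1) if m else None,
                "indicator": ind,
                "line": line,
            })
    return hits


def scope_by_adversary(hits):
    """Collapse hits into an investigation scope: per adversary, which internal
    hosts touched its infrastructure, which tactics were seen, and the highest
    feed confidence behind the match."""
    scope = {}
    for h in hits:
        ind = h["indicator"]
        entry = scope.setdefault(
            ind.adversary, {"hosts": set(), "tactics": set(), "max_confidence": 0}
        )
        entry["hosts"].add(h["host"])
        entry["tactics"].add(ind.tactic)
        entry["max_confidence"] = max(entry["max_confidence"], ind.confidence)
    return scope


if __name__ == "__main__":
    for adversary, entry in scope_by_adversary(match_logs(SAMPLE_LOGS, TI_FEED)).items():
        print(adversary, sorted(entry["hosts"]), sorted(entry["tactics"]),
              entry["max_confidence"])
```

Grouping by adversary is what turns a list of alerts into a scope: two hosts talking to GroupA infrastructure with both a delivery and a command-and-control indicator suggests one campaign to chase first, while the lone GroupB exfiltration hit is a separate thread. In practice the exact-match table would be replaced by the feed's own matching rules (CIDR ranges, domain suffixes, hashes), but the enrichment and grouping steps stay the same.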
You will have incidents. If you can respond to them faster and more effectively, that’s a good thing, right? We believe integrating Threat Intel into the IR process is a way to do that.
We’d like to thank Cisco, Bit9+Carbon Black, and Intel Security/McAfee for licensing the content in this paper. We’re grateful that our clients see the value of supporting objective research to educate the industry. Without these forward-looking organizations, you’d be on your own… or paying up to get behind the paywall of big research.