Internal And External Threat Intelligence
How To Balance the Two Sources
In cybersecurity, threat intelligence covers a broad range of activities concerning collection, analysis, and dissemination of information on the current threat landscape. In terms of sourcing, the two primary types of threat intelligence are internal and external, and finding the right balance between these two can be key to not only robust but also efficient cybersecurity strategy.
Understanding Internal and External Threat Intelligence
Internal threat intelligence is the data collected from within an organization’s own networks and systems. This can include data on attempted or successful cyber attacks, system vulnerabilities, and anomalous network activity. Specifically, such data can be pulled from organization’s logs and traffic data for network-connected devices, security systems like SIEMs, IDS, and antivirus software.
External threat intelligence refers to the data collected from outside sources about past and current threats. This can include information about threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and more. This type of intelligence is provided by different products, including feeds, as well as specialized platforms and portals that accumulate large databases and allow users to search them.
Advantages of Internal Threat Intelligence
Detailed and Specific Understanding
Internal threat intelligence, being sourced from the organization’s infrastructure, provides a detailed and specific understanding of an organization’s unique threat landscape.
Real-Time and Relevant Data
Internal threat intelligence offers real-time and highly relevant data. It allows organizations to quickly identify and respond to threats that are directly impacting their systems and networks.
Historical Records
Historical records in internal threat intelligence, encompassing past alerts and network activity, offer valuable insights into potential incidents. These records also aid analysts in quickly deciding if an alert is a false positive, enhancing threat response speed and accuracy.
Advantages of External Threat Intelligence
Broader Understanding of Current Threats
Internal security systems can only identify threats that are already known. External threat intelligence offers fresh information from various sources. In the event of a possible security incident, such intelligence can provide valuable context and insights.
For instance, it can help you determine if the incident is part of a larger campaign targeting multiple organizations, or if it’s an isolated incident. It can also supply information about the threat actor’s typical behavior and tactics, which can guide your incident response strategy.
Proactive Threat Anticipation
External threat intelligence enables organizations to anticipate potential threats and vulnerabilities. By understanding the TTPs of threat actors and the latest trends in cyber attacks, security teams can proactively strengthen their defenses and be better prepared to respond to incidents.
Bringing Internal and External Threat Intellige nce Together
Use Internal Data for Baseline Security
Internal threat intelligence should be the foundation of your organization’s security strategy. This means that the data from your own networks and systems must always be analyzed and processed to continuously improve your security measures.
Leverage External Data for Threat Anticipation
External threat intelligence can be used to anticipate and prepare for threats that have not yet directly impacted your organization. Regularly review external intelligence for information about new and emerging threats and use this information to update your security measures and train your employees.
Combine Both for Incident Response
In the event of a security incident, both internal and external threat intelligence can be valuable. Internal data can help you understand the nature and scope of the incident, while external data can provide context and insights about the threat actor and their tactics.
Threat Intelligence Portal from ANY.RUN
One example of external threat intelligence is ANY.RUN’s suite of TI products that includes Feeds and Lookup.
The services provide users with access to refined data extracted from ANY.RUN sandbox’s public database of threat samples uploaded by its global community of over 400,000 cybersecurity experts. The result is an extensive repository of up-to-date information related to the latest attacks around the world.
Threat Intelligence Feeds supply a continuously updated stream of fresh indicators of compromise directly into SIEM and TIP systems in STIX format. The feeds can be integrated and used completely free of charge in the form of a demo sample.
Threat Intelligence Lookup provides users with a platform for threat investigations with a built-in search engine. Analysts can use it to search ANY.RUN’s extensive database of threat data and enrich their indicators and understanding of threats they encounter.
By submitting artifacts, such as file hashes, domains, IP addresses, TTPs, ports, registry keys, etc. (a total of over 30 ones), users can identify their context in the form of corresponding IOCs, as well as ANY.RUN sandbox sessions, where these artifacts were detected.
The service also supports combined searches, making it possible to submit a query featuring several artifacts at the same time for more refined results.
Consider the example below, where we submit a search query for a certain IP.
The service identifies it as “malicious” and as belonging to Agent Tesla. It provides a wealth of context, including ports, ASN, country of origin, files, and a list of interactive sandbox sessions that we can explore in-depth to see how this particular threat operates. Organizations can request a free trial of the service.
Conclusion
Balancing internal and external threat intelligence is crucial for a robust and efficient cybersecurity strategy. Internal threat intelligence offers detailed, specific, and real-time insights into an organization’s unique threat landscape. In contrast, external threat intelligence provides a broader understanding of current threats and enables proactive threat anticipation. By leveraging both sources, organizations can enhance their security posture and effectively respond to incidents.
About the Author
Vlad Ananin is a technical writer at ANY.RUN. With 5 years of experience in covering cybersecurity and technology, he has a passion for making complex concepts accessible to a wider audience and enjoys exploring the latest trends and developments. Vlad can be reached online at the company website https://any.run/