Questions to ask before you get your first Threat Intel data source

Anton Chuvakin (one of the leading Gartner analysts in the threat detection space) wrote a recent blog post on the key questions to ask before picking up your first threat intelligence (TI) data source.

Here is the list

  • What is my primary motivation for getting TI, such as better threat detection, improved alert triage or IR support?
  • Where do I get my first threat intel source [likely, a network indicator feed, IP/DNS/URL]?
  • How do I pick the best one(s) for me?
  • Where do I put it, into what tool?
  • How do I actually make sure it will be useful in that tool?
  • What has to happen with the intelligence data in that tool, what correlation and analysis?
  • What specifically do I match TI against, which logs, traffic, alerts?
  • What do I have to do with the results of such matching? Who will see them? How fast?
  • How do I assure that the results of matching are legitimate and useful?
  • What do I do with false or non-actionable matches?
  • How do I use intel to validate alerts produced by other tools?
  • Do I match TI to only current data or also to past log/traffic data? How far in the past do I go?
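Several of these questions (what to match TI against, how far back to look, and what to do with non-actionable matches) become concrete once you try it against real logs. The script below is an added example written for this post, not code from Anton's article or from any vendor tool. It matches a small indicator feed against proxy/DNS-style log records, honours a retrospective lookback window, and drops matches on an allowlist of known-benign indicators. The feed, the allowlist and the log lines are all constructed for the example; the `timestamp|src_ip|dst_ip|domain` log format is an assumption, not any product's real format.

```python
"""Indicator matching over log records (added example; constructed data)."""
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed indicator feed: (indicator, type, confidence 0-100).
# CIDR entries are allowed so one feed line can cover a whole hostile range.
FEED = [
    ("203.0.113.7", "ip", 80),
    ("198.51.100.0/24", "ip", 50),
    ("bad.example", "domain", 90),
    ("8.8.8.8", "ip", 30),  # noisy entry: a public resolver, almost always a false positive
]

# Constructed allowlist: indicators we have triaged as non-actionable.
# This is one answer to "what do I do with false or non-actionable matches?"
ALLOWLIST = {"8.8.8.8"}

# Constructed log lines (assumed format): timestamp|src_ip|dst_ip|domain, "-" = absent
LOGS = """\
2024-05-01T10:00:00Z|10.0.0.5|203.0.113.7|-
2024-05-01T10:05:00Z|10.0.0.9|93.184.216.34|example.com
2024-03-15T08:00:00Z|10.0.0.5|198.51.100.42|-
2024-05-01T11:00:00Z|10.0.0.12|8.8.8.8|-
2024-05-01T11:30:00Z|10.0.0.7|-|www.bad.example
"""


def load_feed(feed):
    """Split the feed into IP networks and a domain lookup table."""
    nets, domains = [], {}
    for value, kind, conf in feed:
        if kind == "ip":
            nets.append((ipaddress.ip_network(value, strict=False), value, conf))
        elif kind == "domain":
            domains[value.lower()] = conf
    return nets, domains


def parse_logs(text):
    """Parse the assumed pipe-delimited log format into dicts with aware timestamps."""
    records = []
    for line in text.splitlines():
        ts, src, dst, domain = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst, "domain": domain,
        })
    return records


def match_ip(addr, nets):
    """Return (indicator, confidence) if addr falls inside any feed network."""
    if addr == "-":
        return None
    ip = ipaddress.ip_address(addr)
    for net, raw, conf in nets:
        if ip in net:
            return raw, conf
    return None


def match_domain(name, domains):
    """Suffix match so www.bad.example hits the bad.example indicator (never the bare TLD)."""
    if name == "-":
        return None
    labels = name.lower().split(".")
    for i in range(len(labels) - 1):
        cand = ".".join(labels[i:])
        if cand in domains:
            return cand, domains[cand]
    return None


def match_logs(records, feed, allowlist, now, lookback):
    """Match records newer than now-lookback against the feed; skip allowlisted indicators."""
    nets, domains = load_feed(feed)
    cutoff = now - lookback
    hits = []
    for rec in records:
        if rec["ts"] < cutoff:
            continue  # outside the retrospective window: "how far in the past do I go?"
        candidates = []
        for field in ("src", "dst"):
            m = match_ip(rec[field], nets)
            if m:
                candidates.append((field, *m))
        m = match_domain(rec["domain"], domains)
        if m:
            candidates.append(("domain", *m))
        for field, indicator, conf in candidates:
            if indicator in allowlist or rec[field] in allowlist:
                continue  # triaged as non-actionable, do not page anyone
            hits.append({
                "ts": rec["ts"].isoformat(), "field": field, "value": rec[field],
                "indicator": indicator, "confidence": conf,
                "age_days": (now - rec["ts"]).days,
            })
    # Highest-confidence matches first, so the analyst sees the best lead at the top.
    return sorted(hits, key=lambda h: -h["confidence"])


def run_example(lookback_days, now=datetime(2024, 5, 2, tzinfo=timezone.utc)):
    """Run the constructed feed against the constructed logs with a given lookback."""
    return match_logs(parse_logs(LOGS), FEED, ALLOWLIST, now, timedelta(days=lookback_days))


if __name__ == "__main__":
    for hit in run_example(60):
        print(hit)
```

With a 60-day window the March record hits the 198.51.100.0/24 range and is reported as a 47-day-old historical match; with a 7-day window it is silently dropped, which is exactly the trade-off the last question in the list is asking you to decide on up front. The resolver hit is suppressed by the allowlist rather than by deleting it from the feed, so the decision is recorded and reviewable.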

The post is worth a read, as he has linked his earlier posts on this topic from it. Do note that the white papers he links to require GTP (Gartner for Technical Professionals) access.
