Anton Chuvakin (one of the leading Gartner experts in the threat detection space) has a recent blog post on the key questions one must ask when choosing a first threat intelligence (TI) data source.
Here is the list:
- What is my primary motivation for getting TI, such as better threat detection, improved alert triage or IR support?
- Where do I get my first threat intel source [likely, a network indicator feed, IP/DNS/URL]?
- How do I pick the best one(s) for me?
- Where do I put it, into what tool?
- How do I actually make sure it will be useful in that tool?
- What has to happen with the intelligence data in that tool, what correlation and analysis?
- What specifically do I match TI against, which logs, traffic, alerts?
- What do I have to do with the results of such matching? Who will see them? How fast?
- How do I ensure that the results of matching are legitimate and useful?
- What do I do with false or non-actionable matches?
- How do I use intel to validate alerts produced by other tools?
- Do I match TI to only current data or also to past log/traffic data? How far in the past do I go?
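Several of these questions (what to match TI against, what to do with false or non-actionable matches, and how far back in time to match) only become concrete once you try it. The following is an added example, not code from Chuvakin's post or from this blog: a small matcher that runs a constructed IP/CIDR/domain indicator feed over constructed proxy-style log lines, applies a lookback window for retro-matching, and separates suppressed hits (allowlisted or low-confidence indicators) from the matches an analyst should actually see. The feed entries, log lines, confidence scores and the `NOW` timestamp are all made up for illustration.

```python
"""Added example: match a constructed TI feed against constructed log lines.
Not from Anton Chuvakin's post; feed, logs and timestamps are invented."""
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed indicator feed: value -> (type, confidence 0-100, feed name).
FEED = {
    "198.51.100.23": ("ip", 90, "feed-a"),
    "203.0.113.0/24": ("cidr", 70, "feed-a"),
    "bad.example": ("domain", 85, "feed-b"),
    "8.8.8.8": ("ip", 20, "feed-b"),  # deliberately noisy entry: a public resolver
}

# Indicators known to produce non-actionable matches (shared infrastructure, resolvers).
ALLOWLIST = {"8.8.8.8"}

# Constructed proxy log lines: "<ISO timestamp> <src ip> <dst ip> <host>".
LOGS = """2024-05-01T10:00:00Z 10.0.0.5 198.51.100.23 bad.example
2024-05-01T10:05:00Z 10.0.0.7 8.8.8.8 dns.google
2024-03-01T09:00:00Z 10.0.0.9 203.0.113.77 cdn.example
2024-05-02T12:00:00Z 10.0.0.5 192.0.2.1 updates.example
2024-05-02T12:30:00Z 10.0.0.11 203.0.113.5 sub.bad.example""".splitlines()

# Constructed "current time" so the lookback window is deterministic.
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)


def parse_line(line):
    """Split one constructed log line into a dict with a timezone-aware timestamp."""
    ts, src, dst, host = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst, "host": host}


def indicator_hits(event, feed):
    """Yield (indicator, type, confidence, feed, field) for every feed entry the event touches."""
    dst = ipaddress.ip_address(event["dst"])
    for value, (kind, conf, source) in feed.items():
        if kind == "ip" and dst == ipaddress.ip_address(value):
            yield value, kind, conf, source, "dst"
        elif kind == "cidr" and dst in ipaddress.ip_network(value):
            yield value, kind, conf, source, "dst"
        elif kind == "domain" and (event["host"] == value
                                   or event["host"].endswith("." + value)):
            yield value, kind, conf, source, "host"


def match_feed(lines, feed=FEED, allowlist=ALLOWLIST, now=None,
               lookback_days=30, min_confidence=50):
    """Match log lines against the feed.

    Returns a dict with actionable 'matches', 'suppressed' hits (with a reason),
    and a count of lines older than the lookback window (retro-matching scope).
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=lookback_days)
    result = {"matches": [], "suppressed": [], "out_of_window": 0}
    for line in lines:
        ev = parse_line(line)
        if ev["ts"] < cutoff:
            result["out_of_window"] += 1
            continue
        for value, kind, conf, source, field in indicator_hits(ev, feed):
            hit = {"ts": ev["ts"].isoformat(), "src": ev["src"], "indicator": value,
                   "type": kind, "confidence": conf, "feed": source, "field": field}
            if value in allowlist:
                hit["reason"] = "allowlisted"
                result["suppressed"].append(hit)
            elif conf < min_confidence:
                hit["reason"] = "low-confidence"
                result["suppressed"].append(hit)
            else:
                result["matches"].append(hit)
    return result


def triage_order(matches):
    """Group matches by internal source host, highest-confidence host first."""
    by_host = {}
    for m in matches:
        by_host.setdefault(m["src"], []).append(m)
    return sorted(by_host.items(),
                  key=lambda kv: -max(m["confidence"] for m in kv[1]))


if __name__ == "__main__":
    r = match_feed(LOGS, now=NOW)
    for host, hits in triage_order(r["matches"]):
        print(host, [(h["indicator"], h["confidence"], h["feed"]) for h in hits])
    print("suppressed:", len(r["suppressed"]), "out of window:", r["out_of_window"])
```

Two knobs map directly onto the questions above: `lookback_days` decides how far into past log data the feed is matched (widening it from 30 to 90 days pulls the March line into scope), and `min_confidence` together with `ALLOWLIST` decides what happens to matches that are technically correct but not actionable. Keeping suppressed hits rather than discarding them is deliberate: they are what you review when tuning the feed or deciding whether an indicator source is worth keeping.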
The post is worth a read, as he links his earlier posts on this topic from it. Do note that the white papers he links require GTP access.