Questions to ask before you get your first Threat Intel data source

Anton Chuvakin (one of the leading Gartner experts in the Threat Detection space) had a recent blog post on some of the key questions one must ask while identifying the first threat Intel data source. 

Here is the list

  • What is the my primary motivation for getting TI, such as better threat detection, improved alert triage or IR support?
  • Where do I get my first threat intel source [likely, a network indicator feed, IP/DNS/URL]?
  • How do I pick the best one(s) for me?
  • Where do I put it, into what tool?
  • How do I actually make sure it will be useful in that tool?
  • What has to happen with the intelligence data in that tool, what correlation and analysis?
  • What specifically do I match TI against, which logs, traffic, alerts?
  • What you have to do with the results of such matching? Who will see them? How fast?
  • How to I assure that the results of matching are legitimate and useful?
  • What do I do with false or non-actionable matches?
  • How do I use intel to validate alerts producted by other tools?
  • Do I match TI to only current data or also to past log/traffic data? How far in the past do I go?

The post is worth a read, as he has linked his earlier posts on this topic in this blog post. Do note that the white papers he has has linked requires GTP access. 


A great list of curated Threat Intel resources

A great list of curated Threat Intel resources

I recently found this Github Repo, put together by Herman Slatman, which consists of a list of very useful and curated Threat Intelligence resources.

The list is broken down into following five categories:

  • Sources
  • Formats
  • Frameworks
  • Tools
  • Research, Standards & Books

This is a great resource for anybody starting to dwell into the Threat Intelligence discovery, consumption and classification, as it is an ocean out there, and a lot of these “Indicators” can be noise.


Picture Courtesy: