How to Employ the Threat Intelligence Lifecycle in Your SOC

The Modern Threat Landscape

In 2023, complex threats continued to proliferate across the cybersecurity industry. Some headliners included:

• The MOVEit file-transfer exploit in May that impacted more than 2,650 organizations, including some of the world’s largest institutions across finance, law, insurance, healthcare, education, and government. 
• The Okta breach in October, in which attackers compromised the credentials of an employee and gained access to a service account, resulting in the theft of all Okta’s customer support data. 

We’ve seen this story time and time again – the threat landscape isn’t slowing its expansiveness or creativity. But if you learn anything from these breaches, let it be this: no matter the size or maturity of an organization, it’s critical to implement an intelligence-driven approach to secure your internal assets so you can protect your external assets (i.e., your customers). 

Securing Your Business Like a Cybersecurity SOC

Most organizations today likely have traditional security controls in place, like firewalls, antivirus software, and threat monitoring software. If and when an attack occurs, they will likely have a plan in place to deal with its consequences – a reactive approach to security. 

If the goal is only to prevent known threats, this approach might suffice, but reactive security can leave us vulnerable to a myriad of other threats like the headliners above (e.g., zero-day vulnerabilities, advanced persistent threats) and many other complex attack vectors that can cause significant damage. We can’t just sit around and wait for an attack to hit us. The only way to remain secure is to anticipate emerging threats and adapt accordingly. 

If you’re wondering why we say “we,” it’s because our team is included. Like any other organization, we at ZeroFox have to stay vigilant against threats. And we don’t just talk the talk - we walk the walk. As a mid-sized cybersecurity SaaS vendor that went public in 2022 and protects numerous Fortune 500 customers, we can’t afford to think reactively. Our top priority is protecting our customers so that they’re better able to protect theirs. To do that, we must think proactively – outside the parameters of traditional security strategies – and ensure we, too, have a clearly-defined, intelligence-driven approach to identify and mitigate advanced threats and protect against breaches that can compromise our customers. 

How to Employ the Threat Intelligence Lifecycle

In this three-part series, we’ll walk you through how the ZeroFox Intelligence team approached each phase of building our own threat intelligence program from start to finish. You’ll find key lessons learned from our team and recommendations for implementing our guidelines for any size company. 

Part 1: The Building Blocks

The first step to building a proactive threat intelligence strategy is to mirror the threat intelligence lifecycle, beginning with planning and direction. 

Step 1: Identify Your Stakeholders 

Depending on your company’s internal structure, this may differ slightly. However, we suggest starting by identifying each line-of-business lead or program head to determine the key leaders who will help identify your organization’s intelligence requirements. 

ZEROFOX SOC TIP

Our team initiated and structured these conversations via one-on-one meetings, ensuring we allocated at least one month of open, information-seeking conversations.

Step 2: Define Your Priority Intelligence Requirements (PIRs) 

Leveraging your stakeholders, shape your internal intelligence requirements by asking specific questions to gain the right information to make informed decisions and guide your collection efforts. For example, we classified our PIRs as threats to our business, data and assets, security, and adversaries targeting organizations like ours. 

Why are PIRs important? Clearly-defined PIRs help focus threat intelligence processes and procedures and play a critical role in identifying and assessing risks. It also ensures the intelligence gathered is relevant to your organization's unique needs. Intelligence gathering can be a resource-intensive process, but defined PIRs enable your organization to allocate its resources more efficiently and ensure your security team is better equipped to foresee potential threats and opportunities.

Many organizations have already begun seeing the value in defining their PIRs, with data from SANS’ 2023 SANS CTI Survey highlighting a roughly 70% increase in respondents who had defined PIRs in 2022 versus 2023.

Source: SANS 2023 CTI Survey

ZEROFOX SOC TIP 

Keep it simple and start small. A good approach is to start with your most direct, easy-to-work-with stakeholder on the internal security team, and identify the rest from there (your IT team, engineering team, marketing team, etc.). PIRs should be updated at least quarterly and adjusted based on your organization’s needs (e.g., if IT manages an internal software review process weekly, it makes sense that your technology stack PIRs are reviewed on the same cadence).

Step 3: Define Your Intelligence Collection Sources

Once your team defines your PIRs, it’s time to identify the collection gaps and the sources that will supplement the intelligence your security platform, like ZeroFox, already collects. 

Why do we leverage third-party threat intelligence sources? Because there is not a single threat intelligence source that provides visibility into every emerging threat. Leveraging multiple threat intelligence sources can supplement your organization’s threat intelligence capabilities (according to research firm Gartner, most organizations leverage 8-15 sources).

ZEROFOX SOC TIP

Always ensure the intelligence sources your organization leverages are reputable and verifiable. We recommend funneling these intelligence products to a ticketing system (we configured the ZeroFox Platform to generate tickets that require processing and analysis before dissemination) because It's practical to have a single point to process alerts. It also simplifies SOPs, as it avoids redundant procedures for the different platforms.

Step 4: Create a Threat Intelligence Playbook 

For the last step of phase one, create a threat intelligence playbook, which defines the high-level strategy needed to implement your program, including your: 

• Objectives 
• Scope of work
• Processes (collection, processing, analysis, dissemination) 

ZEROFOX SOC TIP

Keep in mind that you'll want to meet your organization where it's at. Not all teams or departments may be ready for a full implementation and that’s okay. You can bring them along over time. Check out our threat intelligence program playbook template to help your team get started.

Taking Your Security Strategy from Reactive to Proactive

Complex threats will continue to propagate and attempt to breach organizations of all sizes and maturity. Without a proactive, intelligence-driven approach to your internal security processes, your organization may be vulnerable to advanced threats that can bypass traditional security measures, putting your reputation and customers at risk. 

We recommend implementing a clearly-defined threat intelligence process that mirrors the steps of the threat intelligence lifecycle to ensure your team has timely, actionable information to inform relevant stakeholders and protect your organization from potential threats.

Read part two of our three-part series where we share how to activate your PIRs and scale them across your organization.