Prioritising threat intelligence

Steven Rogers advises steps that will allow security teams to prioritise threats based on relevant threat intelligence.

Steven Rogers, CEO, Centripetal Networks

Intelligence is available on just about anything, or even anyone, that is trying to gain access to your network, and what may already be in your network – lying in wait for the opportune moment to strike.

Firewall and anti-virus alerts fire around the clock, and in that noise security professionals struggle to separate real threats from false alarms. There is always a chance that a real, tangible threat is dismissed as a false positive; at the same time, you do not want to shut down access to systems unnecessarily. For those tasked with sorting through the alerts, there are several steps that immediately reduce their volume, allowing security teams to prioritise threats based on relevant threat intelligence.

These steps are:

1.     Begin with country blocking. The OFAC (Office of Foreign Assets Control) sanctions list is the best place to start. You can add the countries proscribed under ITAR (the International Traffic in Arms Regulations) and any others with which your country has no law-enforcement cooperation. If you have no locations, employees or customers in those regions, you can block them with little to no business risk. However, tell employees which countries are blocked, and have a documented exception process for the case where someone needs to work from one of those locations. Bear in mind that geo-blocking removes noise rather than stopping a determined attacker, who can simply route traffic through a country you have not blocked.

2.     Block high-fidelity URL-based IOCs (indicators of compromise). A malicious URL is a high-fidelity indicator: it points to a specific resource that is known to be malicious. When users reach these URLs, whether through spear-phishing or by browsing compromised sites, security tools produce intelligence matches that could simply be avoided by blocking access in the first place. Blocking these indicator types provides an immediate increase in security value.

3.     Block specific malicious domain-based IOCs (indicators of compromise). Domains are reused and resurface periodically, so keep the block list active rather than expiring entries quickly. Ensure you also block domains that look similar to the company domain: a simple misspelling, a transposed letter or a substituted character is enough to send users and their credentials somewhere you did not intend.

4.     End-user education is a key line of defence. Employee education needs to be ongoing. Employees need to know how to spot a malicious email, know when not to open an attachment, and understand that erring on the side of caution is good. We have now entered a phase where malicious actors piece together digital profiles of individuals for targeted attacks, many of which succeed. Employees need the proper education to recognise and resist these attacks.

5.     “If you see something say something.” There is a crucial decision employees have to make when they realise they might have downloaded a malicious document. Even if they are incorrect and the email is not suspicious, there needs to be a way to quickly alert the security team. Removing an employee's embarrassment factor will expedite the ability to remove or stop the threat.
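Steps 1 to 3 above can be expressed as a single ordered pre-filter that runs ahead of the alerting stack. The following is an added example written for this page, not code from the author or from Centripetal Networks; the GeoIP table, country codes, indicator lists and company domain are all constructed placeholders (RFC 5737 documentation ranges and the reserved .example TLD), not real intelligence. It shows the points the text relies on but does not spell out: URL indicators only match if the observed URL is normalised first (case, trailing dot, default port, fragment), a domain indicator should also cover every subdomain beneath it, and look-alike detection against the company domain can be done with an edit-distance check on the registrable name.

```python
"""Layered pre-filter ordered like the article's steps 1-3: country block,
high-fidelity URL IOCs, then domain IOCs and look-alike domains.
All tables below are constructed sample data, not real intelligence."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Step 1: countries to block. Placeholder ISO codes; in practice populate from OFAC/ITAR.
BLOCKED_COUNTRIES = {"XA", "XB"}

# Constructed GeoIP table: RFC 5737 documentation ranges with hypothetical country assignments.
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "XA"),
    (ipaddress.ip_network("198.51.100.0/24"), "XB"),
    (ipaddress.ip_network("192.0.2.0/24"), "GB"),
]

# Step 2: URL IOCs, stored in normalised form (see normalize_url).
URL_IOCS = {"http://cdn.evil.example/invoice.pdf.exe"}

# Step 3: domain IOCs; a match covers the domain and every subdomain of it.
DOMAIN_IOCS = {"evil.example", "c2-rotator.example"}

# The organisation's own domain, used for look-alike detection (constructed).
COMPANY_DOMAIN = "acme.example"


def country_of(ip: str) -> str | None:
    """Longest-prefix match against the GeoIP table; None when the address is unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEOIP_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def normalize_domain(host: str) -> str:
    """Lower-case and drop the trailing dot of a fully qualified name."""
    return host.lower().rstrip(".")


def normalize_url(url: str) -> str:
    """Canonicalise so trivial variants (case, trailing dot, explicit default port,
    fragment) still hit the indicator stored in URL_IOCS."""
    parts = urlsplit(url)
    host = normalize_domain(parts.hostname or "")
    default_port = {"http": 80, "https": 443}.get(parts.scheme.lower())
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))


def domain_blocked(host: str) -> str | None:
    """Return the matching IOC when the host or any parent domain is listed."""
    labels = normalize_domain(host).split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_IOCS:
            return candidate
    return None


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host: str, company: str = COMPANY_DOMAIN, max_distance: int = 2) -> bool:
    """Flag registrable names within a few edits of the company domain (typos,
    transpositions, single-character swaps). The company domain and its own
    subdomains are never flagged. Homoglyph and keyword rules would be added on top."""
    host = normalize_domain(host)
    if host == company or host.endswith("." + company):
        return False
    registrable = ".".join(host.split(".")[-2:])
    return levenshtein(registrable, company) <= max_distance


def classify(src_ip: str, url: str) -> tuple[str, str]:
    """Apply the layers in the article's order; the first hit decides."""
    cc = country_of(src_ip)
    if cc in BLOCKED_COUNTRIES:
        return "block", f"country:{cc}"
    norm = normalize_url(url)
    if norm in URL_IOCS:
        return "block", f"url-ioc:{norm}"
    host = urlsplit(norm).hostname or ""
    ioc = domain_blocked(host)
    if ioc:
        return "block", f"domain-ioc:{ioc}"
    if is_lookalike(host):
        return "block", f"lookalike:{host}"
    return "allow", "no-match"


# Constructed sample events (source IP, requested URL).
SAMPLE_EVENTS = [
    ("203.0.113.9", "https://intranet.acme.example/login"),          # blocked country
    ("192.0.2.10", "HTTP://CDN.EVIL.EXAMPLE.:80/invoice.pdf.exe#x"),  # URL IOC despite case/port/fragment
    ("192.0.2.11", "https://update.c2-rotator.example/beacon"),      # subdomain of a domain IOC
    ("192.0.2.12", "https://login.acrne.example/"),                  # look-alike of acme.example
    ("192.0.2.13", "https://mail.acme.example/owa"),                 # legitimate, allowed
]

if __name__ == "__main__":
    for ip, url in SAMPLE_EVENTS:
        verdict, reason = classify(ip, url)
        print(f"{verdict:5} {reason:48} {ip} {url}")
```

Run as-is, the script blocks the first four constructed events for the reason given in the comment and allows the fifth. The ordering matters for the alert budget: anything dropped at the country layer never reaches the indicator matching, and anything matched on a URL or domain never reaches the more expensive look-alike check.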

By implementing country blocking, high-fidelity URL-based IOC blocking and malicious domain blocking, and by educating end users and encouraging them to say something when they see something, you reduce the volume of alerts that analysts have to sift through. That reduction gives analysts the room to prioritise the real threats, which can save your organisation from infiltration.

Contributed by Steven Rogers, CEO, Centripetal Networks