How to Employ the Threat Intelligence Lifecycle in Your SOC: Scaling Your PIRs
Learning from a Real-Life SOC
In part one of this series, we highlighted notable threats from 2023 that compromised some of the most well-known software organizations, impacting millions of customers across the world. One of the key lessons learned from these breaches is that modern organizations must implement and maintain a proactive, intelligence-driven approach to internal security processes.
Like these organizations, ZeroFox is no different: as an SMB-sized SaaS cybersecurity organization, we have an obligation to protect our customers. To do that, we built an intelligence-driven approach to our internal security so that we can protect against advanced threats that can compromise our customers – and our customers’ customers.
And because our team comprises real-world security and intelligence practitioners, we’re sharing our knowledge, insights, and lessons learned, so that any organization – no matter the size or security maturity – can do the same. Although every organization is different, and there isn’t a one-size-fits-all approach, these guidelines provide a jumping-off point for security teams to then tailor to the unique needs of their specific organizations.
The Next Step in the Threat Intelligence Lifecycle: Scaling Your PIRs
In part two of this series, you’ll learn from the ZeroFox team how to activate and scale your priority intelligence requirements (PIRs) across your organization. (Check out part one to learn how to define PIRs and review steps one through four of building out your intelligence program).
Part 2: How to Activate and Scale Your PIRs
From implementing collection sources to facilitating security team daily briefs, these four steps will take you through the second part of building a proactive threat intelligence strategy.
Step 1: Implement Collection Sources
Activating your PIRs starts by implementing the data collection sources that will supplement the intelligence your security platform, like the ZeroFox Platform, already collects. These include the intelligence requirements for your organization's crown jewels, core processes, technology stack, VIP protection, and more. (Remember, there isn’t a single source of threat intelligence; according to research from Gartner, most organizations leverage 8-15 threat intelligence sources).
Once your team activates a PIR, your security platform can be used as a centralized collection and alerting point for your intelligence gathering.
ZEROFOX SOC TIP
The key is to start small and scale later accordingly. Start with the highest-priority intelligence requirements (these will be defined by your unique business needs, such as crown jewels, core processes, etc.). To avoid overwhelming your internal processes with intelligence products you might not be able to process effectively, we recommend progressively activating your intelligence requirements. Progressive activation also helps with capacity allocation.
Step 2: Map Your Standard Operating Procedures (SOPs)
All the processes described in the TI Program Playbook template provided in part one of our series (e.g., intelligence collection, processing, production, and dissemination) should have an associated SOP. SOPs ensure your security team’s responsibilities and activities are clearly defined, which helps expedite the incident management and response process by enabling your SOC to react more efficiently and effectively. The main steps of creating SOPs are:
- Identify the processes that require an SOP.
- Establish an SOP reviewing process.
- Collect necessary data for your SOPs.
- Write the workflow and publish SOPs.
- Maintain and update SOPs regularly.
ZEROFOX SOC TIP
We recommend reviewing and updating your SOPs on a quarterly basis or sooner if a process gap is identified. This will help improve your team’s response times, especially during incidents.
Step 3: Deliver a Daily TI Bulletin
Implement a TI bulletin, a daily email detailing important threat intelligence news or recent activity your security team can consume to help keep them up-to-date with external threat landscape activity. This can include:
- Newly published vulnerabilities relevant to the company.
- New and trending threat actor campaigns.
- Observed ransomware activity.
- Cybersecurity trends.
- New IoCs and TTPs.
- High-relevance TI alerts.
- Cyber threat landscape news.
Some of the trusted sources our team collects information from include:
- CISA Known Exploited Vulnerabilities Catalog
- CISA Cybersecurity Advisories
- NIST National Vulnerability Database
- ENISA Newsletter
- ZeroFox Daily Intelligence Brief
- Technology providers’ security bulletins
- Reputable cybersecurity newsletters (such as SANS, The Hacker News, and DARKReading)
ZEROFOX SOC TIP
We recommend automating the delivery of the daily bulletins using an RSS feed reader. Bulletins should ideally be delivered on weekdays, as early as possible in the morning, so they can be discussed in daily stand-ups (if applicable).
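As an added example (not ZeroFox's code, and not the real feeds of the sources listed above), the script below shows the core of such an automated bulletin: it parses an RSS feed, matches each item against keyword lists derived from your PIRs (tech stack, crown jewels), flags items that mention active exploitation, and renders the result grouped by PIR. The feed content, PIR names and keywords are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample feed: stands in for a real advisory/vulnerability feed.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Sample Advisory Feed</title>
<item><title>Critical flaw in ExampleVPN appliance</title>
<link>https://feed.example.invalid/adv/1</link>
<description>Vendor patch available. Reported as actively exploited.</description></item>
<item><title>Phishing campaign abuses cloud storage sharing links</title>
<link>https://feed.example.invalid/adv/2</link>
<description>Campaign targets finance staff with fake invoices.</description></item>
<item><title>Kubernetes ingress controller update fixes auth bypass</title>
<link>https://feed.example.invalid/adv/3</link>
<description>Affects versions before 1.9 (placeholder).</description></item>
</channel></rss>"""

# Constructed PIR keyword map: each PIR lists terms drawn from the tech stack
# or crown jewels it covers; real PIRs come from your own program playbook.
PIRS = {
    "PIR-1 Tech stack exposure": ["kubernetes", "examplevpn"],
    "PIR-2 Phishing against staff": ["phishing"],
}

def parse_rss(xml_text):
    """Return a list of dicts (title, link, summary) for every <item> in the feed."""
    root = ET.fromstring(xml_text)
    return [{"title": i.findtext("title", ""), "link": i.findtext("link", ""),
             "summary": i.findtext("description", "")} for i in root.iter("item")]

def match_pirs(items, pirs):
    """Group items under every PIR whose keywords appear; de-duplicate by link."""
    grouped, seen = defaultdict(list), set()
    for item in items:
        if item["link"] in seen:
            continue
        seen.add(item["link"])
        text = (item["title"] + " " + item["summary"]).lower()
        item["exploited"] = "exploit" in text  # high-relevance marker for the SOC
        for pir, terms in pirs.items():
            if any(t in text for t in terms):
                grouped[pir].append(item)
    return dict(grouped)

def render_bulletin(grouped):
    """Render the grouped items as the plain-text body of a daily TI bulletin."""
    lines = ["Daily TI Bulletin"]
    for pir in sorted(grouped):
        lines.append(f"== {pir} ==")
        for item in grouped[pir]:
            flag = "[ACTIVELY EXPLOITED] " if item["exploited"] else ""
            lines.append(f"- {flag}{item['title']} ({item['link']})")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_bulletin(match_pirs(parse_rss(SAMPLE_FEED), PIRS)))
```

In a deployment, the feed text would be fetched from each subscribed source on a weekday schedule and the rendered body sent by email before the stand-up.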
Step 4: Security Team Daily Brief
As a last step to activating and scaling your PIRs across your organization, your team should leverage security team briefs – more granular intelligence reports delivered and discussed on a daily basis with your security team. This daily brief includes intel topics that are relevant to your daily security operations. For the ZeroFox team, our topics can include:
- TechStack Intel
- Domain Protection
- 3rd Party Risk
- TI Bulletin Discussion
- RFI (On-Demand Intel)
- Threat Actor Activity
If your resources allow, we recommend implementing both the TI bulletin and the TI daily brief. The TI bulletin delivers more general (i.e., operational) intelligence about the cyber threat landscape, and the TI daily brief delivers more targeted (i.e., tactical) intelligence, tailored specifically to your security team’s requirements.
ZEROFOX SOC TIP
Daily briefs can be structured as a presentation, email, or short documented report tailored for the specific requirements of your security team. The ZeroFox team leverages a one-page slide that requires no more than five minutes to present. We then have an open discussion about the topics and generate additional actions accordingly (such as alerts triggered, additional triaging, RFI requests, etc.).
Taking Your Security Strategy from Reactive to Proactive
Developing and activating priority intelligence requirements is the cornerstone of any effective threat intelligence program – internal or external. PIRs allow threat intelligence teams to focus on the most critical issues, topics, and threats for their specific organization. Though each team will have unique needs that define their PIRs, what’s most important is that the final product reflects the right approach for your specific organization.
Stay tuned for the conclusion of this three-part blog series, where we’ll share how to scale your threat intelligence analyst team and construct metrics to assess the effectiveness of your TI program.