11 tweets, 2 min read
Threat Intelligence. A Thread.

Threat intelligence seems, at least to me, to get maligned too much. For many years I’ve found it an immensely useful element of an enterprise security and risk program. So, some perspectives on this.

1/11
Security is a game to win, not a state you’re in. You have adversaries and you have to therefore understand their motivations and their tactics, techniques and procedures (TTPs) in the context of their goals versus your assets and objectives.

2/11
To understand that you, surely, need some information about that. Let’s call that threat intelligence. At the risk of oversimplifying, there are essentially 2 types of threat intelligence:

3/11
1. Macro threat intelligence. Information on attacker goals, capabilities & evolving TTPs. Use this to adjust defenses to make life more difficult for the adversary & shape their economics (attackers have bosses & budgets too). Aim to eliminate whole classes of attacks.

4/11
2. Micro threat intelligence. Information about specific attacks, signatures, indicators of compromise and other selectors/data. Aim to eliminate or detect/respond to specific attacks.

5/11
Information about threats, itself, is necessary but not sufficient. In both cases you need to be capable of doing something with it. For macro you need to feed it into your risk decision making process as fast as possible & increase the speed of adjusting defenses.

6/11
For micro threat intelligence you need to feed this into your defensive operations as fast as possible - in as fully automated a way as you can. Work to improve the ingest speed and coverage of this into your preventive controls and your detective sensor grid.

7/11
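As an added illustration of the automated micro-intel ingest described above (example code, not from the thread or its author): a small Python sketch that matches a constructed indicator feed against constructed telemetry lines and reports the two properties named in the tweet, ingest speed (publish-to-deploy lag) and coverage (whether any sensor in the grid can act on a given indicator type at all). The feed values, sensor names and log lines are all constructed; the hash and addresses are placeholders from reserved ranges, not real indicators.

```python
"""Micro threat-intel ingest: match indicators against telemetry and measure
coverage (can the sensor grid use each indicator?) and ingest lag."""
from datetime import datetime

# Constructed indicator feed (placeholder values, not real IoCs).
FEED = [
    {"type": "domain", "value": "update-check.example.invalid", "published": "2024-05-01T08:00:00Z"},
    {"type": "sha256", "value": "e3b0c442" + "0" * 56, "published": "2024-05-01T08:05:00Z"},
    {"type": "ipv4", "value": "203.0.113.7", "published": "2024-05-01T08:10:00Z"},
    {"type": "email", "value": "invoice@example.invalid", "published": "2024-05-01T08:12:00Z"},
]

# Constructed sensor grid: which indicator types each sensor can match on.
# No sensor here sees mail, so "email" indicators are bought but unusable.
SENSOR_GRID = {"dns_resolver": {"domain"}, "web_proxy": {"domain", "ipv4"}, "edr": {"sha256"}}

# Constructed telemetry: "<sensor>: key=value key=value ..." per line.
LOGS = [
    "dns_resolver: client=10.0.0.5 qname=update-check.example.invalid",
    "web_proxy: client=10.0.0.9 dst=198.51.100.2 host=cdn.example.invalid",
    "edr: host=ws-14 sha256=e3b0c442" + "0" * 56 + " image=svc.exe",
    "web_proxy: client=10.0.0.5 dst=203.0.113.7 host=-",
]


def _ts(s):
    """Parse the feed's ISO-8601 'Z' timestamps (works on Python 3.7+)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def coverage(feed, grid):
    """Return (covered_fraction, uncovered): indicators no sensor can act on."""
    usable = set().union(*grid.values())
    uncovered = [i for i in feed if i["type"] not in usable]
    return (len(feed) - len(uncovered)) / len(feed), uncovered


def ingest_lag_seconds(feed, deployed_at):
    """Seconds from indicator publication to deployment into the sensor grid."""
    deployed = _ts(deployed_at)
    return {i["value"]: (deployed - _ts(i["published"])).total_seconds() for i in feed}


def match(logs, feed):
    """Exact-value match of indicators against each key=value field of a log line."""
    values = {i["value"]: i["type"] for i in feed}
    hits = []
    for line in logs:
        sensor, _, rest = line.partition(": ")
        for field in rest.split():
            _, _, val = field.partition("=")
            if val in values:
                hits.append((sensor, values[val], val))
    return hits
```

Tracking the two numbers over time (lag trending down, uncovered list trending empty) is what "improve the ingest speed and coverage" looks like as a measurable operations goal.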
Responding to macro has superior results, but is harder and so sometimes you can only handle and respond to micro. As with any intelligence process you will generate new/synthesized intelligence - feeding that into an appropriate information sharing organization is useful.

8/11
Where threat intelligence gets maligned is, I think, due to a lack of an organization’s capability to process it (perhaps fueled by over-marketing of what it can do - by vendors or pundits). If you buy something or consume some capability you have to be equipped to use it.

9/11
There’s no point buying some feed if you can't do anything with it. Like supply & demand - different sources of intel (shared/private/government) drive different demand pull. Handling capabilities (people, automation, frameworks) drive different supply needs.

10/11
Bottom line: threat intelligence is critical but you have to use it well and that means having the organizational capability to do that. Grow capability (tooling and people) in balance with what you need to consume - think supply/demand.

Move fast.

11/11
Thread by Phil Venables