Expert Interview: Leveraging Threat Intelligence for Better Incident Response
Incident response (IR) is an important component of any cybersecurity program. When responding to incidents, your goal is to respond as quickly as possible in the most organized way to minimize negative impact and prevent chaos.
In theory, threat intelligence is useful for IR; in practice, most companies run into difficulties when they try to integrate it into the IR process. Most of these challenges stem from a lack of knowledge and strategy.
To dispel some of the mist surrounding the subject of threat intelligence, we asked Security Researcher Dimitar Kostadinov to interview Mr. Jonathan Couch, Senior Vice President of Strategy at ThreatQuotient. Mr. Couch is a leading expert with more than 20 years of experience in the IR field.
1. What Are the Most Important Aspects of Threat Intelligence?
Couch: It really depends on your organizational maturity (capacity/resources) and functional maturity (processes/capability) as to what is the most important. Overall, however, threat intelligence can focus your organization so you’re looking for and blocking the “right” stuff vs. trying to fight every battle out there. It also supports remediation and incident response investigations by understanding threats and how the adversary is operating. The goal is to leverage threat intelligence and use limited resources more effectively and efficiently. Threat Intelligence doesn’t solve all your problems: it isn’t a silver bullet. It can help you to identify and respond to key threats to your organization, and it can help you to communicate better with your executives.
Kostadinov: According to the SANS State of Cyber Threat Intelligence Survey, 73% of respondents felt they could make better and more informed decisions by using threat intelligence, and 71% reported improved visibility into threats directly attributed to the application of threat intelligence.
Other reported benefits include: faster response times and more accurate results (58%), detection of deeply buried threats (53%), and fewer data breaches (48%).
In another study by Ponemon Institute, 78% of respondents confirmed threat intelligence is an indispensable component of a strong security posture. At the same time, 70% of respondents described this security approach as “too voluminous and/or complex to provide actionable intelligence.”
2. What Did Incident Response Look Like Before & After Implementing Threat Intelligence?
Couch: Before threat intelligence, incident response teams were working in their own “bubbles” where each investigation involved scoping and remediation based primarily on the knowledge and experience of team members. IR teams had to look for signs of anomalies on the network and reverse engineer the code they found to figure out how the malware operates and where the adversary campaign may have penetrated the enterprise. Very little was shared and there weren’t many external resources (apart from relationships within the security community) that IR teams could leverage when trying to scope and remediate.
After implementation of threat intelligence, IR teams have a resource to quickly identify who/what might be attacking them, how it operates, what campaigns it might be a part of, and where else to look (and what to look for) on the network. Threat intelligence can provide forensic leads, while the investigation can help with identification, scoping and remediation.
Kostadinov: Traditionally, cyber threat intelligence (CTI) was used for cybersecurity at a tactical level, but more and more companies are plugging CTI into incident response as a mechanism that works at both a strategic and operational level.
Operational threat intelligence would narrow down the top threats, which will in turn allow analysts to adopt the most appropriate techniques, tactics and procedures (TTPs) to counteract them. These TTPs are described in detail in incident responder workflows so defenders can act upon them easily if the identified threats become reality.
The SANS State of Cyber Threat Intelligence Survey study states that nearly half of all respondents use threat intelligence to provide more context and depth in cyber forensic investigations. It seems this is another area in which threat intelligence could contribute considerably.
3. What Else Should Our Readers Know About Threat Intelligence?
Couch: Many IR teams are now taking on the hunt mission: proactively searching for signs of threats on the network that may have made it past network defenses. Threat intelligence fuels this process of what is known about relevant threats so IR teams can quickly perform searches of their network for indicators of compromise. Prior to the advent of threat intelligence, IR teams couldn’t effectively search the network for signs of breaches because they only knew what they had seen in the past: they weren’t being informed of the latest and greatest of attacks going on in the world.
Kostadinov: About 28% of the participants in the SANS State of Cyber Threat Intelligence Survey appear to use threat intelligence for hunting, and its application in this area is growing in popularity given its value.
When the security team detects an anomaly, it usually classifies it as an “event of interest.” Once the threat becomes an incident, operational threat intelligence could provide more clarity about the nature of the threat (e.g., how it propagates) and probable wrongdoers (e.g., their capabilities and motives). Armed with this information, incident responders have better chances to reduce the possibility of cyber-induced damage.
Better understanding your own IT environment, the cyber attacks that happen around it, and extrapolating insights from the data surrounding these attacks is where threat intelligence excels. Simply put, threat intelligence helps companies understand why they are under attack, as well as the capabilities of criminals involved. As one author wrote: “The role of threat intelligence is to reduce operational, strategic and tactical surprise.” Moreover, it can be utilized in virtually every aspect of a security program and critical decision-making process. Threat intelligence is simply a critical component of any security posture.
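The hunt workflow Couch describes (search the network for known indicators, then use the intelligence behind each hit to understand the campaign and decide where else to look) is illustrated below with an added example. It is not code from the interview, from ThreatQuotient or from any product: the indicator records, the key=value log lines, the field names (`dst_ip`, `query`, `sha256`) and the campaign labels are all constructed for the illustration, using documentation IP ranges and a test hash. The example matches exact values and CIDR ranges, drops low-confidence indicators so the hunt focuses on the "right" stuff, and groups the hits by campaign to scope which hosts need a closer look.

```python
"""Hunt log lines for threat-intelligence indicators and attach the intel context.

Added example: all indicators and log lines are constructed (hypothetical)
and the field names are assumptions, not a real feed or sensor format.
"""
import ipaddress
from collections import defaultdict

# Constructed indicator records, shaped like a minimal platform export.
# Values are documentation ranges (RFC 5737), an example.net name and the
# SHA-256 of the empty string; none of them come from a real feed.
INTEL = [
    {"type": "ipv4", "value": "203.0.113.45", "campaign": "campaign-A",
     "ttp": "HTTPS beaconing to C2", "confidence": 85},
    {"type": "ipv4-cidr", "value": "198.51.100.0/24", "campaign": "campaign-A",
     "ttp": "staging infrastructure", "confidence": 60},
    {"type": "domain", "value": "update-check.example.net", "campaign": "campaign-B",
     "ttp": "DNS resolution of dropper domain", "confidence": 90},
    {"type": "sha256",
     "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "campaign": "campaign-B", "ttp": "loader executed from user profile", "confidence": 40},
]

# Constructed key=value events (firewall, DNS and endpoint style), one per line.
SAMPLE_LOGS = [
    "ts=2017-03-01T10:01:12Z sensor=fw host=ws-17 src_ip=10.0.0.12 dst_ip=203.0.113.45 dport=443",
    "ts=2017-03-01T10:02:40Z sensor=dns host=ws-22 query=update-check.example.net rcode=NOERROR",
    "ts=2017-03-01T10:03:05Z sensor=fw host=srv-db src_ip=10.0.0.5 dst_ip=10.0.0.6 dport=5432",
    "ts=2017-03-01T10:04:51Z sensor=edr host=ws-09 proc=svc.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "ts=2017-03-01T10:05:17Z sensor=fw host=ws-31 src_ip=10.0.0.40 dst_ip=198.51.100.77 dport=8080",
]

# Which log field is compared against which indicator type (assumed mapping).
FIELD_TYPES = {"src_ip": "ipv4", "dst_ip": "ipv4", "query": "domain", "sha256": "sha256"}


def parse_kv(line):
    """Parse 'key=value' tokens into a dict; tokens without '=' are ignored."""
    event = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def build_index(intel):
    """Split indicators into an exact-match table and a list of CIDR networks."""
    exact = defaultdict(list)   # (type, normalised value) -> indicator records
    networks = []               # (ip_network, record) for range indicators
    for rec in intel:
        if rec["type"] == "ipv4-cidr":
            networks.append((ipaddress.ip_network(rec["value"]), rec))
        else:
            exact[(rec["type"], rec["value"].lower())].append(rec)
    return exact, networks


def lookup(kind, value, exact, networks):
    """Return every indicator record matching one observed value."""
    records = list(exact.get((kind, value.lower()), []))
    if kind == "ipv4":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:          # malformed address in the log: no range match
            return records
        records.extend(rec for net, rec in networks if ip in net)
    return records


def hunt(logs, intel, min_confidence=50):
    """Match each event against the indicators and return enriched hits.

    Indicators below min_confidence are skipped so the hunt is not flooded
    by low-quality feed entries.
    """
    exact, networks = build_index(intel)
    hits = []
    for line in logs:
        event = parse_kv(line)
        for field, kind in FIELD_TYPES.items():
            if field not in event:
                continue
            for rec in lookup(kind, event[field], exact, networks):
                if rec["confidence"] < min_confidence:
                    continue
                hits.append({"host": event.get("host", "?"), "field": field,
                             "indicator": rec["value"], "campaign": rec["campaign"],
                             "ttp": rec["ttp"], "confidence": rec["confidence"],
                             "line": line})
    return hits


def scope_by_campaign(hits):
    """Group the hosts seen per campaign: the 'where else to look' list."""
    scope = defaultdict(set)
    for hit in hits:
        scope[hit["campaign"]].add(hit["host"])
    return {campaign: sorted(hosts) for campaign, hosts in scope.items()}


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS, INTEL)
    for hit in found:
        print(f"{hit['host']}: {hit['field']}={hit['indicator']} "
              f"-> {hit['campaign']} ({hit['ttp']}, confidence {hit['confidence']})")
    print("scope:", scope_by_campaign(found))
```

With the default threshold the low-confidence hash indicator is ignored, so the hunt reports three hits and scopes campaign-A to ws-17 and ws-31; lowering `min_confidence` to 0 adds the ws-09 process hit to campaign-B, which is the trade-off between coverage and the "too voluminous" problem the survey respondents describe.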
- Brown, R. (2016). The State of Cyber Threat Intelligence.
- Ismail, N. (2017). A Threat Intelligence Program: The Challenges and Advantages.
- Meyer, A. (2016). Using Cyber Threat Intelligence to Support Incident Response.
- NTT Security (2016). Threat Intelligence and Incident Response: What Not to Do #WarStoryWednesday.
- Ponemon Institute (2016). The Value of Threat Intelligence: A Study of North American & United Kingdom Companies.
- RFSID (2017). Beyond Feeds: A Deep Dive Into Threat Intelligence Sources.
- SANS Institute (2016). The SANS State of Cyber Threat Intelligence Survey: CTI Important and Maturing.