A Guide to Threat Intelligence Sources
August 28, 2020
Access to timely cyberthreat intelligence is a critical defense strategy in our dynamic threat landscape. There are myriad sources delivering a staggering amount of information. But the goal of a threat intelligence program is NOT to manage a ton of data. It’s to create a program that is both manageable and effective for your organization. That means you need to limit your sources of threat intelligence. So, which do you choose?
When selecting your sources, ask yourself two questions:
- Will this information provide me with actionable intelligence relevant to my organization’s sector, region, and/or infrastructure?
- Will this information provide me with valuable information to build our long-term knowledge base and strategy?
If you can’t answer yes to either one of these questions for a given source, you might want to remove that source from your list.
There are four main categories of threat intelligence sources that you can choose from: critical vendors, government agencies, public sources, and private sources. Here are some of our favorites within each category.
Your infrastructure is built from products and technologies supplied by your critical vendors. If you’re paying for a service or have purchased a product, chances are you’re going to be included in their private intelligence feeds at no additional cost. Because this information is specific to your infrastructure, it can be a great resource. Some of these vendors also provide public-facing threads. Here are a few we like:
- Krebsonsecurity.com - This is a great source for leadership and other managers just getting introduced to cybersecurity. It’s an investigative journalist blog that is easy to read and covers some of the best stories of the day.
- DarkReading.com - This is a great community forum from Information Week. It’s a source of instant and actionable threat intelligence, as well as information for building your knowledge base.
- SANS Internet Storm Center - There is a wealth of information here including a library that can help you build your knowledge base. A daily podcast is also available that provides up-to-date alerts and intelligence.
- Curated Twitter feed - Twitter can be an excellent source for real-time threat intelligence. Build a list of security professionals to follow and check in on it once or twice a day. Not sure who to follow? Reach out to security professionals you know and see who they follow. Or check out RSA’s list of Top 25 #infosec leaders to follow on Twitter.
As the importance of threat intelligence has increased, many vendors and service providers are now offering this type of service. For example, Tyler Cybersecurity clients receive a daily threat briefing that provides a snapshot of the most important security news of the day.
Information-sharing and analysis centers (ISACs) are also a great source for threat intelligence. They are sector-based, member-driven organizations that “collect, analyze and disseminate actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency.” You can find them all at https://www.nationalisacs.org/. If you’re just getting started with threat intelligence, you may want to consider subscribing to a relevant ISAC feed. It will give you a big head start compared with starting from scratch. The Multi-State Information Sharing and Analysis Center (MS-ISAC) is best suited for the public sector.
Bottom line … you want to find the sources that best fit your organization and focus your energy on those. Many smaller organizations will not have the resources to devote a full-time resource to this function; instead, it will be an added responsibility for an existing employee or two, who most likely already have a full plate. You don’t want to cause undue burden because (A) the person will quickly grow upset and (B) you won’t benefit from the intended value of the program. This has to be a valuable function. It can’t just be a check box. It needs to be something that provides value to your organization. Start small and build from there.