The Sweet Spot of Threat Intelligence

[Figure: the Sweet Spot of Threat Intelligence]

Threat intelligence is most effective when it can be incorporated into your proactive defenses; in other words, when it tells you which defenses to shore up to prevent attacks before they happen. So what are the critical pieces of information that make this possible?

  • Threats – The threat intelligence itself: information on the actors, campaigns, TTPs and exploit targets in use.
  • Vulnerabilities – The vulnerabilities, weaknesses and misconfigurations exploited in the attacks the threat intel describes.
  • Assets – Your IT assets (servers, laptops, workstations, devices, applications, etc.) and the business missions they support.

Any one of these datasets by itself is of limited use, and so is any pair. The intersection of Threats and Vulnerabilities shows you which threats are active and which vulnerabilities they exploit, but not how relevant they are to your organization, because you don't know whether you own any assets that are actually exploitable. The intersection of Vulnerabilities and Assets is the typical scanner report: a long list of assets, each with a pile of vulnerabilities to remediate, and no way to prioritize among them without knowing which ones active threats are exploiting. The intersection of Threats and Assets tells you which assets a threat has affected, but by the time you can see that, the assets may already have been compromised.

Thus the Sweet Spot lies at the intersection of these three datasets — the active threats that are out there, what vulnerabilities they exploit, and which of your assets are exposed to those vulnerabilities. This will enable you to take early action to prevent attacks by focusing on and remediating the most mission critical assets with the vulnerabilities that are most targeted for exploit based on the threats that you are most susceptible to.
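The join described above, worked through in code. This is an added example and not code from the original post: the threat names, vulnerability IDs (VULN-xxxx placeholders, not real CVE numbers), hostnames, activity levels and criticality scores are all constructed, and the scoring formula (criticality times the activity of the strongest threat exploiting the finding) is an illustrative assumption rather than an established standard. It also computes the two pairwise views so you can see what each one misses.

```python
"""Join threat intel, vulnerability data and asset inventory to find the
"sweet spot": actively exploited vulnerabilities that are present on assets
you own, ranked by mission criticality.

Added example, not code from the original post. Every threat, vulnerability
ID, host and score below is constructed for illustration; the scoring
formula is an assumption, not an established standard.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str           # actor or campaign name (constructed)
    exploits: frozenset  # vulnerability IDs the intel ties to this threat
    activity: int       # assumed 1..3 scale of how actively it is being used


@dataclass(frozen=True)
class Asset:
    name: str
    mission: str
    criticality: int    # assumed 1..5 business criticality


# --- Threats: what the intel feed says is being exploited (constructed) ---
THREATS = [
    Threat("campaign-alpha", frozenset({"VULN-1001", "VULN-1002"}), activity=3),
    Threat("campaign-beta", frozenset({"VULN-1003"}), activity=2),
    Threat("campaign-gamma", frozenset({"VULN-1004"}), activity=1),
]

# --- Vulnerabilities: scanner output, asset -> open findings (constructed) ---
ASSET_VULNS = {
    "web-01": {"VULN-1001", "VULN-1005"},
    "db-01": {"VULN-1003", "VULN-1005"},
    "kiosk-07": {"VULN-1001", "VULN-1003"},
    "lab-03": {"VULN-1005"},
}

# --- Assets: inventory with the business mission each supports (constructed) ---
ASSETS = {
    "web-01": Asset("web-01", "customer portal", criticality=4),
    "db-01": Asset("db-01", "customer portal", criticality=5),
    "kiosk-07": Asset("kiosk-07", "lobby signage", criticality=1),
    "lab-03": Asset("lab-03", "test lab", criticality=2),
}


def threats_by_vuln(threats):
    """Threats x Vulnerabilities: which threats exploit each vulnerability.
    Tells you what is being targeted, not whether you are exposed."""
    index = defaultdict(set)
    for t in threats:
        for v in t.exploits:
            index[v].add(t)
    return index


def assets_by_vuln(asset_vulns):
    """Vulnerabilities x Assets: the scanner view. Long list, no threat context."""
    index = defaultdict(set)
    for asset, vulns in asset_vulns.items():
        for v in vulns:
            index[v].add(asset)
    return index


def sweet_spot(threats, asset_vulns, assets):
    """Threats x Vulnerabilities x Assets: open findings that an active threat
    is known to exploit, scored by mission criticality and threat activity.
    Returns (score, asset, vuln, sorted threat names) tuples, highest first."""
    by_vuln = threats_by_vuln(threats)
    findings = []
    for asset_name, open_vulns in asset_vulns.items():
        asset = assets[asset_name]
        for v in open_vulns:
            active = by_vuln.get(v)
            if not active:  # nobody is known to exploit it: not in the sweet spot
                continue
            # Assumed formula: criticality weighted by the strongest active threat.
            score = asset.criticality * max(t.activity for t in active)
            findings.append((score, asset_name, v, sorted(t.name for t in active)))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))


if __name__ == "__main__":
    targeted = set(threats_by_vuln(THREATS))
    present = set(assets_by_vuln(ASSET_VULNS))
    # Intel alone: exploited in the wild, but no asset of ours has it.
    print("targeted but not present:", sorted(targeted - present))
    # Scanner alone: on many hosts, but no known threat is using it.
    print("present but not targeted:", sorted(present - targeted))
    for score, asset, vuln, names in sweet_spot(THREATS, ASSET_VULNS, ASSETS):
        print(f"{score:>2}  {asset:<9} {vuln}  {','.join(names)}")
```

Run as a script, it lists VULN-1002 and VULN-1004 as targeted but absent from the estate, VULN-1005 as widespread but untargeted, and ranks the four findings that sit in all three sets, with the customer-portal hosts at the top and the lobby kiosk at the bottom. In practice the three inputs come from your intel platform, vulnerability scanner and CMDB respectively, and the hard part is keeping the vulnerability identifiers consistent across them so the join actually matches.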