Synopsis
Threat intelligence can be a valuable source of enrichment for detections and use cases in SOC monitoring. Not only does it provide an external perspective on threats happening in the wild, it can also give proactive early warnings that support pre-emptive responses before a threat evolves into a real incident within the organisation. That is, provided the threat intelligence is properly optimised to fit the detection planning process of the security operations team.
From the bustling marketplace of vendor-created premium threat intelligence to community-driven initiatives in open-source intelligence (OSINT), the array of available threat intelligence sources is vast and diverse. However, navigating this abundance presents a formidable challenge. It is impossible to integrate every threat intel feed into the SOC: doing so is not only commercially costly, but will also potentially generate volumes of false positives that result in analyst fatigue.
The core traits of good threat intelligence are Completeness, Accuracy, Relevance and Timeliness. Although these terms are simple to understand, achieving them can be quite challenging. They can be reached through proper planning, selection and integration of various external premium threat intel sources and OSINT via some form of threat intelligence workflow, but to go further, an internal threat source (e.g. threat-hunting outputs) should absolutely be considered as well.
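As an added illustration of the four traits (this is example code, not material from the talk or its speakers), the script below scores indicators from a constructed external feed against an equally constructed organisational profile before they are allowed to drive detections. Completeness checks required fields, Accuracy requires either a confidence threshold or corroboration by an internal threat-hunting observation, Relevance requires overlap with the organisation's sector or technology tags, and Timeliness requires a recent sighting. The field names, thresholds, feed entries and the `ORG_PROFILE` structure are all assumptions chosen for the example; the indicators use documentation address ranges and reserved example domains.

```python
"""Triage external threat-intel indicators on Completeness, Accuracy, Relevance
and Timeliness before they feed SOC detections.  Added example; all feed entries,
field names and thresholds are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

REQUIRED_FIELDS = ("indicator", "type", "source", "confidence", "last_seen")
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed organisational context: defines what "relevant" means for this SOC.
# hunt_observations stands in for the internal source (threat-hunting output).
ORG_PROFILE = {
    "sectors": {"finance"},
    "tech_stack": {"windows", "exchange", "vpn"},
    "hunt_observations": {"203.0.113.7"},
}

# Constructed feed entries (RFC 5737 documentation IPs, reserved example domains).
FEED = [
    {"indicator": "203.0.113.7", "type": "ipv4", "source": "vendor-a",
     "confidence": 40, "last_seen": "2024-05-30", "tags": ["retail"]},
    {"indicator": "198.51.100.23", "type": "ipv4", "source": "osint-list",
     "confidence": 90, "last_seen": "2023-01-15", "tags": ["finance"]},
    {"indicator": "malicious.example.net", "type": "domain", "source": "vendor-b",
     "confidence": 85, "last_seen": "2024-05-28", "tags": ["finance", "exchange"]},
    {"indicator": "bad.example.org", "type": "domain", "source": "osint-list",
     "confidence": 95},                       # no last_seen: incomplete record
    {"indicator": "192.0.2.44", "type": "ipv4", "source": "vendor-a",
     "confidence": 30, "last_seen": "2024-05-31", "tags": ["healthcare"]},
]


@dataclass
class Assessment:
    indicator: str
    complete: bool
    accurate: bool
    relevant: bool
    timely: bool
    reasons: list = field(default_factory=list)

    @property
    def usable(self) -> bool:
        # An indicator must satisfy all four traits to be promoted to detection content.
        return self.complete and self.accurate and self.relevant and self.timely


def assess(entry, org=ORG_PROFILE, now=NOW, max_age_days=30, min_confidence=70):
    """Evaluate one feed entry against the four traits and record why it failed."""
    reasons = []
    indicator = entry.get("indicator", "<unknown>")

    # Completeness: every field the detection pipeline depends on must be present.
    missing = [f for f in REQUIRED_FIELDS if f not in entry]
    complete = not missing
    if missing:
        reasons.append(f"missing fields: {missing}")

    # Accuracy: trust the vendor's confidence, or corroboration from internal hunting.
    corroborated = indicator in org["hunt_observations"]
    accurate = entry.get("confidence", 0) >= min_confidence or corroborated
    if not accurate:
        reasons.append("low confidence and no internal corroboration")

    # Relevance: overlap with our sector / technology, or seen internally already.
    tags = set(entry.get("tags", []))
    relevant = bool(tags & (org["sectors"] | org["tech_stack"])) or corroborated
    if not relevant:
        reasons.append("no overlap with organisational profile")

    # Timeliness: stale sightings generate noise rather than early warning.
    timely = False
    if "last_seen" in entry:
        last_seen = datetime.strptime(entry["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        age = (now - last_seen).days
        timely = 0 <= age <= max_age_days
        if not timely:
            reasons.append(f"last seen {age} days ago (limit {max_age_days})")
    else:
        reasons.append("no last_seen date")

    return Assessment(indicator, complete, accurate, relevant, timely, reasons)


def triage(feed, **kwargs):
    """Return the indicators that pass all four traits, in feed order."""
    return [a.indicator for a in (assess(e, **kwargs) for e in feed) if a.usable]


if __name__ == "__main__":
    for e in FEED:
        a = assess(e)
        print(f"{a.indicator:24} usable={a.usable!s:5} {'; '.join(a.reasons)}")
    print("promote to detections:", triage(FEED))
```

Of the five constructed entries only two survive: the high-confidence, recent, finance-tagged domain and the low-confidence IP that internal hunting had already observed. The stale OSINT entry, the record with no sighting date and the off-sector low-confidence IP are held back, which is exactly the noise the synopsis warns would otherwise reach analysts.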