Groups like SANS, MITRE, Gartner, Frost & Sullivan, Forrester and IDC all discuss the central role that threat intelligence plays in a modern SOC. Understanding who is attacking you and how they are going about it, is a critical capability. But the focus is often on external sources, supported by the idea that the most valuable threat intelligence comes from outside your organization.
These sources compile their information by analysing attacks against other organizations around the world. The fact is, the further these targets are from your organization, your industry, your country or your area, the less likely the intelligence is going to be relevant. Organizations routinely report that the best intelligence comes from organizations like themselves with whom they have some kind of intelligence sharing relationship.
Surprisingly, many businesses ignore internally gathered intelligence, or at the very least, do not leverage it fully. Yet, from the perspective of relevance and context, internal intelligence is about the best you can get because it represents the adversaries, malware, attacks and vulnerabilities your organization is experiencing day-to-day. It is probably already being collected in the form of artefacts from incident response, threat hunting, spear phishing analysis, alert triage, sandboxing, and the like. ...read more!
