Cyber threat intelligence is a foundational piece of any organization’s security program, providing defenders with awareness of activities occurring in the threat landscape. Accounting for all threats an organization may face is a daunting and nearly impossible task. Some organizations may take the step to stay informed by following industry leaders or a news service. While this approach to threat intelligence gathering is better than nothing, it’s inefficient and often causes organizations to lag or miss critical intelligence leaving them in the dark about the latest threats. This occurs because the “noise” a security analyst must go through to find information relevant to their organization or the minor technologies that compose an organization’s tech stack is overwhelming. This article discusses how organizations like Netskope can use Feedly for Threat Intelligence, backed with their Feedly AI, to help security teams cut through the noise and keep track of critical technologies in the organization’s tech stack and supply chain.
Organizational challenges of cyber threat intelligence (CTI)
When initially performing CTI, teams can encounter several challenges when defining goals and setting workflows. The cyber threat intelligence lifecycle can help teams get an initial workflow started, but defining clear and concise goals can be more difficult. The first question CTI teams should ask is, “What intelligence brings value to the organization and its security team?” Answering this question helps set attainable goals and clarifies what intelligence should be gathered. In practice, this looks different for each organization based on its environment and technology stack. Intelligence programs should also consider how their intelligence enhances security operations. CTI can flow directly into how an organization performs alerting and threat hunting, but isolating operational intelligence within the vastness of intelligence poses a challenge. Such questions raised here are “What threats to monitor” and “How to collect indicators of compromise.” An easy way to start is to monitor the threat landscape of the organization’s industry. While industry monitoring may not get as granular as monitoring specific threat actors, it provides a good starting place to see which adversaries an organization may face. From there, security teams can home in on changes in TTPs and collect new IoCs to strengthen the organization’s security stack and provide threat hunters with a better understanding of the adversaries they hunt.
What is Feedly for Threat Intelligence, and how does it help in the CTI process?
Feedly for Threat Intelligence helps security teams collect and share actionable open source intelligence faster. It includes AI models that scour the open web and continuously gather, enrich and synthesize threat insights, all while reducing noise so teams can analyze threats more efficiently. For instance, you can monitor specific threat actors active in your industry, track the exploits of new vulnerabilities, or dive deeper into specific malware. Feedly’s AI models make it easy to get targeted feeds related to your environment. For example, most organizations utilize Windows OS on their endpoints. With Feedly, a team could look at “Microsoft Windows” AND “Critical Vulnerabilities.” This feed will display trending information related to the Windows OS and vulnerabilities with a CVSS above 8 or vulnerabilities with a CVSS above 5 that also have an exploit. It enables vulnerability management teams to prioritize the remediation of vulnerabilities based on what is actively observed in the threat landscape.
Utilizing Feedly for Threat Intelligence to track vulnerabilities in an organization’s tech stack also provides the benefit of uncovering research where vulnerabilities are chained together to cause compromise of greater severity than any one vulnerability. Getting insights on the latest methodologies of chaining these vulnerabilities allows security teams to fully gauge the risk of vulnerable assets.
One of the advantages of Feedly AI is helping to identify zero-day vulnerabilities before they are widely reported so you can start your assessment. Zero-days are flaws in the software