SecurityWeek

Threat Intelligence

Improve Incident Response with SOPs for Cyber Threat Intelligence

When it comes to improving cyber incident response, security teams can learn a valuable lesson from the military about the importance of standard operating procedures. “SOPs” document prescribed methods for carrying out an activity or responding to a difficult situation.

The U.S. Army has SOPs for seemingly everything, and for good reason. Many SOPs help soldiers react to difficult situations with a clear head. Often these SOPs are designed to save lives, like the one that dictates where soldiers should place their first aid kits among their gear. 

SOPs for cybersecurity—and more specifically, those developed for cyber threat intelligence programs—can improve incident response. By establishing specific processes for conducting threat intelligence research, security teams can more quickly determine whether a compromise has occurred, and if so, its scope and impact. 

How to Establish SOPs for Threat Intelligence

Threat intelligence typically consists of compromise indicators, which often take the form of IP addresses, domain names, URLs, file names and malware hashes. Answering the following questions about each indicator can help establish SOPs:

IP Addresses: Are some network devices more critical than others? Which ones? Do I have the visibility I need to quickly determine if those devices are routing traffic to or from suspicious IPs? Is there a documented process for conducting this kind of research? Do I understand my security technologies well enough to carry out this research under pressure?

Domain Names: Do I have the ability to quickly look up domain traffic? Can I quickly “whois” those domains for registration info? Is there a documented process for conducting this research? Do I understand my security technologies well enough to do this under pressure?

URLs: Can I quickly look up suspicious URLs and the end users who visited them? Is there a documented process for doing this kind of research? Do I understand my security technologies well enough to do this under pressure?

File Names & Malware Hashes: Do I have the endpoint visibility I need to quickly determine if a particular file name or malware hash is present on any of my endpoints? 

These questions indicate the need for SOPs that help identify the presence of compromise indicators in an organization’s IT environment. They also emphasize the importance of proactively inventorying network devices and endpoints, so that security teams know exactly how many and which of those assets they need to investigate and remediate. 
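The questions above can be turned into a repeatable check, which is what an SOP for indicator research amounts to in practice. The script below is an added example, not code from the SecurityWeek article or from any product it mentions. It sweeps a set of compromise indicators (IP addresses, domains, URLs, file hashes) across constructed firewall, proxy and endpoint records, then groups the hits by asset and ranks critical assets first using an inventory, so responders learn scope and impact before anything else. Every indicator value, hostname, user name and log line is constructed sample data; the log format, the inventory layout and the function names are assumptions made for the example.

```python
"""Indicator sweep: run threat-intel indicators against local telemetry and
rank the affected assets by criticality. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed indicator set, shaped like a feed might deliver it.
INDICATORS = {
    "ip": {"203.0.113.45"},                       # TEST-NET-3 documentation range
    "domain": {"bad.example.net"},                # reserved example domain
    "url": {"http://bad.example.net/loader.php"},
    "sha256": {"b" * 64},                         # placeholder hash, not a real sample
}

# Constructed asset inventory: answers "which devices are critical?" up front.
ASSET_INVENTORY = {
    "fw-edge-01": {"owner": "netops", "critical": True},
    "ws-finance-07": {"owner": "finance", "critical": True},
    "ws-lab-22": {"owner": "research", "critical": False},
}

# Constructed log samples: "timestamp|host|key=value|key=value".
FIREWALL_LOG = [
    "2024-01-05T10:01:02Z|fw-edge-01|src=10.0.5.7|dst=203.0.113.45|action=allow",
    "2024-01-05T10:01:05Z|fw-edge-01|src=10.0.5.9|dst=198.51.100.2|action=allow",
]
PROXY_LOG = [
    "2024-01-05T10:02:10Z|ws-finance-07|user=alice|url=http://bad.example.net/loader.php",
    "2024-01-05T10:02:11Z|ws-lab-22|user=bob|url=https://www.example.com/index.html",
    "2024-01-05T10:02:15Z|ws-lab-22|user=bob|url=http://bad.example.net/",
]
ENDPOINT_LOG = [
    "2024-01-05T10:03:00Z|ws-lab-22|file=C:\\Users\\bob\\update.exe|sha256=" + "b" * 64,
    "2024-01-05T10:03:02Z|ws-finance-07|file=C:\\Windows\\notepad.exe|sha256=" + "a" * 64,
]


@dataclass
class Hit:
    kind: str     # indicator type that matched
    value: str    # the matching indicator
    asset: str    # host the record came from
    record: str   # raw log line kept for the analyst


def parse_fields(line):
    """Split 'ts|host|k=v|k=v' into (ts, host, {k: v})."""
    ts, host, *kvs = line.split("|")
    return ts, host, dict(kv.split("=", 1) for kv in kvs)


def sweep(indicators, firewall, proxy, endpoint):
    """Check each indicator type against the log source that can answer for it."""
    hits = []
    for line in firewall:
        _, host, f = parse_fields(line)
        for key in ("src", "dst"):
            if f.get(key) in indicators["ip"]:
                hits.append(Hit("ip", f[key], host, line))
    for line in proxy:
        _, host, f = parse_fields(line)
        url = f.get("url", "")
        domain = urlparse(url).hostname or ""
        if url in indicators["url"]:
            hits.append(Hit("url", url, host, line))
        elif domain in indicators["domain"]:
            # A domain-level match also catches paths the feed did not list.
            hits.append(Hit("domain", domain, host, line))
    for line in endpoint:
        _, host, f = parse_fields(line)
        if f.get("sha256", "").lower() in indicators["sha256"]:
            hits.append(Hit("sha256", f["sha256"], host, line))
    return hits


def scope_report(hits, inventory):
    """Group hits per asset and order critical assets first for triage."""
    by_asset = defaultdict(list)
    for h in hits:
        by_asset[h.asset].append(h)
    rows = []
    for asset, asset_hits in by_asset.items():
        # An asset missing from the inventory is itself a finding: a visibility gap.
        meta = inventory.get(asset, {"owner": "UNKNOWN", "critical": False})
        rows.append({
            "asset": asset,
            "owner": meta["owner"],
            "critical": meta["critical"],
            "indicator_types": sorted({h.kind for h in asset_hits}),
            "hit_count": len(asset_hits),
        })
    rows.sort(key=lambda r: (not r["critical"], -r["hit_count"], r["asset"]))
    return rows


if __name__ == "__main__":
    for row in scope_report(sweep(INDICATORS, FIREWALL_LOG, PROXY_LOG, ENDPOINT_LOG), ASSET_INVENTORY):
        print(row)
```

On the constructed data the sweep finds four hits (one IP, one exact URL, one domain-only match and one hash) and the report lists the two critical assets before the lab workstation even though the workstation has more hits. The point of writing the procedure down this way is that, under pressure, the analyst runs the same steps in the same order regardless of which indicator type the intelligence arrived as.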

Organizations at all levels of cybersecurity maturity can benefit from these and other SOPs; a state-of-the-art threat intelligence program isn’t a prerequisite for creating them. In the heat of the moment, SOPs can prevent panic and help to facilitate an efficient, effective incident response inside any organization with the foresight and willingness to create them. 
