iso27diy-corp/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/a-5.7-Threat-intelligence.md


#iso27002/2022/EN

5.7 Threat intelligence

Control

Information relating to information security threats should be collected and analysed to produce threat intelligence.

Purpose

To provide awareness of the organization's threat environment so that the appropriate mitigation actions can be taken.

Guidance

Information about existing or emerging threats is collected and analysed in order to:

a) facilitate informed actions to prevent the threats from causing harm to the organization;
b) reduce the impact of such threats.

Threat intelligence can be divided into three layers, which should all be considered:

a) strategic threat intelligence: exchange of high-level information about the changing threat landscape (e.g. types of attackers or types of attacks);
b) tactical threat intelligence: information about attacker methodologies, tools and technologies involved;
c) operational threat intelligence: details about specific attacks, including technical indicators.

Threat intelligence should be:

a) relevant (i.e. related to the protection of the organization);
b) insightful (i.e. providing the organization with an accurate and detailed understanding of the threat landscape);
c) contextual, to provide situational awareness (i.e. adding context to the information based on the time of events, where they occur, previous experiences and prevalence in similar organizations);
d) actionable (i.e. the organization can act on information quickly and effectively).

Threat intelligence activities should include:

a) establishing objectives for threat intelligence production;
b) identifying, vetting and selecting internal and external information sources that are necessary and appropriate to provide information required for the production of threat intelligence;
c) collecting information from selected sources, which can be internal and external;
d) processing information collected to prepare it for analysis (e.g. by translating, formatting or corroborating information);
e) analysing information to understand how it relates and is meaningful to the organization;
f) communicating and sharing it to relevant individuals in a format that can be understood.

Threat intelligence should be analysed and later used:

a) by implementing processes to include information gathered from threat intelligence sources into the organization's information security risk management processes;
b) as additional input to technical preventive and detective controls such as firewalls, intrusion detection systems or anti-malware solutions;
c) as input to the information security test processes and techniques.
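As an added illustration (not part of the ISO text), the following Python sketch applies steps c) to f) of the activities list above, and use b) here, to a few constructed feed entries: it normalises and merges indicators across sources, scores them for corroboration, relevance and actionability, keeps the time context, and emits only the indicators fit for a detective control. The feed names, the organization profile and every indicator value are constructed assumptions.

```python
from collections import defaultdict
# Constructed organization profile: what makes an indicator relevant/actionable for us.
ORG_PROFILE = {"sector": "finance", "deployable_types": {"ipv4", "domain"}}
# Constructed sample feeds (step c). Values use TEST-NET space and .invalid, so
# they are illustrative only and not real indicators of compromise.
FEEDS = {
    "internal-ids": [
        {"type": "IPv4", "value": "203.0.113.10", "seen": "2024-03-01", "tags": ["scanning"]},
        {"type": "domain", "value": "Update-Check.invalid", "seen": "2024-03-02", "tags": ["c2"]},
    ],
    "sector-isac": [
        {"type": "ipv4", "value": "203.0.113.10", "seen": "2024-02-28", "tags": ["scanning", "finance"]},
        {"type": "domain", "value": "cdn-mirror.invalid", "seen": "2024-02-20", "tags": ["phishing", "retail"]},
    ],
    "vendor-feed": [
        {"type": "ipv4", "value": "203.0.113.10", "seen": "2024-03-03", "tags": ["bruteforce", "finance"]},
        {"type": "email", "value": "billing@cdn-mirror.invalid", "seen": "2024-03-03", "tags": ["phishing"]},
    ],
}

def process(feeds):
    """Step (d): normalise type/value formats and merge the same indicator across sources."""
    merged = defaultdict(lambda: {"sources": set(), "tags": set(), "seen": []})
    for source, entries in feeds.items():
        for e in entries:
            rec = merged[(e["type"].lower(), e["value"].strip().lower())]
            rec["sources"].add(source)
            rec["tags"].update(t.lower() for t in e["tags"])
            rec["seen"].append(e["seen"])  # ISO dates compare correctly as strings
    return merged

def analyse(merged, profile=ORG_PROFILE):
    """Step (e): score on corroboration (>=2 sources), relevance (own sector or own sensors) and actionability."""
    results = []
    for (itype, value), rec in merged.items():
        corroborated = len(rec["sources"]) >= 2
        relevant = profile["sector"] in rec["tags"] or "internal-ids" in rec["sources"]
        actionable = itype in profile["deployable_types"]
        results.append({"type": itype, "value": value, "actionable": actionable,
                        "score": corroborated + relevant + actionable,
                        "sources": sorted(rec["sources"]),
                        "first_seen": min(rec["seen"]), "last_seen": max(rec["seen"])})
    return sorted(results, key=lambda r: (-r["score"], r["type"], r["value"]))

def detection_input(results, min_score=2):
    """Step (f) and use (b): indicators fit for a detective control, with their context kept."""
    return [f"{r['type']}:{r['value']} # sources={','.join(r['sources'])} "
            f"seen={r['first_seen']}..{r['last_seen']}"
            for r in results if r["actionable"] and r["score"] >= min_score]
```

The single-source, off-sector email indicator scores zero and is dropped, while the address seen by all three sources keeps its full source list and first/last-seen window in the output.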

The organization should share threat intelligence with other organizations on a mutual basis in order to improve overall threat intelligence.

Related: