
The Operational Case for an Intelligence-Driven Security Program (Part 2 of 2)

February 19, 2015

From an operations perspective, there are a few key points where enterprise security can benefit from threat intelligence as a platform. In my previous post I discussed prevention and detection, and why they are critical to your security program. In this post I will focus on the remaining operational aspects of threat intelligence: response and recovery.


It is no secret that many security operations teams struggle with meaningful response. Identifying an infection in progress can be paralyzing, especially when security operations has no clear response plan and no operational cooperation from the broader IT and business functions. In low-maturity organizations, response tends to take the form of a vendor-tool-driven remediation attempt or the dreaded "reload the system" directive. Anyone who has tried simply wiping infected systems quickly learns why that approach is so wildly unpopular with the business. Beyond the loss of productivity, the responder has no guarantee that there are no secondary infection points, no assurance that the wipe and reload actually worked, and, because reimaging destroys the very artifacts an investigation would need, no remaining evidence with which to answer either question.

It is here that we look to threat intelligence for what is termed purposeful response: identifying the infection vector with enough supporting information and certainty that the responder knows exactly how to respond. When the infection is malware that slipped through the prevention capability and is not known to be tied to anything larger, the determination may be to simply remove all of the infection components and monitor for further signs of intrusion. When the offending binary is identified as a component of a broader campaign or attack pattern, it may be necessary to mobilize a much larger response and hunt through internal systems that showed no signs of initial infection, to find where the attacker may have gained additional footholds and spread.

Response must be proportional to the attack. Treating every incident identically is ineffective and a tremendous waste of resources: it's the nuclear option, every time, because we simply don't know any better. Operational incident response benefits tremendously from threat intelligence, both in operational understanding of the intrusion at hand and in timely information shared by peers who may be fighting the same adversary.
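As an added example (not code from the original post), here is a small Python triage routine that implements the proportional-response decision described above: it matches what was observed on a host against an intel feed, requires a minimum confidence before acting on a match, scopes the response to host cleanup when the match carries no campaign context, and escalates to an enterprise hunt, producing the list of sibling indicators to sweep the rest of the fleet for, when the match is tied to a known campaign. The feed contents, the BLUE-HERON campaign name, the host names and every indicator value are constructed for the example and are not real intelligence.

```python
"""Proportional, intel-driven response scoping (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Indicator:
    value: str                    # "sha256:...", "domain:..." or "ip:..."
    confidence: float             # feed/analyst confidence it is malicious, 0..1
    description: str
    campaign: Optional[str] = None  # campaign the intel ties it to, if any


@dataclass
class ResponsePlan:
    host: str
    scope: str                    # "monitor", "host_cleanup" or "enterprise_hunt"
    matched: List[Indicator] = field(default_factory=list)
    hunt_list: List[str] = field(default_factory=list)   # sibling indicators to sweep for
    actions: List[str] = field(default_factory=list)


# Constructed intel feed. Values are placeholders, not real indicators.
FEED: Dict[str, Indicator] = {i.value: i for i in [
    Indicator("sha256:c0ffee01", 0.95, "commodity adware dropper"),
    Indicator("sha256:c0ffee02", 0.90, "campaign loader", campaign="BLUE-HERON"),
    Indicator("domain:cdn-updates.example.net", 0.85, "loader C2", campaign="BLUE-HERON"),
    Indicator("ip:203.0.113.10", 0.80, "second-stage staging host", campaign="BLUE-HERON"),
    Indicator("domain:telemetry.example.org", 0.30, "possibly benign telemetry"),
]}

MIN_CONFIDENCE = 0.7   # below this, the intel is not certain enough to act on


def match(observed: Set[str], feed: Dict[str, Indicator] = FEED) -> List[Indicator]:
    """Feed indicators present in a host's observations, highest confidence first."""
    hits = [feed[v] for v in observed if v in feed]
    return sorted(hits, key=lambda i: i.confidence, reverse=True)


def campaign_indicators(name: str, feed: Dict[str, Indicator] = FEED) -> Set[str]:
    """All indicator values the feed associates with a campaign."""
    return {v for v, i in feed.items() if i.campaign == name}


def scope_response(host: str, observed: Set[str],
                   feed: Dict[str, Indicator] = FEED) -> ResponsePlan:
    """Decide how wide the response should be for one host's observations."""
    matched = match(observed, feed)
    confident = [i for i in matched if i.confidence >= MIN_CONFIDENCE]
    plan = ResponsePlan(host=host, scope="monitor", matched=matched)

    if not confident:
        # Either nothing matched or only low-confidence intel did: watch, don't wipe.
        plan.actions.append("insufficient certainty: analyst triage, keep host under watch")
        return plan

    campaigns = {i.campaign for i in confident if i.campaign}
    if not campaigns:
        # Known-bad but isolated: remove the components and keep monitoring.
        plan.scope = "host_cleanup"
        plan.actions += [f"remove {i.value} ({i.description})" for i in confident]
        plan.actions.append("monitor host for further signs of intrusion")
        return plan

    # Part of a broader campaign: contain, then hunt the fleet for the siblings.
    plan.scope = "enterprise_hunt"
    for name in sorted(campaigns):
        siblings = campaign_indicators(name, feed) - observed
        plan.hunt_list += sorted(siblings)
        plan.actions.append(f"campaign {name}: hunt fleet for {len(siblings)} sibling indicator(s)")
    plan.actions.append("contain host and preserve volatile evidence before remediation")
    return plan


def sweep_fleet(hunt_list: List[str], fleet: Dict[str, Set[str]],
                skip: str = "") -> Dict[str, List[str]]:
    """Other hosts carrying any hunt indicator, i.e. likely additional footholds."""
    wanted = set(hunt_list)
    return {h: sorted(wanted & obs) for h, obs in fleet.items()
            if h != skip and wanted & obs}


if __name__ == "__main__":
    # Constructed per-host observations (hashes seen, DNS and connection logs).
    fleet = {
        "ws-017": {"sha256:c0ffee02", "domain:intranet.example.net"},
        "ws-042": {"ip:203.0.113.10"},
        "srv-db1": {"domain:telemetry.example.org"},
    }
    plan = scope_response("ws-017", fleet["ws-017"])
    print(plan.scope, plan.actions)
    print(sweep_fleet(plan.hunt_list, fleet, skip=plan.host))
```

In the constructed run, the loader hash on ws-017 resolves to the BLUE-HERON campaign, so the plan escalates to an enterprise hunt, and the fleet sweep surfaces ws-042, which never tripped an alert but is talking to the campaign's staging address. The same hash without campaign context would have produced a host-level cleanup instead, which is the proportionality the post argues for.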


Recovery goes hand in hand with response, and threat intelligence supports recovery as much as it does response. Recovery isn't just about removing the threat from the system and moving on. Intelligent recovery gives us insight into how to advance our defenses, whether prevention, detection, or response, so that we are more secure the next time.

Recovery effectively closes the loop, from identification of a threat, to its removal, to a full return to an operational steady state. Lessons learned from previous recovery operations include things like removing Internet access from certain systems that must run ancient versions of the Java runtime, and blocking uncategorized ("unclassified") web sites in forwarding proxies.

Recovery feeds prevention by helping build better early-warning and blocking capabilities, detection by providing more indicators and signatures, and response by exposing shortcomings in processes and tools. Recovery is a critical step that is fed by both internal and external threat intelligence, and it transforms internal tribal knowledge into actionable, shareable information.

Wrapping it Up

From an operational perspective, threat intelligence is essential to getting better. Many of today's static security measures were developed over a decade ago and continue to fail us, but they get a breath of new life when threat intelligence data is fed into them. Much as an operationally effective threat and vulnerability management (TVM) program was essential to good security a decade ago, properly operationalized threat intelligence is becoming essential to good security today.

Whether your organization is seeking to improve its prevention, detection, response, or recovery capabilities, threat intelligence is essential to a more effective security operations function.
