We’ve expanded our partnership with Mandiant, now part of Google Cloud, to help our users operationalize and prioritize threat intelligence. READ THE PRESS RELEASE >

Threat Profiles: Figuring Out Which Threats Matter

What are Threat Profiles?

In a typical security operations center (SOC), the threat detection and response teams have one key objective: identify and stop the bad guys. To do so, they invest in the best tools, recruit the best team members, and work tirelessly to stay ahead of any potential security incidents that might be on the horizon.

There’s a major obstacle hampering many security teams: despite having cutting-edge technology and highly skilled personnel, they find themselves overwhelmed by an avalanche of information about potential threat actors, malware, tools, and vulnerabilities. This flood of data leaves them with an acute problem; the inability to effectively prioritize threats.
Without clear prioritization, every potential threat is perceived as equally urgent, preventing teams from focusing on the most critical risks. Often, an attempt to defend against every possible threat leaves most teams vulnerable to the ones that are actually most likely to impact them.
While the promise of Threat Intelligence has always been to help teams become more strategic, understand which threats are targeting them, and figure out how to defend against them, the reality is that most organizations struggle to use Threat Intelligence to deliver on this promise.

Mediocre Threat intelligence platforms (TIPs) that focus exclusively on IOCs are a dime a dozen. While IOCs have their place in security, they aren’t helping teams generate strategic insights. Advanced TIPs that can describe who the threat actors are, what they want, how they operate, and provide more advanced indicators like TTPs, are less common, but come with an equally “advanced” price tag. Even more rare are solutions that make all of this information both actionable at a strategic level and accessible to organizations of all shapes, sizes, and maturity levels. As a result, only the largest and most well-funded organizations that are capable of building large and highly skilled threat intelligence teams that can take advantage of all of this information end up extracting the full value of these solutions and build effective Threat Profiles.

Threat Profiles can come in any number for formats, shapes, and sizes. Fundamentally, they are a description of all or most of the threats that have attacked or are most likely to attack your organization, based on motivations, regionality, technology, industry, etc. Organizations can use Threat Profiles to drive more strategic decisions across the security organization. Within Threat Detection specifically, Threat Hunters and Detection Engineers can leverage Threat Profiles to help them identify key focus areas for hunting exercises or detection development.

Attributes & Benefits of an Effective Threat Profile

Regardless of the shape, size, or format, a truly effective threat profile always makes it easy to share up-to-date, clear, and actionable information about the most relevant, recent, and prevalent threats to a specific organization.

Effective Threat Profiles Enable Dissemination → Information about threats, when not shared effectively with threat detection and response teams, is minimally valuable. Having all of the information about all possible threats at the fingertips of hunters, detection engineers, and incident responders is ultimately useless when teams don’t know which threats to drill deeper into. An effective threat profile simplifies and contextualizes threat intelligence and acts as a starting point for more strategic threat hunting, detection development, investigation, and response.

Effective Threat Profiles Are Dynamic → From one week to the next, or even one day to the next, the threat landscape can change and evolve in unpredictable ways. Without a highly skilled and dedicated team of Threat Intelligence Analysts, new threats and even old threats that are exhibiting new activity will fly under the radar. Effective threat profiles go beyond a static view and provide an updated and constant view into where organizations need to focus efforts without requiring expensive dedicated resources.

Effective Threat Profiles Are Actionable → Knowing what the threats are is nice, but being able to actually do something about those threats is what ultimately matters. Effective Threat profiles give teams the right information they need to pivot from threat to detection and hunt capability quickly and easily.

Challenges to Building an Effective Threat Profile

If threat profiles are so beneficial, why isn’t everyone using them? The thing is, when a team is struggling to keep up with the threats in front of them, it’s really challenging for them to prioritize something like a threat profile. Even though the long-term ROI is undeniable, most teams simply do not have the resources (whether that means team bandwidth or a capable tool) to create a threat profile.

Too Much Data

Most security teams are overwhelmed by data that their tools aren’t designed to help them sift through. They might subscribe to IOC feeds and threat intelligence resources that bring them every piece of key adversarial information they’d ever need to know…but in this case, quantity certainly outweighs quality.

Having every last drop of intelligence about every threat actor is meaningless if they don’t know a) which threat actors are most likely to target them or b) what they’re supposed to do to defend against them. Drowning in data with no directionality or visibility into which parts of it matter, organizations are left unable to prioritize and focus on the threats that they need to worry about.

Not Enough Skill

Threat profiling requires extensive knowledge of the threat landscape at large as well as the organization that’s up against them. In a widening talent gap, most security teams don’t have the resources or skill set needed to continuously assess the organization’s highest priority threats. It requires a large, dedicated cyber threat intelligence (CTI) team whose primary role is threat profiling.
Even if they do have a dedicated CTI team, human error is an ever-present risk. Alternatively, the team could rely on an automated tool that dynamically updates as their coverage evolves and changes.

Not Enough Collaboration

Most security teams operate less like a web and more like a group of silos. In a siloed structure, key teams like CTI, threat hunting, and detection engineering all work from disparate information, starting from scratch on each project, and aiming towards individual goals.

In reality, a well-oiled threat detection and response should be follow a unified security strategy, aiming for the same overarching objectives with each team playing a key role. These teams need collaborative, communicative workflows with distinct handoffs of responsibility.

Not Enough Money

Security budgets are stretched thin as it is. Truly effective Threat Intelligence, provided by a large and highly skilled CTI team, is one of those long-term needs that rarely outweighs more urgent matters, like incident response and zero-days. As other needs take the wheel time and time again, threat profiles fall to the budgetary backseat…even though most of the time, an upfront investment in threat profiling can prevent many of the problems that are higher up on that to-do list.
Additionally, few teams are measured on the outcomes that threat intelligence is supposed to unlock. As such, regardless of how deep or effective a threat research team’s work is, they’re not always incentivized to produce actionable insights for the larger security organization.

Not Enough Time

Without the help of a dedicated Threat Intelligence team, the typical SOC team is usually dealing with one fire drill after the next. They’ve got an endless to-do list, sourced from every possible angle: demands from leadership, emerging threats in the news, and (unfortunately) any incidents they have to clean up.
They’re struggling to keep up with their already busy plates. They just don’t have the time to sort through all of the threats they’re up against. Instead, they’re trying to make sure they’re protected against everything they know about, instead of what they really need to worry about.

How to Build & Utilize A Threat Profile

Creating an effective threat profile is crucial for threat detection teams looking to make the most of existing resources and provide the most effective value to their organization. By following a systematic approach, teams can prioritize threats, map them to relevant techniques, identify detection gaps, and efficiently fill these gaps. Below is a high-level guide on how to build and utilize a threat profile, with a particular focus on leveraging SnapAttack to streamline and enhance each of these steps.

Step 1: Prioritize Threats

To effectively prioritize threats, it is crucial to analyze the greater threat landscape within the context of the organization. This involves sorting threats based on several factors:
  • Industry – “Which threat actors are targeting other organizations in our industry? How have they done it?”
  • Region – “Which threat actors have targeted organizations in our region?”
  • Technology – “Are there certain technologies used by our organization that make us more of a target for certain threats?”
  • Motivations – “Is the actor financially motivated and looking to deploy ransomware? Or are we worried about a targeted attack, theft of IP, etc.?”
  • Recency – “Is this threat new and actively used? When was it last observed?”
  • Relevance – “How likely is this to impact our organization?”
  • Prevalence – “How commonly are those tactics used?”
  • Impact – “If it were to impact us, how bad would the damage be?”
Using this key data, teams can determine which threats, malware, tools, and actors are most likely to target and impact the organization. However, this process is likely to require significant amounts of time, energy, and resources that most organizations don’t have.
With SnapAttack, an organization’s Threat Profile is automatically generated and continuously updated based off of an organization’s unique attributes using best-in-breed threat intelligence. This eliminates the need for significant additional spend to produce strategic and actionable insights for threat detection teams.

Step 2: Map Prioritized Threats to Techniques

Once threats are prioritized, the next step is to understand how MITRE ATT&CK Techniques relate to the most pertinent Threat Actors, Malware, and Tools. Because Techniques are behavioral, detections built for Techniques tend to perform better at identifying a broader range of threats over a longer period of time. In other words, a focus on Techniques enables threat hunters and detection engineers to develop high-value and long-lasting detections, unlike with IoCs.

However, with over 200 Techniques and 500 Sub-Techniques, manually prioritizing which Techniques and Sub-Techniques are most relevant to all of the Threat Actors, Malware, and Tools that are part of the Threat Profile is simply untenable at scale. This process can be achieved easily with a handful of Threats, but becomes much harder with a truly comprehensive threat profile.

SnapAttack simplifies this process by automatically pivoting from your organization’s prioritized Threat Actors, Malware, and Tools into a single list of prioritized MITRE ATT&CK Techniques and Sub-Techniques.

Step 3: Identify Detection Gaps

Not all relevant, recent, or common threats pose an immediate risk. The key is to understand how these priorities intersect with your current detection capabilities. Traditionally, this is a slow and cumbersome process that involves manually mapping detection rules to ATT&CK Techniques, testing individual techniques, or relying on basic mappings from vendors. Teams then often need to consolidate this information into a report, typically a spreadsheet, leading to incomplete and hard-to-maintain data.
SnapAttack automates this workflow by automatically discovering and centralizing your organization’s ATT&CK Technique detection coverage. It cross-references this coverage with your prioritized techniques, allowing you to quickly see which techniques pose both major threats and risks to your organization.

Step 4: Fill Detection Gaps

Both Detection Engineers and Threat Hunters can use Threat Profiles to determine which threats are most critical for their hunting exercises or building detection rules. In threat hunting, prioritizing threats allows for informed decisions about which threats to pursue in exercises.
For both Detection Engineering and Threat Hunting, prioritizing threats guides the development and implementation of detection rules or the execution of hunting exercises for the most urgent and relevant threats.
This process begins with deep-dive research into the nature of each threat, which can be time-consuming, particularly for those without extensive backgrounds in areas such as red teaming, malware reverse engineering, and threat intelligence.
After understanding the threat, engineers must create search queries or detection rules, which involves additional expertise in the specific platforms used for investigation. Organizations with multiple SIEMs, EDRs, or Data Lakes face increased complexity in building effective searches and rules, as each platform requires a different search and detection rule language or syntax.
SnapAttack mitigates these challenges by providing pre-written, high-quality, and tested hunting queries and detection rules for specific Threat Actors, Malware, Tools, and Techniques which are compatible with multiple SIEMs, EDRs, and Data Lakes. This allows Detection Engineers and Threat Hunters to skip the laborious research and development process, thereby enhancing efficiency and effectiveness in filling detection gaps.

Automate Your Threat Profile with SnapAttack

SnapAttack significantly enhances the efficiency and effectiveness of building and utilizing a threat profile for any organization.

By leveraging best-in-breed threat intelligence, SnapAttack autonomously generates and updates a comprehensive Threat Profile tailored to an organization’s unique attributes. This automated system translates the profile into prioritized MITRE ATT&CK Techniques and Sub-Techniques, thereby streamlining the identification and mitigation of detection gaps.

Moreover, SnapAttack centralizes ATT&CK Technique detection coverage, enabling teams to quickly identify and focus on high-priority techniques with low coverage. By offering pre-written, high-quality hunting queries and detection rules, SnapAttack enables Detection Engineers and Threat Hunters to bypass lengthy research and development processes. This results in more effective threat hunting and detection rule implementation across multiple platforms, ultimately fortifying an organization’s defense against evolving cyber threats.

Book a demo with SnapAttack to see how much time you could save on threat hunting and detection engineering.

About SnapAttack: SnapAttack is an innovator in proactive, threat-informed security solutions. The SnapAttack platform helps organizations answer their most pressing question: “Are we protected against the threats that matter?”

By rolling threat intelligence, adversary emulation, detection engineering, threat hunting, and purple teaming into a single, easy-to-use product with a no-code interface, SnapAttack enables companies to get more from their tools and more from their teams so they can finally stay ahead of the threat.