The key to threat intelligence is the automation component. “If you’re not automating the ability to consume threat intelligence, then you’re not really doing threat intelligence.” A number of organizations claim to be implementing these practices but do not automate, relying instead on manual processes that are less efficient and do not scale.
Threat intelligence comes down to consuming IPs. One improvement the group identified was the need to obtain more known-bad IPs and signatures. Some members of the discussion noted the use of “canaries,” which are highly distinctive user accounts and passwords designed to be easy to pick out in large data sets, so that their appearance indicates a compromise has occurred.
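As an added example of the two points above (it is not from the discussion summarised here), the following Python script automates consumption of a small threat-intelligence feed and checks log lines against it: known-bad IP ranges are matched with CIDR arithmetic, and canary account names are flagged both in authentication logs and in an arbitrary text blob such as a pasted credential dump. The feed format (`type,value,source` CSV), the indicator values, the log lines and the dump text are all constructed for this example.

```python
"""Automated consumption of a small threat-intel feed against log lines.

Added example with constructed data; not code from the discussion above.
Matches known-bad IP ranges (CIDR) and canary account names, the two
indicator types the discussion mentions.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed feed. A real deployment would pull this on a schedule from a
# TAXII server or vendor API; the "type,value,source" CSV layout here is
# a hypothetical format chosen for the example.
FEED = """\
ip,203.0.113.0/24,constructed-feed
ip,198.51.100.17,constructed-feed
canary,svc-backup-q7x9,internal-canary
canary,auditbot-3f2a,internal-canary
"""

# Constructed log lines in a simple sshd-like format.
LOGS = """\
2024-05-01T10:00:01Z sshd[1] Accepted password for alice from 192.0.2.10 port 5000
2024-05-01T10:00:05Z sshd[1] Failed password for root from 203.0.113.77 port 5001
2024-05-01T10:00:09Z sshd[1] Failed password for svc-backup-q7x9 from 192.0.2.44 port 5002
2024-05-01T10:00:12Z sshd[1] Accepted password for bob from 198.51.100.17 port 5003
2024-05-01T10:00:15Z sshd[1] Accepted password for carol from 192.0.2.11 port 5004
"""

# Constructed "dump" text standing in for a large pasted credential list.
DUMP = "alice:hunter2\nauditbot-3f2a:Tr0ub4dor\nbob:letmein\n"


class Hit(NamedTuple):
    line_no: int
    indicator_type: str   # "ip" or "canary"
    indicator: str        # the feed entry that matched
    source: str           # feed source label
    log_line: str


LOG_RE = re.compile(r"password for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")


def load_feed(text: str) -> Tuple[List[Tuple[ipaddress.IPv4Network, str]], Dict[str, str]]:
    """Parse the feed into (network, source) pairs and a canary-name map."""
    networks = []
    canaries = {}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        kind, value, source = raw.split(",", 2)
        if kind == "ip":
            # strict=False lets single hosts and CIDR blocks share one code path
            networks.append((ipaddress.ip_network(value, strict=False), source))
        elif kind == "canary":
            canaries[value] = source
    return networks, canaries


def scan_logs(log_text: str, networks, canaries) -> List[Hit]:
    """Return every log line whose source IP or account matches an indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m["ip"])
        for net, source in networks:
            if addr in net:
                hits.append(Hit(n, "ip", str(net), source, line))
        user = m["user"]
        if user in canaries:
            hits.append(Hit(n, "canary", user, canaries[user], line))
    return hits


def find_canaries(text: str, canaries) -> List[str]:
    """Canary names present anywhere in an arbitrary text blob (e.g. a dump)."""
    return sorted(name for name in canaries if name in text)


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per indicator type."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.indicator_type] = counts.get(h.indicator_type, 0) + 1
    return counts


if __name__ == "__main__":
    nets, cans = load_feed(FEED)
    found = scan_logs(LOGS, nets, cans)
    for h in found:
        print(f"line {h.line_no}: {h.indicator_type} match {h.indicator} ({h.source})")
    print("canaries in dump:", find_canaries(DUMP, cans))
    print(summarize(found))
```

Against the constructed data the scan flags three log lines (two known-bad IPs and one canary login attempt) and finds one canary account in the dump; the point of a canary is that any appearance at all is the signal, so even a failed login with that name is worth an alert.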
From a DDoS perspective, some threat intelligence groups have taken to “trolling” known forums for information on planned attacks against companies. One member of the group discussed how his team was able to learn about a scheduled DDoS attack several days in advance. They configured their edge, and their service provider made corresponding changes on its side, and together they rode out the attack successfully.