Cyber criminals have become increasingly bold, organised, and equipped with more sophisticated tools in recent years. New attack techniques and malware are developed and refined so quickly that organisations often have little choice but to take a reactive, defensive stance.
One of the most effective ways of taking the initiative back from the attackers is for organisations to arm themselves with high-level threat intelligence that will help them to identify potential malicious activity in advance. Gathering information from a mixture of open sources and hidden channels such as the dark web, threat intelligence reports can help companies to prepare against incoming attacks and take action to block them or mitigate their impact.
However, hearing the phrase “high-level threat intelligence”, the immediate reaction for many people would be to think of elite security analysts employed only by secretive government organisations and the world’s largest mega corporations. For many years, accessing intelligence was seen as both too expensive and too complicated for ordinary businesses.
While it is true that threat intelligence was once available only to those that could afford to hire the highest level of advanced analysts in the industry, it has become rapidly more accessible in recent years. Advancing technology has enabled the market to expand rapidly, and any organisation can now access high quality intelligence without breaking the bank on paying for the security elite.
Armed with access to threat intelligence that is clear, relevant and available in real time, organisations will be better informed and equipped for all of their security activity, from dealing with daily threats through to the high-level strategic decisions made by executive leadership.
One destination for threat intelligence will be the Security Operations Centre (SOC). Whether run in-house or via a third-party supplier, the SOC is the nerve centre of an organisation’s security activity. Security alerts from tools such as SIEM, IDS and EDR all feed through to the SOC, enabling the security team to identify and respond to potential threats. Threat intelligence will provide powerful visibility of the wider world to provide context alongside these various sources of internal security information.
One of the most common challenges for SOC teams is dealing with the vast volume of threat data heading their way. Alongside the sheer number of reports, teams also need to deal with the fact that the alert stream contains false positives, while genuine threats may generate no alert at all (false negatives), and they will need to disentangle the two. With so much going on, it can be easy to overlook data that could point towards a serious threat.
With this in mind, if a SOC is already struggling with its own internal data streams, simply piling on even more information from external sources will make it even more difficult to keep up. Security alerts need to be filtered so that only relevant data is passed through to the SOC analysts, presented with context and enriched with additional information that can help the team to understand and act on their data streams more easily.
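The filtering and enrichment step described above, as an added example that is not Recorded Future's code: the alert records, the intelligence feed and the confidence and age thresholds are all constructed here for illustration.

```python
"""Filter SIEM/IDS/EDR alerts against a threat-intelligence feed and enrich
the survivors with context. Added example; all data below is constructed."""
from datetime import date

# Constructed intelligence feed: indicator -> the context an analyst needs.
INTEL_FEED = {
    "203.0.113.7":   {"threat": "Credential-stuffing botnet", "confidence": 90, "last_seen": date(2024, 5, 2)},
    "198.51.100.40": {"threat": "Low-value scanner",          "confidence": 35, "last_seen": date(2023, 1, 9)},
    "bad.example":   {"threat": "Phishing landing page",      "confidence": 80, "last_seen": date(2024, 5, 1)},
}

# Constructed alerts as they might arrive from SIEM, IDS and EDR tooling.
ALERTS = [
    {"source": "SIEM", "rule": "Multiple failed logins", "indicator": "203.0.113.7"},
    {"source": "IDS",  "rule": "Port sweep",             "indicator": "198.51.100.40"},
    {"source": "EDR",  "rule": "Outbound DNS",           "indicator": "bad.example"},
    {"source": "IDS",  "rule": "Port sweep",             "indicator": "192.0.2.1"},
]

TODAY = date(2024, 5, 10)  # constructed reference date for indicator age


def enrich_alerts(alerts, feed, today, min_confidence=60, max_age_days=90):
    """Return only alerts whose indicator matches recent, confident intelligence,
    each enriched with that context and ordered highest confidence first."""
    enriched = []
    for alert in alerts:
        intel = feed.get(alert["indicator"])
        if intel is None:
            continue  # no external context: stays in the raw stream, not escalated
        age = (today - intel["last_seen"]).days
        if intel["confidence"] < min_confidence or age > max_age_days:
            continue  # low confidence or stale indicator: likely noise, filtered out
        enriched.append({**alert, "threat": intel["threat"],
                         "confidence": intel["confidence"], "indicator_age_days": age})
    return sorted(enriched, key=lambda a: a["confidence"], reverse=True)


if __name__ == "__main__":
    for a in enrich_alerts(ALERTS, INTEL_FEED, TODAY):
        print(a)
```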
Combating emerging threats
Most security experts accept that it is impossible to guarantee complete protection from cyber-attacks, especially because threat actors can exploit previously unknown zero-day vulnerabilities. This means that incident response is one of the most important aspects of any security strategy, with a well-planned response strategy often making the difference between a minor incident and an expensive disaster.
That said, even the most thorough incident response playbook will be rendered ineffective if the security team is not accessing essential data that will help them understand the situation. Many teams are stymied by the use of disjointed technologies that provide fragmented data streams, as well as the ongoing industry shortage of skilled and experienced professionals. The more time that must be spent trying to untangle disorganised threads of data, the more time the attack can progress unimpeded and the more damage it will cause.
If the response team has access to a threat intelligence tool that is able to break sources down into relevant and usable items, the team will be able to get to grips with the situation much faster. This will help them to utilise their resources far more efficiently and make swifter decisions in the midst of an active threat when every second counts.
The ability to discover and respond to threats in real time will make a huge difference in a company’s ability to mitigate the damage cybercriminals can inflict. Just as important, however, is the capability to proactively identify and manage vulnerabilities in advance, before they can be discovered and exploited by attackers.
The complexity of the average IT system and the rate at which new vulnerabilities are discovered means that very few companies have the resources to keep up with everything. Instead, remediation efforts need to be prioritised based on the level of risk involved. Incorporating threat intelligence into the risk assessment process will enable the company to factor in context from the wider security landscape as well as its own internal operations.
Intelligence reports might reveal that certain software has been the focus of a major attack campaign in recent months, for example, which would make updating and patching this software a much greater priority than it might have been otherwise.
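The risk-based prioritisation just described, as an added example rather than the author's or Recorded Future's method: the inventory, CVSS values, campaign reports and scoring weights are constructed, and the point is that a mid-severity flaw in software under active attack outranks a critical one nobody is exploiting.

```python
"""Order patching work by risk, folding threat-intelligence context into the
score alongside severity and exposure. Added example; all data is constructed."""

# Constructed asset inventory: one entry per (software, vulnerability) pair.
VULNS = [
    {"id": "VULN-A", "software": "webmail",   "cvss": 6.5, "internet_facing": True},
    {"id": "VULN-B", "software": "erp",       "cvss": 9.8, "internet_facing": False},
    {"id": "VULN-C", "software": "vpn-gw",    "cvss": 7.2, "internet_facing": True},
    {"id": "VULN-D", "software": "print-srv", "cvss": 9.1, "internet_facing": False},
]

# Constructed intelligence: software the feed reports in current campaigns.
INTEL = {
    "webmail": {"campaign": "Mass exploitation reported this month", "exploited_in_wild": True},
    "vpn-gw":  {"campaign": "Proof-of-concept circulating",          "exploited_in_wild": False},
}


def risk_score(vuln, intel):
    """CVSS weighted by exposure, then boosted by intelligence context.
    The multipliers are illustrative assumptions, not an industry standard."""
    score = vuln["cvss"]
    if vuln["internet_facing"]:
        score *= 1.5                     # directly reachable by attackers
    report = intel.get(vuln["software"])
    if report:
        score *= 2.0 if report["exploited_in_wild"] else 1.25
    return round(score, 2)


def prioritise(vulns, intel):
    """Return vulns ordered highest risk first, each carrying its score and
    the intelligence reason an analyst can cite for the ranking."""
    ranked = []
    for v in vulns:
        report = intel.get(v["software"], {})
        ranked.append({**v, "risk": risk_score(v, intel),
                       "reason": report.get("campaign", "no campaign reported")})
    return sorted(ranked, key=lambda v: v["risk"], reverse=True)


if __name__ == "__main__":
    for v in prioritise(VULNS, INTEL):
        print(v["id"], v["risk"], v["reason"])
```

Sorting the same inventory by CVSS alone would put VULN-B and VULN-D first; the intelligence context moves the actively exploited webmail flaw to the top.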
Equipping themselves with their own threat intelligence streams will also give organisations a better chance of staying ahead of attackers. While new vulnerabilities that have been discovered by the security community are listed on the National Vulnerability Database (NVD), it takes an average of seven days for new threats to be published. This is ample time for more advanced and organised cyber criminals to exploit the vulnerability before companies are aware of it. By using their own intelligence rather than relying on the NVD and other sources, organisations can proactively take control of their own security.
Empowering leadership with genuine intelligence
While organisations are unquestionably better protected from cyber threats if they are able to take a proactive stance rather than reacting to incoming attacks, there are many challenges standing in the way of a successful proactive strategy. One of the biggest issues is the amount of capital and resources required.
Acquiring the required personnel and technology will generally involve a heavy financial investment. Companies are often reluctant to devote so much capital to security, with many still seeing it as an IT issue rather than the essential business priority it has become.
Even when organisations do decide to invest in security appropriately, the expansive and fast-moving nature of the cyber landscape means it is often difficult to prioritise effectively. As a result, we often find companies have opted to invest in advanced new security tools because of market hype or the actions of their peers and competitors, rather than through a real understanding of their own priorities.
Access to clear and accurate threat intelligence can help CISOs and other security leaders ensure that their companies are investing in a security strategy that is optimised for their specific needs. Intelligence will also lend extra weight when it comes to presenting the threats to the board and convincing them to authorise the required investment in technology and personnel.
From informing top level strategic business decisions to helping to deal with daily security demands, organisations are now able to incorporate threat intelligence into all essential security activity. However, while it is true that threat intelligence has advanced beyond the limits of the security elite to become accessible to the wider business world, the information must be presented in a succinct, relevant and targeted way if it is to make a difference.
Chris Pace, technology advocate, Recorded Future