
Threat intelligence is undergoing its renaissance. Here's what to expect in 2021


Two decades ago, a group of 17 software engineers met at a ski resort in Utah to discuss a common frustration. Too often, software was being developed so slowly that by the time it shipped, it was already obsolete: the business environment that had justified it had changed.

Their thinking led to the agile development frameworks we know today, and to the practices that grew out of them, including continuous integration/continuous delivery (CI/CD).

Automation was always an engine of change. Its sole purpose is to minimize human intervention and make our lives easier. From the first boiler thermostat to the most advanced aerospace manufacturing floor, automation is constantly changing the way we do things.

Today, the threat intelligence community faces similar dynamics. The interconnected nature of today's networks means that security systems generate mountains of data, while the expertise needed to interpret it grows ever scarcer. And with a rapidly changing threat environment, organizations need to anticipate and prepare for tomorrow's attack, not yesterday's.

It takes too long for many teams to make major decisions, and even longer for an organization to implement them. The security environment changes before security leaders can ingest the data they have, and the action they do take is based on conditions from yesterday, or a week ago.

Cybersecurity needs an agile framework. Threat intelligence can help lead the way by improving the way data is consumed through automation, context, and building better partnerships.

Where context is king

In the world of intelligence, context is king. Without it, information is just information. There’s a huge difference between “there’s a piece of pizza on the table” and ”the last piece of pizza is on the table.” Unfortunately, too much of the data that security teams rely upon today can’t make these sorts of granular distinctions. That hurts companies’ ability to take advantage of the intelligence at their fingertips.

Context tells the story behind the data by looking at the information that sits adjacent to it. In threat intelligence, that means cross-referencing indicators such as IP addresses and connecting the dots between actors. With a large enough data lake, it becomes possible to reason about common patterns of dark web discourse and the threat they pose to specific targets.

Consider two hypothetical dark web posts: “I want access to ABC Mega Corp.,” and “Selling Fullz from ABC Mega Corp. breach.” If you are on the security team at ABC Mega Corp., both statements are alarming, but they require radically different responses.

In the first instance, an investigator is really going to want to figure out the identity of the poster. They can do this by looking for identical usernames on other forums, and, to a lesser extent, geographical clues, language, and other factors.

The second statement requires a different response, possibly based on the volume of posts in the forum or the interest in the post by other dark web users. An internal investigation may be required, to hunt for potential breaches, insider threats, and more. At the same time, the identity and credibility of the poster need to be ascertained.

Now, in the discussion of ABC Mega Corp., investigators might focus entirely on what a few posts mean to their organization. But metadata provides even more context. We don't need to examine only the content of references to ABC Mega Corp. A sudden surge of references to the company on one forum can mean that something is happening elsewhere, such as a breach being traded on another forum or marketplace. A drop in the price of a dark web commodity, such as stolen credit cards, may indicate that the market is saturated. A spike in the volume of credentials sold could indicate that there has been a major breach.
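The analytical steps sketched above (separating "access sought" from "data offered", pivoting a poster's handle across forums, and reading the metadata of a feed for mention spikes and price drops) can be put into code. The following is an added example written for this article, not code from the author or from Cybersixgill. The posts are constructed sample data, the intent patterns are deliberately simple keyword rules, and the spike and price thresholds are assumptions chosen for illustration; a real deployment would tune them per forum and source.

```python
"""Contextualising dark-web chatter about a monitored company.

Added example for this article, not code from the author or Cybersixgill.
The posts are CONSTRUCTED sample data, the intent patterns are simplistic,
and the spike/price thresholds are assumptions chosen for illustration.
"""
import re
from collections import Counter
from statistics import mean

TARGET = "abc mega corp"  # the monitored organisation, lower-cased for matching

# Constructed sample posts: (forum, ISO day, username, text, asking price in USD or None)
POSTS = [
    ("forumA", "2021-01-03", "nightowl",  "I want access to ABC Mega Corp.", None),
    ("forumB", "2021-01-03", "nightowl",  "Need VPN creds for a big retailer, paying well", None),
    ("forumA", "2021-01-04", "cashout99", "Selling Fullz from ABC Mega Corp. breach, 50k records", 25.0),
    ("forumA", "2021-01-05", "ltrader",   "Anyone vouch for the ABC Mega Corp fullz seller?", None),
    ("forumA", "2021-01-06", "cashout99", "ABC Mega Corp fullz restock, price cut", 12.0),
    ("forumA", "2021-01-06", "buyer1",    "ABC Mega Corp data legit? sample please", None),
    ("forumA", "2021-01-06", "buyer2",    "Bought ABC Mega Corp fullz, all valid", None),
    ("forumA", "2021-01-06", "buyer3",    "ABC Mega Corp cards working, thanks", None),
    ("forumA", "2021-01-06", "ltrader",   "Where is the ABC Mega Corp thread mirror?", None),
    ("forumA", "2021-01-06", "newguy",    "abc mega corp dump still available?", None),
    ("forumC", "2021-01-07", "cashout99", "ABC Mega Corp fullz bulk deal", 8.0),
]

# Two intents the article distinguishes: someone seeking a way in, and someone
# selling what has already been taken. Everything else is surrounding chatter.
ACCESS_SOUGHT = re.compile(r"\b(want|need|looking for|buying)\b.*\b(access|creds|credentials|rdp|vpn)\b", re.I)
DATA_OFFERED = re.compile(r"\b(selling|for sale|restock|bulk deal)\b", re.I)


def mentions_target(text):
    return TARGET in text.lower()


def classify(text):
    """Map a post to the response path it should trigger."""
    if DATA_OFFERED.search(text):
        return "data_offered"      # hunt internally for a breach; vet the seller
    if ACCESS_SOUGHT.search(text):
        return "access_sought"     # attribute the poster before anything else
    return "chatter"


def pivot_username(posts, user):
    """All forums where the same handle appears: the first attribution pivot."""
    return sorted({p[0] for p in posts if p[2] == user})


def daily_mentions(posts, forum):
    """Mentions of the target per day on one forum (the metadata, not the content)."""
    return Counter(p[1] for p in posts if p[0] == forum and mentions_target(p[3]))


def is_spike(counts, day, factor=3.0, minimum=3):
    """Flag a day whose mention count is >= factor x the mean of all earlier days.
    Thresholds are assumptions; a real deployment would tune them per forum."""
    prior = [c for d, c in counts.items() if d < day]
    if not prior:
        return False
    return counts[day] >= minimum and counts[day] >= factor * mean(prior)


def price_trend(posts):
    """Relative change in asking price across all priced offers for the target.
    A steep drop is one indicator of a saturated market for that data set."""
    priced = sorted((p[1], p[4]) for p in posts if p[4] is not None and mentions_target(p[3]))
    if len(priced) < 2:
        return None
    first, last = priced[0][1], priced[-1][1]
    return (last - first) / first


def triage(posts):
    """One pass over the feed: per-post intent plus the forum-level signals."""
    relevant = [p for p in posts if mentions_target(p[3])]
    intents = Counter(classify(p[3]) for p in relevant)
    seekers = sorted({p[2] for p in relevant if classify(p[3]) == "access_sought"})
    sellers = sorted({p[2] for p in relevant if classify(p[3]) == "data_offered"})
    forum_a = daily_mentions(posts, "forumA")
    return {
        "intents": dict(intents),
        "seekers": {u: pivot_username(posts, u) for u in seekers},
        "sellers": {u: pivot_username(posts, u) for u in sellers},
        "spike_days": sorted(d for d in forum_a if is_spike(forum_a, d)),
        "price_change": price_trend(posts),
    }


if __name__ == "__main__":
    for key, value in triage(POSTS).items():
        print(f"{key}: {value}")
```

On the sample feed, the single "want access" post routes to attribution and the pivot shows the same handle active on a second forum; the "selling" posts route to an internal breach hunt; 6 January stands out as a spike on forumA against a baseline of one mention per day; and the asking price falling from 25 to 8 across three offers is the saturation signal the text describes. None of these judgements is reliable on its own, which is the point of combining content, actor pivots and metadata in one pass.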

Scaling walled gardens

This type of data consumption flexibility has traditionally been quite rare. For years, security practitioners have relied on threat intelligence that required them to toggle between screens and manually input information.

Different industries have different priorities, and there is a wide range of roles within each domain. The threat intelligence industry needs to understand the needs of all these groups. Whether we are dealing with security analysts in the finance sector, incident investigators in healthcare, or something else, practitioners require tools that meet their needs and also work in conjunction with the platforms they already use. Data, in other words, needs to be consumable in the format the user chooses.


An interdependent ecosystem

Data flexibility, automation, and contextualization are inter-linked concepts that can accelerate threat intelligence and incident response. A weakness in one of these areas affects all the others.

In the threat intelligence world, the coming years will see increasing movement toward projects and services that recognize this. Human judgement still matters. But investigators and analysts in every industry need a continuous loop of intelligence intake on which to base their decisions, and continuously improving automation for the situations where human judgement isn't required.

Just as agile programming teams have improved products and allowed software companies to meet their customers' needs rapidly, agile threat intelligence has the potential to have a similar impact.

Rapid, timely response can only be achieved by automating the response to contextual data, and that data must be consumable in a way that meets the needs of the end-user - no matter what tools or platforms they use. This system can form the basis of a continuous response and investigation process that is not just thorough, but exhaustive and flexible. Security teams deserve nothing less.

Dov Lerner, Security Research Lead, Cybersixgill

Dov Lerner is the security research lead at Cybersixgill, focusing on malware sold on the dark web. He served for five years in the military as an intelligence officer, and subsequently worked as a malware analyst. He holds the CISSP and CISM certifications and an MA in Security Studies from Tel Aviv University.