An Enterprise Guide to Using Threat Intelligence for Cyber Defense
Cybercrime has evolved significantly in recent years. While security teams struggle to keep businesses protected, cyberattacks not only increase in number but also evolve into more complex and effective weapons on this virtual battlefield.
When it comes to vulnerabilities and cyberattacks, innovation often lands in the hands of cybercriminals well before it is available to security solution providers. This evolving scenario has led to the creation of a large industry around cybercrime, to the point that it is now offered as a service. From malware kits sold with detailed usage instructions, to massive botnets rented out for denial-of-service attacks, and even ransomware franchising, weaponizing the next attack requires little more than a fraction of a Bitcoin and a connection to the deep web.
Today’s cybercriminals cooperate with each other, sharing information, code and malicious artifacts with one goal in mind — staying a step ahead of the cybersecurity industry. So, how do we deal with this complex situation, which affects many businesses around the world? The answer is rather simple: the good guys should also employ cooperation and intelligence tactics.
As attacks using similar techniques become more frequent, so does the chance that another group or company has already spotted the technique. This means knowledge about the attack exists somewhere; it just needs to be shared, normalized and distributed so it can be turned into actionable information for security teams. That is exactly what threat intelligence is all about.
What Is Threat Intelligence?
As Gartner puts it, threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the response to that menace or hazard.
In simpler terms, threat intelligence (also commonly referred to as cyber threat intelligence) is the process of acquiring, from multiple sources, actionable knowledge about threats to an environment. This allows security teams to detect incidents faster, or even to prevent them from happening altogether.
What Is the Importance of Threat Intelligence?
Considering that most security teams have limited resources, trying to ensure protection against every single exploit and threat vector is a bad strategy, since this may simply not be feasible. The best approach is a smart allocation of existing resources and strengthening the security posture against the attacks that are most likely to occur. The problem is, without actual information, defining what is “most likely to occur” becomes guesswork.
New threats emerge almost every day, and they have evolved to the point where an attack may remain completely unnoticed. For example, a network breach being used to steal corporate data may look just like a normal operation, even with the necessary security tools in place.
Understanding how cybercriminals create and weaponize their campaigns is of immense value. Threat intelligence can be used to detect attacks or abnormalities at their initial stages, enabling a quick response from security teams, thus minimizing the impact of breaches. This is one of the main reasons threat intelligence is changing from a luxury to a basic necessity of good security strategies.
How Is Threat Intelligence Sourced?
Threat intelligence sources can be either internal or external, based on commercial (proprietary products) or open source solutions.
- Internal sourcing: Using internal sources for threat intelligence means identifying potential sources of threat information and defining how it will be collected and processed into something actionable.
The most common data sources are network devices (e.g., routers, firewalls, Wi-Fi, remote login services, DHCP logs, and monitoring tools such as intrusion detection and prevention systems and protocol analyzers) and endpoint software (e.g., operating system logs, antivirus products and web browsers). Information can also be collected from other sources such as email systems and even helpdesk tickets.
It is quite obvious that deploying sensors and ensuring accurate collection from multiple internal data sources can be a challenge. Using a security information and event management (SIEM) product can be of immense value, as it makes it possible to automate many tasks and create dashboards or reports synthesized from a variety of data sources.
- External sourcing: There are many external sources of threat intelligence readily available to be used by any organization, including security products and network appliance vendors, security communities and associations, managed security services providers (MSSPs) and security consultancies.
They can provide a lot of actionable information, such as lists of compromised web sites, botnet members and spam sources, known phishing senders and phishing attack patterns, mappings of IP addresses to physical locations, and indications of the countries, locations or networks from which an attack is most likely to originate.
Ideally, organizations should adopt a combined approach for threat intelligence. Individually, both internal and external sources can be of immense value, but only create a complete view of the threat landscape when united. For instance, internal sources are the best option for information that is highly relevant and specific to the organization, while external resources can provide alerts on trends and new threats. By combining both views, security teams can reduce the time from breach to detection and from detection to containment or eradication.
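As an added illustration of the combined approach described above (example code written for this guide, not taken from any product or from the cited references): a small constructed external indicator feed in mixed formats is normalized into one canonical form, then matched against constructed internal firewall and DNS resolver log lines. Feed values, log lines, the `query=` field name and the tags are all assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse
# Constructed external feed: mixed, inconsistent formats, as real feeds often are.
EXTERNAL_FEED = """
198.51.100.23 , botnet-c2
hxxp://bad-example[.]test/login.php , phishing
EVIL-EXAMPLE.test , spam-sender
203.0.113.0/24 , attack-source-range
"""
# Constructed internal firewall and DNS resolver log lines (assumed format).
INTERNAL_LOGS = [
    "fw src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow",
    "dns client=10.0.0.9 query=evil-example.test type=A",
    "fw src=10.0.0.7 dst=203.0.113.77 dport=80 action=allow",
    "dns client=10.0.0.9 query=intranet.corp.test type=A",
]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def normalize_feed(text):
    """Map indicator -> tag: IPs/CIDRs become ip_network (bare IP -> /32), URLs shrink to hostname."""
    indicators = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        raw, tag = (part.strip() for part in line.split(",", 1))
        # Undo common defanging so feed values match what logs actually contain.
        raw = raw.replace("[.]", ".").replace("hxxp", "http").lower()
        if "://" in raw:
            raw = urlparse(raw).hostname
        try:
            key = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            key = raw  # not an address: keep as a lower-cased hostname
        indicators[key] = tag
    return indicators

def match_logs(indicators, logs):
    """Return (log line, matched indicator, tag) for every hit in the internal logs."""
    hits = []
    for line in logs:
        for ip in IP_RE.findall(line):  # firewall src/dst addresses
            addr = ipaddress.ip_address(ip)
            for key, tag in indicators.items():
                if not isinstance(key, str) and addr in key:
                    hits.append((line, str(key), tag))
        name = re.search(r"query=([\w.-]+)", line)  # DNS query names
        if name and name.group(1).lower() in indicators:
            hits.append((line, name.group(1).lower(), indicators[name.group(1).lower()]))
    return hits
```

Running `match_logs(normalize_feed(EXTERNAL_FEED), INTERNAL_LOGS)` yields three hits (the C2 address, the spam-sender domain and an address inside the attack-source range) and no hit for the internal intranet query.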
How Can Threat Intelligence Be Actionable?
Intelligence alone will not solve security issues. In fact, threat intelligence will provide only a part of the solution. The second, and most important, part is having security teams effectively acting based on the information they receive from sources.
For this to happen, threat intelligence must be incorporated into the organization’s security posture and help drive incident response and investigation efforts.
- Align threat intelligence with the security strategy: A basic aspect of security efforts is understanding what needs to be protected and implementing the necessary controls. Threat intelligence provides information on what assets are most likely to be targeted by attackers and how they should be protected, so aligning threat intelligence with strategic security plans should be a top priority.
- Make threat intelligence an integral part of incident investigation and response: Another crucial point is using threat intelligence as a part of investigation and response efforts. This can help identify anomalies and attack patterns or trends, and provide information on threat actors, all of which should reduce the time needed to detect security breaches. Acting on this information should be an important part of incident response plans and procedures.
Over time, with threat intelligence fully integrated into both operational and strategic levels of security efforts, it can even be used to predict what the next threats will likely be and take a proactive posture, preventing incidents from happening.
Actionable threat intelligence is a key element of efficient and comprehensive security. By using threat intelligence, organizations can reduce incident response time, quickly taking the informed and decisive actions necessary for dealing with or even preventing attacks.
- Threat Intelligence: What It Is, and How to Use It Effectively, Matt Bromiley, SANS Institute
- Definition: Threat Intelligence, Gartner
- NIST Special Publication 800-150, Guide to Cyber Threat Information Sharing, NIST