Written by Moinuddin Zaki on 15/09/2017
An infosec buzzword of the last couple of years is the term “Cyber Threat Intelligence”. But what does it mean? Is it just a trendy phrase, or could it be something genuinely quite interesting? First and foremost, we need to answer the question – what is threat intelligence?
Knowledge is power
Simply put, threat intelligence is knowledge. It’s having information and knowledge of as many threats as possible, so organisations can more easily identify them and, crucially, make informed decisions about them. These days organisations are under tremendous pressure to manage threats. Traditional security focuses exclusively on preventing known threats through policy enforcement, but in the last 5-6 years the trend has changed. The threat landscape is constantly evolving, and different threat actors, most of them previously unknown, are surfacing regularly. A more modern security posture is required.
Forewarned is forearmed
By the time an organisation understands these threats, the impact they can have, and sorts out controls and policies to deal with such threats... well, it’s usually too late. That’s where the need for Threat Intelligence comes in. It gives organisations a head start – to be prepared for dealing with a variety of threat actors before the organisation is targeted. In other words, the biggest selling point for threat intelligence is that it gives an organisation the potential to defend against attacks before they are launched. So the next question is... how do we get it? Most threat intelligence data is made available through threat intelligence feeds: information streams typically provided as XML, or exposed through APIs that can be used to gather the feed data. The challenge most businesses face when looking for threat intelligence solutions is selecting the right vendor.
Information or intelligence?
Most of the vendors today who claim to be providing threat intelligence are often just providing a dump of raw data. This is more accurately termed threat information rather than intelligence. Full-blooded threat intelligence is much more than raw data: it includes rich contextual information, usually created with human analysis. This context includes an understanding of the past, present and future tactics and techniques of a wide variety of adversaries. It also links the technical indicators (IP addresses and domains associated with threats, or the hashes of malicious files) to the adversaries behind them, their motivations and intents, and information about who is being targeted.
Threat intelligence provides invaluable information to enhance the security posture of an organisation. A nice way of thinking of it is that it helps an organisation answer questions. Here are some examples:
- Who are the attackers?
Helps identify who the threat actors are and whether they are cyber criminals, hacktivists, national agencies etc.
- What are they trying to do?
What principles of infosec are they trying to breach? Are they trying to access confidential data, modify it or just want to put the organisation out of business?
- Where are they coming from?
Find out which country or region they’re from.
- How to identify them?
The IP addresses or the malicious files' hashes are technical tell-tales.
- How to mitigate them?
The controls and the procedures the organisation can employ to prevent these threats from causing any damage.
A match made in heaven
So the next question is: how can threat intelligence be used? After all, if you can’t act on it, it’s probably not worth consuming that data. Organisations must be able to tackle the threat intelligence integration process effectively. Threat intelligence feeds and information streams (typically XML feeds) can be easily integrated into a variety of security components. One proven method to detect and respond to threats is integrating with a Security Information & Event Management system (SIEM). Threat intelligence and SIEM are a match made in heaven. A SIEM gathers logs and events from heterogeneous data sources such as network devices, security appliances, hosts and applications. This is the data that the threat intelligence will act upon. When analysing logs, the SIEM can be configured to match the log information against the indicators of compromise that are part of the threat intelligence. Matches can then trigger automatic responses, such as blocking known bad IP addresses when malicious attack attempts are seen. Threat intelligence provides tonnes of valuable data along these lines. The strength lies in using this data effectively and efficiently. Hence, any SIEM should be tuned and configured to use this data efficiently.
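The following is an added example, not code from the original article or from any SIEM vendor. It shows the two steps just described in miniature: ingesting an indicator feed (here a constructed XML document with a hypothetical schema) and matching SIEM-style log lines against its IP, domain and file-hash indicators. Indicators whose validity date has passed are dropped before matching, and only high-confidence network indicators are marked for automatic blocking; everything else is routed to an analyst. All addresses, domains, hashes and log lines are constructed for illustration.

```python
"""Match log lines against a threat intelligence feed (added example)."""
import re
import xml.etree.ElementTree as ET
from datetime import date

# Constructed feed. The <indicator> schema is an assumption for this example,
# not any vendor's format. Addresses come from documentation ranges and the
# hash is a placeholder value.
FEED_XML = """<indicators>
  <indicator type="ipv4" value="198.51.100.23" actor="Actor-A" confidence="high" valid_until="2099-12-31"/>
  <indicator type="domain" value="bad.example.net" actor="Actor-A" confidence="medium" valid_until="2099-12-31"/>
  <indicator type="sha256" value="{h}" actor="Actor-B" confidence="high" valid_until="2016-01-01"/>
</indicators>""".format(h="deadbeef" * 8)

# Constructed log lines in the style a SIEM might collect from a firewall,
# a DNS resolver and an endpoint agent.
LOG_LINES = [
    "2017-09-15T10:00:01Z fw01 ALLOW src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2017-09-15T10:00:02Z dns01 query client=10.0.0.7 name=bad.example.net type=A",
    "2017-09-15T10:00:03Z edr03 exec host=ws-17 sha256=" + "deadbeef" * 8 + " path=C:\\Users\\x\\tmp.exe",
    "2017-09-15T10:00:04Z fw01 ALLOW src=10.0.0.5 dst=203.0.113.9 dport=80",
]

# Extractors that pull candidate indicators out of free-form log text.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def load_feed(xml_text, today_iso):
    """Parse the feed into {type: {value: context}}, keeping only indicators
    that are still valid on the given ISO date (stale intelligence is ignored
    rather than allowed to generate alerts)."""
    today = date.fromisoformat(today_iso)
    feed = {kind: {} for kind in PATTERNS}
    for ind in ET.fromstring(xml_text).iter("indicator"):
        kind = ind.get("type")
        if kind not in feed or date.fromisoformat(ind.get("valid_until")) < today:
            continue
        feed[kind][ind.get("value").lower()] = {
            "actor": ind.get("actor"),
            "confidence": ind.get("confidence"),
        }
    return feed


def match_logs(lines, feed):
    """Return one alert per log line / indicator hit, each carrying the feed's
    context (actor, confidence) and a suggested response."""
    alerts = []
    for line in lines:
        for kind, pattern in PATTERNS.items():
            for candidate in pattern.findall(line):
                ctx = feed[kind].get(candidate.lower())
                if ctx is None:
                    continue
                # Automatic blocking is reserved for high-confidence network
                # indicators so a noisy feed cannot cause a self-inflicted outage.
                auto_block = kind == "ipv4" and ctx["confidence"] == "high"
                alerts.append({
                    "kind": kind,
                    "indicator": candidate,
                    "actor": ctx["actor"],
                    "confidence": ctx["confidence"],
                    "action": "block" if auto_block else "investigate",
                    "line": line,
                })
    return alerts


def run_example(today_iso="2017-09-15"):
    """Load the constructed feed as of the article's date and scan the logs."""
    return match_logs(LOG_LINES, load_feed(FEED_XML, today_iso))


if __name__ == "__main__":
    for alert in run_example():
        print(alert["action"], alert["kind"], alert["indicator"], "->", alert["actor"])
```

Run as-is, the firewall hit on the high-confidence IP is marked for blocking, the DNS lookup of the listed domain is marked for investigation, and the endpoint hash produces nothing because that indicator expired in 2016. Loading the same feed with an earlier date brings the hash match back, which is the behaviour you want from a matcher that respects the feed's own validity windows.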
Use it or lose it
Since the data made available through the intelligence feeds can be huge, how a company makes use of it is vital. A panellist from the Dark Reading Virtual Event on Threat Intelligence made a point about one of the biggest security problems organisations face today: they often sign up for feeds and services without the resources or mechanisms in place to actually use the information they receive. Sergio Caltagirone, Chief Scientist of the Centre for Cyber Intelligence Analysis and Threat Research, identified four qualities that intelligence has to meet to be actionable.
The 4 Qualities of Good Threat Intelligence
- Relevant: The threat intelligence should be relevant to the business or industry the organisation is in. By way of example, if you are a financial company, it’s no use looking at threat intelligence that is meant for the e-commerce industry.
- Accurate: This quality depends on the vendor generating the threat intelligence feeds. There should be as few false positives as possible.
- Complete: Intelligence should be detailed and complete – able to provide enough information to take corrective measures for effective detection.
- Timely: There’s no point in having threat intelligence after a security breach. It should be made available well before an organisation can be targeted.
The bottom line is that in order to defend successfully against sophisticated attackers and APTs, enterprise information security processes need to be adaptable enough to include new methods which will improve their decision making. Threat intelligence empowers decision-making: it’s not the end goal in itself. As threats grow ever more complex, organisations should take every available opportunity to learn more about the techniques being used against them, with the hope that threat intelligence will lead to a more effective security programme by supporting effective decision making.