These days, hardly a day goes by without some news about cybersecurity threats. Credit card information gets stolen. Social Security databases get hacked. Customer data breaches occur, exposing private personal information. Ransomware shuts down businesses, hospitals, and government agencies alike. Clearly there’s a battle underway. Businesses and organizations need to understand the threats they face, and how best to fend them off, lest they lose out in one way or another. That’s where threat intelligence comes into play.
What is Threat Intelligence?
According to WhatIs.com, threat intelligence is “organized, analyzed and refined information about current or potential attacks.” Such information is often abbreviated CTI, for cyber threat intelligence. In other words, CTI provides important information about potential threats to your business operations, and your data’s integrity, privacy, and confidentiality. But threat intelligence means more than awareness. It also requires understanding what motivates criminals to exploit vulnerabilities and mount attacks against systems and information.
Threats are escalating at an ever-increasing rate, with 62% of businesses reporting phishing and social engineering attacks in 2018 (Cybint Solutions, 2019). A Clark School study (University of Maryland) finds that a hacker attack occurs in the USA every 39 seconds on average (Security Magazine, 2017). In the same vein, Accenture (2019) reports that two-thirds of business leaders (68%) believe their cybersecurity risks are increasing. All this nefarious activity led to data breaches that exposed 4.1 billion records in the first half of 2019 (Risk-Based Security). No wonder, then, that Gartner forecast in August 2018 that worldwide cybersecurity spending would approach $134B in 2022!
For companies and organizations to properly assess potential threats, they must look at both internal and external sources of information. Each is important, and each can provide valuable insights into potential, emerging and actual threats.
Internal information sources show what’s happening inside your organization, and along its boundaries with external networks and access points. Such sources include the many log files that OSes, security software, applications, and devices generate as they do their jobs. They also include alarms and alerts that such infrastructure elements generate, as well as output from security information and event management (SIEM) systems in use in many organizations. And finally, incident response reports from helpdesk, support, or incident response staff can provide particularly relevant information about attempted or successful exploits, analysis, and remediation efforts used to fix or work around them.
External information sources provide valuable information about what’s going on outside your organization’s boundaries. Not everything out there is relevant to what’s inside your boundaries. But information about common and current threats is easily filtered to limit your purview. Thus, you can concentrate on threats relevant to the specific systems, platforms, OSes, devices, patch levels, and so forth, present in your organization. External information sources include security blogs, publications, and newsletters.
They also include publicly available information about current vulnerabilities and exposures (such as Mitre’s CVE) or the Department of Homeland Security’s National Cyber Awareness System Alerts database. Third-party security companies also maintain their own threat intelligence databases and reports based on independent research, and analysis of events and alerts obtained through their customers (which can number into the tens and hundreds of millions). Subscriptions to one or more of such private, fee-based threat intelligence services are an increasingly important part of due security diligence nowadays.
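To make the filtering described above concrete, here is an added example (not from the original article) that reduces an external advisory feed to the entries that actually affect an organization's inventory. The advisory ids, product names and versions are constructed placeholders, not real CVE data.

```python
"""Filter an external vulnerability feed down to the advisories that matter
for this organization's inventory.  Added illustration; the advisory entries
and the asset inventory are constructed sample data, not a real feed."""
from __future__ import annotations


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


# Constructed advisory feed: ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-0001", "product": "webserver", "fixed_in": "2.4.50", "severity": "high"},
    {"id": "ADV-0002", "product": "webserver", "fixed_in": "2.4.30", "severity": "critical"},
    {"id": "ADV-0003", "product": "dbengine", "fixed_in": "13.4", "severity": "medium"},
    {"id": "ADV-0004", "product": "mailrelay", "fixed_in": "1.9", "severity": "high"},
]

# Constructed asset inventory: hostname -> {product: installed version}.
INVENTORY = {
    "web01": {"webserver": "2.4.49"},
    "web02": {"webserver": "2.4.51"},
    "db01": {"dbengine": "13.2"},
}


def relevant_advisories(advisories, inventory):
    """Return (hostname, advisory id, severity) for each asset running an
    affected product at a version below the fixed release.  Advisories for
    products not in the inventory are dropped: that is the filtering the
    article describes, narrowing the feed to what is actually deployed."""
    hits = []
    for host, installed in inventory.items():
        for adv in advisories:
            version = installed.get(adv["product"])
            if version is None:
                continue  # product not deployed here, so this advisory is noise for us
            if parse_version(version) < parse_version(adv["fixed_in"]):
                hits.append((host, adv["id"], adv["severity"]))
    # Triage order: critical before high before medium before low, then by host.
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    hits.sort(key=lambda h: (rank[h[2]], h[0]))
    return hits


if __name__ == "__main__":
    for host, adv_id, sev in relevant_advisories(ADVISORIES, INVENTORY):
        print(f"{sev:8} {host:6} {adv_id}")
```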
Steps to Improving Threat Intelligence
Organizations can – and should – take proactive steps to improve their threat intelligence acquisition and response mechanisms. The following items are essential elements that will help organizations to improve their threat intelligence, and help them avoid exploits and compromise:
- Create an intelligence gathering apparatus: this means creating ways to acquire various types of intelligence that include tactical intelligence (details of tactics, techniques, and procedures used in exploits), strategic intelligence (risk assessments and priorities from enterprise executives and stakeholders), technical intelligence (malicious IP addresses and domains, malware signatures and heuristic analyses, and so forth), and operational intelligence (means to identify active, current attacks, with denial, avoidance, and remediation advice).
- Understand the current threat landscape: Keep up with reports that identify current attacks and that document possible vulnerabilities. Use security best practices to prevent “easy attacks” (don’t use weak or default passwords, raise social engineering awareness, apply all applicable security updates, patches and fixes).
- Knowing how threats originate supports proactive response: Another benefit of keeping up with current exploits and attacks is understanding how and when to respond to them. In many cases, early victims and security researchers will publish patches, fixes, clean-up tools, or remediation techniques that can help limit exposure while an attack is still underway.
- The past remains the best predictor of future attack vectors: The methods that attackers have used in the past are likely to appear again in the future (for example, SQL injection, brute force attacks, and password sniffing on insecure external networks remain as popular as ever). Security professionals who understand past breaches and exploits can use what they know to avoid similar things in the future.
- Threat detection, monitoring, and response: IT should take advantage of advanced security software to watch out for trouble and possible signs of compromise and ongoing attack. The best responses are to keep security software current, require VPNs for local and remote users, and stay on top of log monitoring, SIEM, and threat analysis tools and reports.
- Focus on actionable intelligence and responses: It’s not enough to know what’s going on and where dangers may lie. IT and security pros must also know what to do if and when something wicked their way comes. This means special attention to workarounds and avoidance techniques first and foremost, and knowledge about remediation techniques should they be required.
- Make sure threat information is available to everyone: As with the law, ignorance is no excuse with security threats and vulnerabilities. That said, one of the best defenses against attack is to arm staff, contractors, and partners (anyone allowed to use your systems and networks) against common security errors and malpractice. Thus security awareness training for all hands should be an important part of onboarding new staff members, with regular, periodic refreshers to keep all workers aware that if they don’t take care, something untoward could happen. This goes double for anyone with access to sensitive, proprietary, or valuable data, any or all of which could become a focus for some future attack.
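The technical intelligence from the first item (malicious IP addresses and domains) only becomes operational when it is matched against the internal sources named earlier (log files). Here is an added example, not code from the original article, that runs constructed indicators over constructed proxy/firewall log lines; the key=value log format is an assumption, and the addresses are documentation ranges rather than real indicators.

```python
"""Match internal log records against technical threat intelligence
(malicious networks and domains).  Added example: the indicators and log
lines are constructed samples and the log format is assumed, not taken
from any particular product."""
import ipaddress
import re

# Constructed technical intelligence: documentation ranges, not real IOCs.
BAD_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
BAD_DOMAINS = {"update-check.example", "cdn.example.net"}

# Constructed proxy/firewall log lines in an assumed "ts key=value ..." format.
LOG_LINES = """\
2024-03-01T10:00:01Z src=10.0.0.5 dst=203.0.113.44 host=www.example.org action=allow
2024-03-01T10:00:02Z src=10.0.0.9 dst=192.0.2.10 host=mail.example.org action=allow
2024-03-01T10:00:03Z src=10.0.0.5 dst=192.0.2.77 host=login.update-check.example action=allow
2024-03-01T10:00:04Z src=10.0.0.12 dst=198.51.100.7 host=- action=deny
malformed line that should be skipped
""".splitlines()
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict of fields plus the timestamp, or None if the line is malformed."""
    parts = line.split(" ", 1)
    if len(parts) != 2 or "=" not in parts[1]:
        return None
    fields = dict(FIELD_RE.findall(parts[1]))
    fields["ts"] = parts[0]
    return fields


def domain_matches(host, bad_domains):
    """True if host equals a bad domain or is a subdomain of one (suffix match on a label boundary)."""
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def find_hits(lines, bad_networks, bad_domains):
    """Return (ts, src, indicator, kind) for every record that touches an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable records rather than crashing the whole run
        try:
            dst = ipaddress.ip_address(rec.get("dst", ""))
        except ValueError:
            dst = None  # missing or non-IP destination field
        if dst and any(dst in net for net in bad_networks):
            hits.append((rec["ts"], rec["src"], str(dst), "ip"))
        if domain_matches(rec.get("host", ""), bad_domains):
            hits.append((rec["ts"], rec["src"], rec["host"], "domain"))
    return hits
```

Each hit names the internal source address, which is the lead an incident responder would follow up; a denied connection to an indicator is still worth recording, since it shows a host attempting to reach known-bad infrastructure.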