Trying to recover from a cyber-assault or serious data breach can be a stressful and expensive affair.
A far better approach is to make sure that your business is safe from such catastrophes before they occur – or at the very least, capable of staging a swift recovery in the event that disaster does strike.
This is an area in which threat intelligence can play a key role.
What is Threat Intelligence?
There are several interpretations as to what constitutes threat intelligence, or cyber threat intelligence as it’s also known.
The SANS Institute defines it as: “The set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities and compromise indicators.”
Gartner, Inc. goes further, describing it in these terms: “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
Depending on the service provider or corporation you ask, you’ll see threat intelligence interpreted from other viewpoints. Some see it as a reactive phenomenon, allowing businesses to become aware of cyber-assaults as they occur. Others view it as simply the catalogue of techniques and technologies used by cyber-criminals to mount their attacks.
Information vs. Intelligence
Analysts in the military and national intelligence fields have long been aware of the distinction between information and intelligence.
Information consists of raw data from numerous sources, which is not evaluated as it comes in. Recorded “facts” may be true, false, or nuanced – and quite possibly irrelevant. In any event, this unfiltered stream of knowledge cannot be reliably used as the basis for meaningful action.
By contrast, intelligence is gathered from known and proven sources, and evaluated and interpreted by trained analysts, as it arrives. This data is processed and sorted, and assessed for its degree of relevance to the mission at hand. Most importantly, it can be used to inform and support actions on the ground.
Evolutions of Scale
This distinction between information and intelligence becomes especially relevant in these days of evolving cyber-threat technologies and increasing scales of assault. In its 2015 Data Breach Investigations Report (DBIR), Verizon estimated that the year saw a loss of $400 million, from some 700 million compromised data records – an assault catalogue that emerged from 79,790 separate security incidents.
Clearly, with threats of this scale, it’s essential for businesses to remain informed about developments with the potential to cause real harm – and this needs to be in the form of actionable intelligence that yields workable strategies for enterprise protection, attack prevention, and remedial action in the case of successful attacks.
Feeds and Services
Life has become a lot more complicated since the days of the Bugtraq mailing list and e-zines like Phrack. With the multiplication and evolution of threat vectors, a multitude of websites and newsfeeds have sprung up, each dedicated to some aspect of corporate threat intelligence.
Data needs to be pulled in from open source reservoirs, rumblings from “the digital underground”, and analysis of existing malware tool-kits. Other sources should include in-house network and transaction logs, information gleaned from collaboration platforms and industry-specific groups, and data gathered from technology and security partners.
For the enterprise, the challenge is to make some sense of it all – to filter out the noise, and drill down to what’s relevant, and actionable. This may be done in-house, but it’s a time-consuming and intensive exercise, requiring specialist skills. What’s more, the investment needed to bring together a threat intelligence team locally could be prohibitive.
One alternative is to subscribe to a threat intelligence service run by a third-party security vendor. Each provider will have a specific focus – largely dictated by the range of own-brand security products that it has to offer. To get a comprehensive security picture, it’s a good idea to subscribe to several different services and/or feeds.
Information Sharing and Analysis
There are also a number of information sharing and analysis centres (ISACs): usually online forums where data on cyber-threats relating to a specific industry or market sector may be traded and shared, for incorporation into local threat analysis and enhanced security tools. As with the feeds and services, there are several pricing levels and areas of focus for ISACs, so some degree of market research and mixing may be required.
Integrating with Security Controls
Having amassed a wealth of useful intelligence from various sources, the next step for the enterprise is to work this data into its existing security management protocols. Cyber threat intelligence feeds usually come in XML format, and may be integrated directly into a range of security applications, network monitoring tools, corporate firewalls, and DNS servers.
Security Information & Event Management (SIEM)
A security information & event management system, or SIEM, may be deployed to track events in your network and business environment, and to flag anomalies and suspicious activity. SIEMs are software platforms that integrate threat intelligence feeds with event-based logging, allowing enterprises to respond immediately to unauthorised access attempts and other forms of cyber-assault.
Pre-emptive Actions
Responding quickly to assaults is fine, but the strength of threat intelligence lies in its ability to empower businesses to act before threats present themselves, or actual attacks occur.
Again, collecting and managing threat intelligence data from numerous sources is an intensive process that may be better left in the hands of a reputable third party. A good service provider should perform data cleansing and validation procedures on all incoming streams, and export data to the enterprise that can be plugged directly into its security and monitoring tools, and used for attack prevention or detection.
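The three steps described above – ingesting an XML feed, cleansing and validating its entries, and matching the resulting indicators against event logs the way a SIEM would – can be illustrated end to end. The following Python script is an added example, not code from the original article or from any feed vendor: the feed schema (a flat list of <indicator> elements with type and confidence attributes), the sample indicators and the sample log lines are all constructed here for illustration, and the regex-based field extraction stands in for the structured parsing a real SIEM performs.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample feed in a hypothetical schema (not any vendor's format).
# It deliberately contains whitespace, a duplicate, an invalid IP,
# a malformed domain and a truncated hash so the cleansing step has work to do.
SAMPLE_FEED_XML = """<indicators>
  <indicator type="ipv4" confidence="90"> 203.0.113.45 </indicator>
  <indicator type="ipv4" confidence="80">203.0.113.45</indicator>
  <indicator type="ipv4" confidence="70">999.1.1.1</indicator>
  <indicator type="domain" confidence="85">Malicious.Example.NET</indicator>
  <indicator type="domain" confidence="60">not a domain</indicator>
  <indicator type="md5" confidence="50">abc</indicator>
</indicators>
"""

# Constructed firewall and DNS log lines (documentation-range addresses only).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw DENY src=203.0.113.45 dst=10.0.0.5 dport=443",
    "2024-05-01T10:00:02Z dns query name=malicious.example.net client=10.0.0.7",
    "2024-05-01T10:00:03Z fw ALLOW src=198.51.100.9 dst=10.0.0.5 dport=80",
    "2024-05-01T10:00:04Z dns query name=www.example.org client=10.0.0.7",
]

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"name=([A-Za-z0-9.-]+)")


def validate_indicator(itype, raw):
    """Normalise one indicator value; return None if it is malformed for its type."""
    value = raw.strip().lower()
    if itype == "ipv4":
        try:
            ipaddress.IPv4Address(value)  # rejects octets > 255, wrong shape, etc.
        except ValueError:
            return None
        return value
    if itype == "domain":
        return value if DOMAIN_RE.match(value) else None
    if itype == "md5":
        return value if re.fullmatch(r"[0-9a-f]{32}", value) else None
    return None  # unknown indicator types are not trusted


def load_feed(xml_text, min_confidence=0):
    """Parse the feed, drop malformed or low-confidence entries, and dedupe.

    Returns (indicators, rejected): indicators maps (type, value) to the
    highest confidence seen for that entry; rejected lists what was dropped.
    """
    root = ET.fromstring(xml_text)
    indicators = {}
    rejected = []
    for el in root.iter("indicator"):
        itype = el.get("type", "")
        conf = int(el.get("confidence", "0"))
        value = validate_indicator(itype, el.text or "")
        if value is None or conf < min_confidence:
            rejected.append((itype, (el.text or "").strip()))
            continue
        key = (itype, value)
        indicators[key] = max(conf, indicators.get(key, 0))
    return indicators, rejected


def match_logs(log_lines, indicators):
    """Flag log lines that reference a validated indicator (SIEM-style enrichment).

    Returns a list of (line_index, type, value, confidence) tuples.
    """
    hits = []
    for i, line in enumerate(log_lines):
        candidates = [("ipv4", ip) for ip in IPV4_RE.findall(line)]
        candidates += [("domain", h.lower()) for h in HOST_RE.findall(line)]
        for key in candidates:
            if key in indicators:
                hits.append((i, key[0], key[1], indicators[key]))
    return hits


if __name__ == "__main__":
    feed, dropped = load_feed(SAMPLE_FEED_XML)
    print("accepted:", feed)
    print("rejected:", dropped)
    for idx, itype, value, conf in match_logs(SAMPLE_LOGS, feed):
        print(f"ALERT line {idx}: {itype} {value} (confidence {conf}) -> {SAMPLE_LOGS[idx]}")
```

Two design points are worth noting. Validation happens before deduplication so that a malformed entry can never shadow a good one, and duplicates keep the highest confidence rather than the last one seen, which matters when several feeds are merged as the article recommends. The `min_confidence` threshold is the knob a defender would tune per destination: a DNS sinkhole or firewall block list (automatic, high cost of a false positive) warrants a higher threshold than a SIEM alert rule that a human reviews.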
Choosing a Service
There are numerous online resources to choose from. As a start, you can look at a portal such as The Cyber Threat website. You might also consult the recommendation documents issued by national and regional government bodies, such as the European Union Agency for Network and Information Security.