Decoding threat intelligence

One mistake in understanding the nature of the threats to your enterprise can have dire consequences, says Accuvant's Jason Clark

There is a scene in HBO's adaptation of Game of Thrones where a character counsels the king to dismiss the rising power of one of his rivals because "curiosities on the far side of the world" are no threat. A season later, that rival has three dragons and an army under her control.

Oops.


In my travels and meetings with 400 CISOs a year, I find there is much confusion around threat intelligence. Many who need it do not have the foundational elements and maturity to consume the information and make it actionable. It's critical to know what intelligence is, what kind you need, and how to build the organization to consume it.

Understanding the nature of the threats to your enterprise may not involve swords and dragons, but one mistake can have dire consequences. It is for this reason the words "threat intelligence" have become associated with a growing number of security products and services.

The overuse of this term by vendors has caused its share of confusion in the marketplace. What is certain, however, is that identifying threat intelligence that is relevant to your business and applying it correctly can help you strengthen the security of your IT network.

So, let's start at the beginning and try to define some basics.

For starters, threat intelligence can be divided into three buckets: informational, reactive and predictive.

Informational threat intelligence includes data such as software vulnerabilities and threat indicators such as blacklists of IP addresses associated with criminal activity. It also includes information regarding the 'who' and the 'how' of threat groups – what vulnerabilities they are targeting and who they are.

Reactive threat intelligence includes targeted intel such as what adversaries are after and reports that your passwords or intellectual property has made its way online.

The final bucket of threat intelligence is reserved for information that can be used to forecast malicious activity such as online posts discussing upcoming attacks and what types of intellectual property may be targeted.

The data filling these buckets can come from a variety of sources. For example, industry groups such as the National Health Information Sharing and Analysis Center (NH-ISAC) can be good sources of information about cybersecurity issues affecting the healthcare field. Information about attacks or groups targeting specific types of organizations also can be purchased from commercial vendors or gleaned from publicly accessible data feeds.


Some of the most critical information, however, comes from within your enterprise.

Without knowing what constitutes normal user activity, spotting anomalous behavior becomes impossible. Local sources for threat intelligence can come from data gleaned during the investigation into an incident. In the aftermath of a breach, your organization's data monitoring tools can hold useful information for better understanding how attackers targeting your company operate. Likewise, any malware caught on the network can be analyzed to help prevent future attacks.

Tying internal and external threat intelligence together eliminates the noise when it comes time to analyze information and determine risk levels and your strategy for dealing with them. At its best, threat intelligence allows organizations to get an understanding of their own security posture and build a profile of attackers and their activity.

That last part – threat activity – involves having a clear view of the various stages of an attack, known as the kill chain. An example of a kill chain would be reconnaissance followed by the delivery of an exploit, pivoting around a network and extracting information.

Disrupting any one of these phases can be the difference between a breach and a typical workday. In the event of an attack, the ability to correlate attack data about the kill chain with information from intelligence feeds can help enhance understanding of the business impacts of the breach and provide a framework for improving defenses.
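
To make that correlation concrete, here is an added example (not part of the original article) that matches internal log events against an external indicator feed and reports how far along the kill chain each host has been seen. The feed entries, hostnames, timestamps and the phase labels on each event are constructed for illustration and are assumed to come from your own monitoring tools.

```python
import ipaddress
from collections import defaultdict

# Kill-chain phases in the order the article lists them.
PHASES = ["reconnaissance", "delivery", "pivoting", "extraction"]

# Constructed external feed: network -> analyst context (RFC 5737 test ranges).
EXTERNAL_FEED = {
    "198.51.100.0/24": "scanner infrastructure",
    "203.0.113.7/32": "exploit delivery host",
    "192.0.2.50/32": "data drop server",
}

# Constructed internal events: (timestamp, host, remote IP, phase label).
INTERNAL_EVENTS = [
    ("2014-05-01T09:00", "ws-12", "198.51.100.23", "reconnaissance"),
    ("2014-05-01T09:40", "ws-12", "203.0.113.7", "delivery"),
    ("2014-05-01T10:05", "ws-12", "10.0.4.8", "pivoting"),      # internal peer
    ("2014-05-01T11:30", "db-03", "192.0.2.50", "extraction"),
    ("2014-05-01T11:45", "ws-31", "203.0.113.200", "delivery"),  # not in feed
]

def match_feed(ip, feed):
    """Return the feed context for ip, or None if no feed network contains it."""
    addr = ipaddress.ip_address(ip)
    for net, context in feed.items():
        if addr in ipaddress.ip_network(net):
            return context
    return None

def correlate(events, feed):
    """Keep only feed-confirmed events and report the furthest phase per host."""
    per_host = defaultdict(list)
    for ts, host, remote, phase in events:
        context = match_feed(remote, feed)
        if context is not None:  # events with no external match are dropped
            per_host[host].append((ts, phase, remote, context))
    return {
        host: {"furthest_phase": max((h[1] for h in hits), key=PHASES.index),
               "hits": sorted(hits)}
        for host, hits in per_host.items()
    }

def triage_order(report):
    """Hosts seen furthest along the kill chain come first."""
    return sorted(report, key=lambda h: -PHASES.index(report[h]["furthest_phase"]))

if __name__ == "__main__":
    report = correlate(INTERNAL_EVENTS, EXTERNAL_FEED)
    for host in triage_order(report):
        print(host, report[host]["furthest_phase"], len(report[host]["hits"]))
```

The pivoting event to an internal address never matches an external feed, which is why the internal baseline of normal activity described earlier is still needed alongside it.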

As one can imagine, getting the data and operationalizing it are two different animals. Just recently, for example, cyber attackers were observed targeting a series of Internet Explorer and Adobe Flash Player vulnerabilities in attacks on the aerospace industry. With that type of intelligence, companies can assess how best to handle the situation and, if they are lucky, thwart the threat before it hits their network.

Are there computers in your environment running IE? Are there exploits being delivered via malicious sites that can be filtered? Is there any mitigation that can be put in place while Microsoft works on a permanent solution? What kind of data are the hackers after? Is it critical? Where is that data on my network?


Answering these types of questions moves your business along a security journey that begins in the hell of ad hoc approaches and ends at the nirvana of a business-aligned security program. It is not a simple path, and many CISOs get stuck along the way by developing security approaches based on meeting regulatory compliance demands without the benefit of threat intelligence coming into play. But, it is only with those data feeds that organizations can move on to developing a security approach based on actual risk that can then be put into a business context.

As the saying goes, information is power. The more you know about the threat landscape and what is happening on your network, the better able you will be to reduce risk by proactively limiting the attack surface for hackers. 

 

Jason Clark is chief security and strategy officer at Accuvant.

This story, "Decoding threat intelligence," was originally published by CSO.
