Why is everyone talking about it?
There is a disturbing trend that has developed over the last few years – cyber attackers are innovating much faster than the security defenders. Just about anything and everything is a potential attack vector. Nowadays, attack kits and botnets are available on various underground forums for anyone to rent or purchase and use to perpetrate a variety of attacks, including sending spam or launching DDoS attacks. There are attackers who reuse malware and command-and-control methods and protocols, adapting their “products” over time to keep ahead of the anti-malware industry and security professionals. However, with cyber attacks on the rise, there is always a chance that some organization has seen a similar attack earlier. Besides, not all threats are created equal, nor would they have the same impact on an organization if successful.
In these trying times, when money, time and resources are all scarce and no company can defend against every possible scenario, it is important for companies to be aware of the threats that could realistically affect them.
The rationale behind threat intelligence is to provide the ability to recognize and act upon indicators of attack scenarios in a timely manner. Organizations that invest in threat intelligence and understand which threats are most credible or imminent are a step ahead since threat intelligence allows those companies to dedicate security resources to strengthen the security posture against ‘most likely to occur’ attacks.
Defining threat intelligence:
Threat intelligence, one of the hottest terminologies in the cyber security business, is a combination of technical and contextual information regarding existing or emerging threats from all possible sources.
Threat intelligence’s primary purpose is to help an organization understand the risks and implications associated with potential threats in order to make better decisions regarding the safety of its customers, employees and intellectual property. However, like many cyber-related terms, it has no standard definition. Threat intelligence can mean different things to different people. For some, threat intelligence is the collection of technical indicators of compromise (IOCs). These IOCs are data points that, if observed within an enterprise network, usually (but not always) signify that a compromise has occurred. Typical IOCs include malicious URLs, IP addresses, virus signatures and MD5 hashes used by hostile actors.
An example of understanding a potential threat’s behavior is knowing whether the attackers always attach a zip file to their emails or always start their emails with “Dear Sir or Madam.” Do they always misspell a certain word, or are they always asking for the same precise piece of information? When gathered methodically, such intelligence makes future threats easier to identify and quicker to categorize.
Cyber threat intelligence, when used correctly, can help defenders detect attacks while they are under way and, ideally, before they begin, by providing indicators of the actions taken during every stage of the attack.
Threat intelligence can ideally help solve the following problems:
- How can one be kept updated on the overwhelming amount of information on security threats including vulnerabilities, bad actors, targets, methods etc.?
- How can one be more proactive about future security threats?
- How can one inform business or organization leaders about the potential dangers and repercussions of specific security threats?
The threat landscape, where threats can come from both internal and external sources, is always changing, and business risk keeps increasing because of the heavy dependence on IT systems. The process of working through an advanced threat scenario raises questions like: “Which actors are targeting us?” “What kind of methods are they using?” and “Which systems are they looking to infect?” Understanding the mind and methods of threat actors, and how to prevent or detect their attacks, can help immensely when shaping the policies and actions of any organization.
Though information in the form of raw data is abundantly available, it is time-consuming to extract the meaningful information on which proactive measures can be based. It is important to get users involved in threat intelligence, as it helps prioritize threats within the deluge of data, alerts and attacks and turns them into actionable information.
So how does one go about it?
As long as security threats and cracks in systems occur, every business will look for ways to protect its data, because it is under tremendous pressure to manage threat scenarios. However, most organizations are not yet mature at gathering or using cyber threat intelligence. Attackers constantly change their methods to defeat security systems. Organizations therefore have no choice but to gather threat intelligence from a variety of sources, and IT security professionals must operate with an assumed-breach mentality. Comparing monitored traffic against known bad actors sourced from threat intelligence reports can help identify malicious activity that is planned or already under way.
It is important to have an IT security solution that provides threat intelligence capabilities to manage these attacks by being both proactive and responsive. Ideally the solution should provide true intelligence and insight and help locate the bad guys.
However, integrating threat intelligence and responding to attacks is not enough to combat the ever-changing threat landscape. One needs to analyze the situation and determine which threats are likely to be faced, and then devise precautionary measures based on that analysis.
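The comparison of monitored traffic against known bad indicators described above, as an added example that is not part of the original post: a small matcher that normalizes a constructed IOC feed (the IP, domain and hash indicator types named earlier) and scans constructed key=value proxy log lines against it. The log format, field names and all indicator values are assumptions for illustration only.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed IOC feed (sample values, not real indicators). Reports often ship
# indicators "defanged" (hxxp://, [.]) so they cannot be clicked; refang() undoes that.
RAW_FEED: Dict[str, List[str]] = {
    "ip": ["198.51.100[.]23", "203.0.113.77"],
    "domain": ["update-check[.]example[.]invalid"],
    "md5": ["0123456789ABCDEF0123456789ABCDEF"],
}

# Constructed proxy log lines in an assumed key=value format.
SAMPLE_LOGS = [
    'ts=2024-03-01T10:00:01Z src=10.0.0.5 dst=198.51.100.23 url="http://update-check.example.invalid/a.php" md5=0123456789abcdef0123456789abcdef',
    'ts=2024-03-01T10:00:02Z src=10.0.0.7 dst=93.184.216.34 url="https://www.example.com/" md5=ffffffffffffffffffffffffffffffff',
    'ts=2024-03-01T10:00:03Z src=10.0.0.9 dst=203.0.113.77 url="http://203.0.113.77/" md5=-',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def refang(value: str) -> str:
    """Undo common defanging and lower-case so feed and log values compare equal."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def load_feed(raw: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Normalize every indicator into a set per indicator type for O(1) lookups."""
    return {kind: {refang(v) for v in values} for kind, values in raw.items()}


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def match_line(line: str, feed: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Return one hit per indicator observed in the line (empty list = clean)."""
    f = parse_line(line)
    hits: List[Dict[str, str]] = []
    dst = f.get("dst", "").lower()
    if dst in feed["ip"]:
        hits.append({"type": "ip", "value": dst})
    host = (urlparse(f.get("url", "")).hostname or "").rstrip(".")  # hostname is lower-cased
    if host in feed["domain"]:
        hits.append({"type": "domain", "value": host})
    md5 = f.get("md5", "").lower()
    if md5 in feed["md5"]:
        hits.append({"type": "md5", "value": md5})
    for h in hits:  # keep the context an analyst needs to triage the hit
        h.update(ts=f.get("ts", ""), src=f.get("src", ""))
    return hits


def scan(lines: List[str], feed: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Run match_line over a batch of log lines and collect all hits."""
    return [hit for line in lines for hit in match_line(line, feed)]
```

Running `scan(SAMPLE_LOGS, load_feed(RAW_FEED))` flags the first line three times (destination IP, URL host and file hash) and the third once (destination IP), while the second line produces no hit.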
A concise list of several best practices that can be followed includes:
- An application white list and black list. This helps in preventing execution of malicious or unapproved programs
- Careful checking of logs to see if an attempted attack was an isolated event or if the vulnerability had been exploited before
- Determining what was changed in the attempted attack
- Diligent auditing of logs and identifying why this incident happened – reasons could range from system vulnerability to an out-of-date driver
Increasingly, companies have started realizing the potential benefits and importance of investing in threat intelligence. In addition to investing in the right technologies and solutions, organizations need to recognize the importance of having the in-house expertise to effectively use, gather and analyze the threat intelligence that they receive.
One can conclude that threat intelligence is here to stay and is evolving into a mature and important practice. More tools are integrating cyber threat intelligence feeds and data, and teams are already seeing improvements in detection and response capabilities. Organizations should consider adopting the following practices: monitoring the good and bad IPs, URLs, files and mobile apps related to an unknown object in order to predict whether it poses a security risk, and continually tracking any changes in real time to achieve a stronger security posture. Combining these approaches with experienced staff and the appropriate technologies will increase an organization’s ability to minimize or prevent a serious security lapse.
Mahendra is a former Happiest Mind and this content was created and published during his tenure.