IT Focus Area: Security
December 5, 2017
Optimizing the Impact of Threat Intelligence
Today’s threat landscape is overwhelming. Security teams are struggling just to keep up, let alone get ahead of the rapidly evolving attackers targeting them. Enterprises in all industries have become targets, and most are not adequately prepared to defend themselves against any sort of sophisticated onslaught.
Anticipating attacks and those who perpetrate them enables one of the best forms of defense. To proactively counter cyber adversaries, you need to understand their motivations, intentions, and methods. Threat intelligence is key.
The Value of Threat Intelligence
Threat intelligence allows organizations to arm themselves with the tactical, operational and strategic insights they need to develop a holistic picture of how they are being targeted and by whom, and shift from reactively defending against to proactively preventing attacks.
For the security practitioner, threat intelligence facilitates prioritization of tactical alert triage. Organizations typically receive thousands of alerts a day, leading them to spend an inordinate amount of time investigating what turns out to be noise from false negatives and false positives. Threat intelligence enriches the outputs organizations receive through their technologies, enabling analysts to effectively prioritize alerts so they can deal with the ones that really matter, and deal with them more quickly.
Threat intelligence can also help patch managers prioritize the most serious security patches. Vulnerability vendors continue to put out vulnerability warnings that are overly weighted to high and critical severity, making it very difficult to determine where to start patching, and how fast. Leveraging intelligence not only gives a clearer picture of technical severity, but also helps analysts associate a vulnerability with the threat actors that are using it. With insight into the likelihood a vulnerability will be exploited, rather than patching indiscriminately — patching as much as you can, as fast as possible — organizations can intelligently triage and prioritize the vulnerabilities that are being actively used by specific actors, especially against organizations like theirs.
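To make the triage logic above concrete, here is an added example (not code from the original article or from any vendor) that ranks a constructed vulnerability list twice: once by vendor severity alone, and once by a priority that folds in asset criticality and whether a known actor is using the vulnerability against our sector. The CVE identifiers, CVSS values and actor names are placeholders invented for the illustration.

```python
"""Rank vulnerabilities by exploitation evidence rather than by severity alone.
Added illustration: the CVE ids, scores and exploitation records are
constructed placeholders, not real vulnerabilities or actors."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Vuln:
    cve: str                # placeholder identifier
    cvss: float             # vendor-assigned technical severity
    asset_criticality: int  # 1 = low, 2 = important, 3 = crown-jewel asset


# Constructed exploitation intel: who is using a vulnerability and against which sectors.
EXPLOITATION_INTEL: Dict[str, List[dict]] = {
    "CVE-0000-0002": [{"actor": "ACTOR-ALPHA", "sectors": ["manufacturing"]}],
    "CVE-0000-0003": [{"actor": "ACTOR-BETA", "sectors": ["retail"]}],
}

# Constructed findings from a vulnerability scan of a (hypothetical) manufacturer.
SAMPLE_VULNS = [
    Vuln("CVE-0000-0001", 9.8, 2),  # critical, but no known exploitation
    Vuln("CVE-0000-0002", 7.5, 2),  # only "high", but used against our sector
    Vuln("CVE-0000-0003", 8.1, 1),  # exploited, but against another sector
    Vuln("CVE-0000-0004", 9.0, 1),  # critical, no known exploitation, minor asset
]

OUR_SECTOR = "manufacturing"


def actors_using(cve: str, intel=EXPLOITATION_INTEL) -> List[str]:
    """Actors the feed associates with a vulnerability (empty if none reported)."""
    return sorted({r["actor"] for r in intel.get(cve, [])})


def severity_only(v: Vuln) -> float:
    """The 'patch everything critical first' ordering."""
    return v.cvss


def priority(v: Vuln, intel=EXPLOITATION_INTEL, our_sector=OUR_SECTOR) -> float:
    """Technical severity, weighted by what the asset protects and by exploitation evidence."""
    base = v.cvss * v.asset_criticality
    records = intel.get(v.cve, [])
    if not records:
        return base
    # Any observed exploitation raises priority; exploitation against our own
    # sector raises it more, since that is the most likely threat to us.
    mult = 3.0 if any(our_sector in r["sectors"] for r in records) else 1.5
    return base * mult


def rank(vulns: List[Vuln], key: Callable[[Vuln], float]) -> List[str]:
    """CVE ids ordered highest priority first under the given scoring."""
    return [v.cve for v in sorted(vulns, key=key, reverse=True)]


if __name__ == "__main__":
    print("severity only :", rank(SAMPLE_VULNS, severity_only))
    print("intel-informed:", rank(SAMPLE_VULNS, priority))
    for v in SAMPLE_VULNS:
        print(v.cve, round(priority(v), 1), actors_using(v.cve))
```

The two orderings differ in the way the article describes: the "high" vulnerability that a sector-relevant actor is actively exploiting moves to the top, while an unexploited critical on a minor asset drops to the bottom. The weights (1.5 and 3.0) are arbitrary illustration values; a real program would tune them to its own risk appetite.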
On the operational side, threat intelligence engenders awareness and adds context. It can supply in-depth knowledge of the global adversary space — including specific threat actors and their motivations, intents and tactics, and the malware and other malicious technologies including the infrastructure that they build and employ. This knowledge empowers security operations by allowing analysts to dig deeper in understanding what might be going on in their networks.
For example, three separate alerts may indicate the use of different malware; with the right intelligence, they can be identified as originating from a single, highly motivated adversary who is using three different tactics at once. By connecting the dots between seemingly disparate events, analysts can make faster and better-informed determinations for further exploration and remediation. In this vein, using attribution as a representative construct for the adversary is valuable. Knowing the personal identity of an individual, group or nation that is targeting you generally doesn’t really matter; very few organizations are in a position to go after these adversaries. Even so, attribution can connect an adversary’s methods together, allowing us to better defend against them.
Intelligence also promotes threat hunting. Once analysts are armed with information about the adversaries targeting their organization or others like it, they can proactively look for their activities on their networks. By shifting security teams from reactive to proactive, even if an adversary gets in, detection and response can be accelerated, reducing the mean time to resolution (MTTR).
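The three operational uses described above (enriching alerts so the ones that matter surface first, connecting alerts about different malware back to one adversary, and reusing the same indicators to hunt through historical logs) can be shown end to end in a small script. This is an added example, not code from the original article or from any intelligence provider; the indicator feed, the alerts, the host names, the log lines and the actor and malware names are all constructed placeholders.

```python
"""Enrich security alerts with threat intelligence, prioritise them and
correlate them to an adversary; then reuse the same indicators to hunt
through historical logs.  Added illustration: feed, alerts, hosts, log lines
and actor/malware names are constructed placeholders, not real threat data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed indicator feed: the context an intel provider might attach to an observable.
INTEL_FEED: Dict[str, dict] = {
    "203.0.113.7":         {"actor": "ACTOR-ALPHA", "malware": "Loader-X",  "confidence": 90, "targets": ["manufacturing"]},
    "198.51.100.20":       {"actor": "ACTOR-ALPHA", "malware": "Stealer-Y", "confidence": 80, "targets": ["manufacturing", "energy"]},
    "evil-update.example": {"actor": "ACTOR-ALPHA", "malware": "RAT-Z",     "confidence": 85, "targets": ["manufacturing"]},
    "bad-ads.example":     {"actor": "COMMODITY",   "malware": "Adware",    "confidence": 40, "targets": []},
}
OUR_SECTOR = "manufacturing"


@dataclass
class Alert:
    alert_id: str
    source: str                    # control that raised it: edr, proxy, ids ...
    indicator: str                 # the observable the control matched
    host: str
    actor: Optional[str] = None
    malware: Optional[str] = None
    score: int = 0


# Constructed alerts: three different malware families on three hosts, plus noise.
SAMPLE_ALERTS = [
    Alert("A1", "ids",   "203.0.113.7",         "plc-gw-01"),
    Alert("A2", "proxy", "bad-ads.example",     "hr-laptop-7"),
    Alert("A3", "edr",   "198.51.100.20",       "eng-ws-12"),
    Alert("A4", "proxy", "evil-update.example", "mes-srv-02"),
    Alert("A5", "ids",   "192.0.2.55",          "print-01"),   # not in any feed
]


def enrich(alert: Alert, feed=INTEL_FEED, our_sector=OUR_SECTOR) -> Alert:
    """Attach actor/malware context and a priority score to one alert."""
    ctx = feed.get(alert.indicator)
    if ctx is None:
        alert.score = 10          # unknown indicator: low priority, but not discarded
        return alert
    alert.actor = ctx["actor"]
    alert.malware = ctx["malware"]
    alert.score = ctx["confidence"]
    if our_sector in ctx["targets"]:
        alert.score += 25         # actor is known to target organisations like ours
    return alert


def prioritise(alerts: List[Alert], feed=INTEL_FEED, our_sector=OUR_SECTOR) -> List[Alert]:
    """Enrich every alert and return them highest priority first."""
    return sorted((enrich(a, feed, our_sector) for a in alerts), key=lambda a: a.score, reverse=True)


def group_by_actor(alerts: List[Alert]) -> Dict[str, List[Alert]]:
    """Connect the dots: which enriched alerts trace back to the same adversary?"""
    groups: Dict[str, List[Alert]] = defaultdict(list)
    for a in alerts:
        if a.actor:
            groups[a.actor].append(a)
    return dict(groups)


# Constructed proxy log lines for the hunting step.
SAMPLE_LOGS = [
    "2017-12-01T10:02:11Z host=eng-ws-12 dst=203.0.113.7:443 bytes=5120",
    "2017-12-01T10:05:42Z host=hr-laptop-7 dst=example.com:443 bytes=880",
    "2017-12-02T03:14:07Z host=mes-srv-02 dst=evil-update.example:80 bytes=204800",
]


def hunt(log_lines: List[str], feed=INTEL_FEED) -> List[Tuple[str, str, str]]:
    """Proactively search historical logs for any feed indicator: (indicator, actor, line)."""
    hits = []
    for line in log_lines:
        for indicator, ctx in feed.items():
            if indicator in line:
                hits.append((indicator, ctx["actor"], line))
    return hits


if __name__ == "__main__":
    ranked = prioritise(SAMPLE_ALERTS)
    for a in ranked:
        print(a.score, a.alert_id, a.host, a.actor, a.malware)
    for actor, group in group_by_actor(ranked).items():
        print(actor, "->", sorted({a.malware for a in group}))
    for hit in hunt(SAMPLE_LOGS):
        print("hunt hit:", hit)
```

Run as written, the three alerts carrying different malware all group under the same placeholder actor, which is the article's point about connecting disparate events, and the hunt step finds two earlier connections to that actor's infrastructure that never raised an alert. The substring match in hunt is deliberately simple; a production hunt would parse the log fields and match exact values to avoid false hits on look-alike domains.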
From a strategic perspective, understanding who is targeting your organization enables you to make security investments intelligently. In the past, companies tended to throw technology against the wall and see what stuck. Today, establishing an understanding of threats is critical to making the investments necessary to establish an effective defense. For example, in a commercial business, the board doesn’t really care about technology — they care about threats to the actual business, especially because security is now among their top concerns. Being able to frame security to a group of leaders in terms of risk, educating them about adversaries, what they are likely to do in the future, how others in the industry and region are being similarly targeted, and then connecting all that back to the impact on the organization’s critical assets in the event of a successful attack helps leaders envision the return on investing in security.
Optimizing the Impact
Threat intelligence takes many forms, and its value varies extensively. Organizations often start by wanting to leverage as much intelligence as possible, and will start gathering as much raw data as they can. Unfortunately, focusing on quantity instead of quality ultimately translates into lack of value to the business. It is important to take a more strategic view, and focus your initial efforts on what most applies to your organization. Lack of attention to scale is another concern; new teams often fail to consider the complexities of ingesting intelligence in an automated way, so that they can connect it to their security technologies and analyze the intelligence and outputs as they relate to their environment.
Without a sound process for leveraging threat intelligence, the chances of deriving actionable information and value are slim. There are five key steps to optimizing your approach:
1 EVALUATE YOUR THREAT ENVIRONMENT. Whether you’ve been compromised in the past or not, you’ll need to understand who is targeting you. Threat assessment services can help; providers evaluate the adversary space to develop an accurate picture of the threats and malicious actors that apply to you, your industry, and your geography.
2 THINK LIKE AN ADVERSARY. Sit down with your security team and think about the organization’s centers of gravity, the primary infrastructures and processes that allow that organization to operate. Security executives need to understand what is of most importance to the business. For example, if a manufacturing plant is producing a key product and a great deal of money is lost per minute when it goes down, you’ll want to focus on that asset, the processes around it, and consider how you would go after it if you were an adversary. As you iterate ideas for how adversaries might target that asset, you can begin to explore countermeasures to identify and ideally prevent those types of attacks.
3 WORK WITH INDUSTRY GROUPS. Free and closed-source community intelligence shared by various industry and vertical groups (e.g. FS-ISAC, R-CISC and ICS-ISAC) as well as by some governments can help you understand the current state in terms of adversary activity against your industry and geography.
4 ENSURE FUNDAMENTALS ARE IN PLACE. Before you can truly leverage an understanding of your threat environment, security fundamentals need to be in place. Organizations need the right resources to see and stop adversaries before they can build sophisticated analytics on top of the context they need. Consider the following questions:
- What countermeasures do you have in your environment, and are they broad and deep enough to identify focused attackers? When was the last time your technology was checked or updated?
- Do you have the understanding you need into your business activities and the assets supporting those activities that are most likely to be targeted?
- Do you have modern security controls? Can they ingest and display intelligence delivered in a variety of formats (XML, CSV, and JSON) in the form of indicators, tags, labels, text, and reports?
The NIST Cybersecurity Framework and special publications on security and privacy controls as well as the Critical Security Controls (CSC) for Effective Cyber Defense (often referred to as the SANS Top 20) can assist you in establishing a strong foundation.
5 CONSIDER PROVIDERS. Building a mature, in-house threat intelligence capability isn’t easy. Most companies don’t have the funding to build out their own intelligence team. Additionally, global demand for qualified analysts far outstrips supply; there’s simply not enough talent. In the absence of skilled personnel, trying to create the most relevant threat intelligence is a huge challenge. Rather than starting out by trying to build your own team, it may be best to begin with a provider that has the right presence in your geography and industry, get a firm understanding of what’s valuable to the organization, and explore what you can do internally from there. There are vendors that provide insight via “deep” and “dark” web monitoring, threat indicator investigation and response, threat actor tracking, and analyst augmentation, to name a few. Most have a specific slant — such as on data, indicators, malware, analysis, specific regions — whereas vendors with the most actionable intel leverage a nuanced understanding of the different types of threat actors and how they operate. Consider your use cases when evaluating providers, and align with their specialties.
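Step 4 asks whether your controls can ingest intelligence delivered as XML, CSV and JSON, and the earlier discussion of scale warns that automated ingestion is where new teams stumble. The following added example (not code from the original article or from any provider) shows the normalization layer that sits between those feeds and a security control: three constructed feeds in invented vendor layouts are parsed into one indicator table, malformed records are dropped, and duplicates reported by more than one feed are merged, keeping the highest confidence and recording every source. Actor names and indicator values are placeholders.

```python
"""Normalise threat-intelligence feeds delivered as CSV, JSON and XML into one
indicator table.  Added illustration: the three feeds below are constructed
samples in invented vendor layouts, and the actor names are placeholders."""
import csv
import io
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str          # ipv4, domain, sha256 ...
    actor: str
    confidence: int    # 0..100
    sources: tuple     # feeds that reported it


# --- constructed sample feeds (invented layouts) ------------------------------
CSV_FEED = """value,type,actor,confidence
203.0.113.7,ipv4,ACTOR-ALPHA,90
evil-update.example,domain,ACTOR-ALPHA,85
,ipv4,ACTOR-ALPHA,50
192.0.2.9,ipv4,ACTOR-ALPHA,250
"""

JSON_FEED = json.dumps({"indicators": [
    {"value": "198.51.100.20", "type": "ipv4", "actor": "ACTOR-ALPHA", "confidence": 80},
    {"value": "203.0.113.7", "type": "ipv4", "actor": "ACTOR-ALPHA", "confidence": 70},
]})

PLACEHOLDER_SHA256 = "0" * 64   # obviously constructed hash, not a real sample
XML_FEED = """<feed>
  <indicator type="domain" confidence="60">
    <value>bad-ads.example</value><actor>COMMODITY</actor>
  </indicator>
  <indicator type="sha256" confidence="95">
    <value>""" + PLACEHOLDER_SHA256 + """</value><actor>ACTOR-ALPHA</actor>
  </indicator>
</feed>"""


def _make(value, kind, actor, confidence, source) -> Optional[Indicator]:
    """Validate one record; return None so the caller skips malformed rows."""
    value = (value or "").strip()
    try:
        conf = int(confidence)
    except (TypeError, ValueError):
        return None
    if not value or not kind or not 0 <= conf <= 100:
        return None
    return Indicator(value, kind.strip().lower(), (actor or "UNKNOWN").strip(), conf, (source,))


def parse_csv(text: str) -> List[Indicator]:
    rows = csv.DictReader(io.StringIO(text))
    out = [_make(r.get("value"), r.get("type"), r.get("actor"), r.get("confidence"), "csv") for r in rows]
    return [i for i in out if i]


def parse_json(text: str) -> List[Indicator]:
    doc = json.loads(text)
    out = [_make(r.get("value"), r.get("type"), r.get("actor"), r.get("confidence"), "json")
           for r in doc.get("indicators", [])]
    return [i for i in out if i]


def parse_xml(text: str) -> List[Indicator]:
    # Feeds from parties you do not fully trust should be parsed with defusedxml
    # rather than the standard ElementTree, to avoid XML-based denial of service.
    root = ET.fromstring(text)
    out = [_make(el.findtext("value"), el.get("type"), el.findtext("actor"), el.get("confidence"), "xml")
           for el in root.iter("indicator")]
    return [i for i in out if i]


def merge(feeds: Iterable[List[Indicator]]) -> Dict[str, Indicator]:
    """Collapse duplicates across feeds, keeping the highest confidence and every source."""
    table: Dict[str, Indicator] = {}
    for feed in feeds:
        for ind in feed:
            cur = table.get(ind.value)
            if cur is None:
                table[ind.value] = ind
                continue
            best = ind if ind.confidence > cur.confidence else cur
            table[ind.value] = Indicator(best.value, best.kind, best.actor, best.confidence,
                                         tuple(sorted(set(cur.sources + ind.sources))))
    return table


def load_all() -> Dict[str, Indicator]:
    return merge([parse_csv(CSV_FEED), parse_json(JSON_FEED), parse_xml(XML_FEED)])


if __name__ == "__main__":
    for value, ind in load_all().items():
        print(f"{ind.kind:7} {value:20} {ind.actor:12} conf={ind.confidence:3} from={','.join(ind.sources)}")
```

The resulting table is what a SIEM or EDR rule set would consume, regardless of which format each provider chose. Two deliberate edge cases are handled: the CSV row with an empty value and the row with an out-of-range confidence are rejected rather than silently poisoning the table, and the IP address that two feeds report at different confidence levels appears once with both sources attached.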
Positioning Your Team for Success
In order to build an effective cybersecurity strategy, you have to understand threats to your organization. Threat intelligence provides a way for organizations to get the tactical, operational and strategic insights they need to understand how they are being targeted, and invest wisely in the right set of countermeasures to prevent those attacks. While implementing an intelligence-led security program may seem difficult, the right approach can position your team for success, and turn threat intelligence into a powerful tool for responding to, remediating, and ultimately anticipating and preventing threats to your business.