By Ajay Singh, Author of CyberStrong! A Primer on Cyber Risk Management for Business Managers
Being forewarned is being forearmed
Intelligence is highly valued in military and police operations because it provides advance knowledge of the strategies, tactics, approaches, and even weaknesses of threat actors. The same holds in cybersecurity: prior knowledge of possible threats or dangers enables organizations to better prepare their defenses and ward off cyber-attacks. By making threat intelligence part of their overall cybersecurity program, organizations can adopt an ‘active defense’ strategy that helps them take a proactive stance and strengthen their security posture.
The scope of threat intelligence gathering comprises analyzing information from within and outside the organization to identify potential weaknesses, combining it with information regarding existing and potential cyber threats from external sources, and using insights to boost defenses, thwart attacks and mitigate any kind of harm.
Sources of Threat Intelligence
Raw cyber intelligence can be collated from various sources before it is analyzed and converted into actionable intelligence. These sources include Open-Source Intelligence (OSINT), Signals Intelligence (SIGINT), Geospatial Intelligence (GEOINT), Social Media Intelligence (SOCMINT), and Human Intelligence (HUMINT).
At an operational level, security analysts and teams can gather internal intelligence by deploying a Security Information & Event Management (SIEM) solution, which collates data from user, network, and traffic logs. Using this data together with information from past incidents or threats, they can identify weaknesses and security gaps on an ongoing basis. External sources of intelligence include the FBI InfraGard portal, the Department of Homeland Security’s Automated Indicator Sharing, VirusTotal, SANS Internet Storm Center, Google Safe Browsing, Spamhaus, and many more. All of these regularly publish information about ongoing threats and vulnerabilities, the activities of cybercriminals, and the current cyber threat landscape as a whole. In addition, there are sources such as MITRE ATT&CK, the world’s largest knowledge repository of the Tactics, Techniques, and Procedures (TTPs) used by attackers, which is a valuable source of threat intelligence inputs.
Operationalizing threat intelligence also entails threat hunting, a complex process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions. This is distinct from traditional threat management, which relies on firewalls, intrusion detection systems (IDS), antivirus, and similar systems and investigates evidence-based data only after a warning of a potential threat has been raised. In threat hunting, a security analyst or team scrutinizes and analyzes the gathered information to develop a hypothesis or insights based on the organization’s context and their own threat perceptions. Analysts typically use manual or semi-automated systems to build a hypothetical threat scenario and turn it into actionable intelligence about potential risks. The analyst then investigates these potential risks, tracking suspicious behavior in the network. Hunting is therefore an iterative process: it must be carried out continuously in a loop, each pass beginning with a hypothesis.
Developing intelligence in this way requires an understanding of adversaries’ Tactics, Techniques, and Procedures (TTPs), of indicators of compromise, which represent adversary actions that have already happened, and of indicators of concern, which represent findings from threat hunting or other intelligence-gathering techniques. Security analysts typically develop the following types of threat intelligence:
- Strategic Threat Intelligence is high-level intelligence regarding potential risks that can help business leaders make decisions on long- and medium-term security issues.
- Tactical Threat Intelligence represents actionable intelligence that can help IT managers, security personnel, system administrators, and architects to undertake security-related actions such as patching vulnerable systems, limiting system access, bug fixing, etc.
- Operational Threat Intelligence comprises threat intelligence collected from sources like people, social media, security publications, communities, bulletin boards, chat rooms, and also from current world affairs and events that can serve as warnings of emerging attacks.
- Technical Threat Intelligence concerns the resources an attacker uses to perform an attack. This includes the tools deployed, the malware used, command and control channels, etc.
The Threat Intelligence Cycle
A typical threat intelligence cycle involves the following five basic steps to understand a threat actor’s motives, targets, and attack behaviors.
- Setting the scope, objectives, team, and processes
- Identifying sources of intelligence data and setting up gathering mechanisms and tools
- Contextualizing, correlating, and analyzing data and events
- Producing actionable threat intelligence
- Dissemination and feedback
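As an added illustration of the hunting loop and of the “contextualizing, correlating, and analyzing” and “producing actionable threat intelligence” steps above (example code written for this article, not the author’s own tooling), the following Python runs two hunt hypotheses over constructed SIEM-style log lines: one correlates proxy events against a constructed external indicator feed (an indicator of compromise), the other flags repeated authentication failures (an indicator of concern for the analyst to verify). The indicator values, log lines, and ATT&CK mappings are assumptions constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed, non-real indicator feed (assumption, not the article's data):
# known-bad destination -> ATT&CK technique it is associated with.
INDICATORS = {
    "198.51.100.23": "T1071.001 Application Layer Protocol: Web Protocols",
    "bad.example": "T1566.002 Phishing: Spearphishing Link",
}

# Constructed SIEM-style proxy and auth events for the demonstration.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z proxy user=alice dst=198.51.100.23 bytes=5120
2024-05-01T10:00:07Z proxy user=bob dst=www.example.org bytes=820
2024-05-01T10:00:09Z auth user=alice result=fail src=10.0.0.5
2024-05-01T10:00:10Z auth user=alice result=fail src=10.0.0.5
2024-05-01T10:00:12Z auth user=alice result=fail src=10.0.0.5
2024-05-01T10:00:14Z proxy user=carol dst=bad.example bytes=100
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<kv>.*)$")

def parse(line):
    """Turn one 'ts kind k=v k=v' log line into a dict; None if malformed."""
    m = LINE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "kind": m["kind"]}
    ev.update(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    return ev

def hunt(raw_logs, indicators, fail_threshold=3):
    """Test two hunt hypotheses over the logs and return the findings.
    H1 (indicator of compromise): a user reached a destination on the feed.
    H2 (indicator of concern): repeated auth failures, a lead to verify."""
    events = [e for e in map(parse, raw_logs.splitlines()) if e]
    findings = []
    for e in events:  # H1: correlate internal logs with external indicators
        if e["kind"] == "proxy" and e.get("dst") in indicators:
            findings.append({"type": "ioc", "user": e["user"],
                             "dst": e["dst"], "ttp": indicators[e["dst"]]})
    fails = Counter(e["user"] for e in events  # H2: repeated auth failures
                    if e["kind"] == "auth" and e.get("result") == "fail")
    for user, n in fails.items():
        if n >= fail_threshold:
            findings.append({"type": "concern", "user": user, "fail_count": n,
                             "ttp": "T1110 Brute Force (hypothesis to verify)"})
    return findings
```

Each finding carries the TTP it relates to, so the output can be fed back into the next iteration of the loop as a refined hypothesis or disseminated to the teams responsible for patching or access control.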
The Power of Cyber Threat Intelligence
Given the increasing frequency of cyber-attacks and their many undesirable consequences, organizations will be better off powering their cybersecurity programs with threat intelligence that is predictive and anticipatory rather than relying on security mechanisms rooted in the past. Organizations can set up their own intelligence teams or engage external professional threat intelligence companies to bolster their cybersecurity and gain the following additional benefits:
- Adopt a dynamic and agile approach to cybersecurity as opposed to a static and reactive one
- Improve vulnerability management and reduce the attack surface
- Identify compromised users or systems before they are exploited
- Unearth hidden/unknown threats or attacks
- Thwart potential cyber-attacks that could lead to data breaches, financial losses, loss of reputation, regulatory fines, etc. through early intervention
To take their cybersecurity to the next level, organizations can move from a passive and reactive approach to one that harnesses the power of threat intelligence. This enables them to continuously evaluate their own internal security controls and mechanisms and to combine that evaluation with knowledge of adversary motivations, activities, and actions, keeping them better prepared to face cyber threats and attacks. Sun Tzu, the renowned Chinese general and military strategist, wrote in The Art of War: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” The power of cyber threat intelligence may just give you that extra edge needed to stay secure in an increasingly hostile cyber threat environment.