Threat intelligence leads to better, more informed decisions
Jun 20th, 2019
When used effectively, threat intelligence can give security teams a significant advantage, not only in terms of mitigating attacks, but in helping prevent attacks before they happen.
There’s no doubt that cyber threat intelligence is becoming a crucial link in the cyber security chain. When done properly, it can help security teams defend their organisations against adversaries that are more determined than ever. By scrutinising these adversaries and understanding their motives, strategies and tools, organisations can build stronger, more effective cyber defences.
But threat intelligence isn’t as well understood as it should be and CIOs don’t always grasp its benefits, says Adeshni Rohit, Business Unit Manager for Cisco at Axiz. “Sometimes, cyber security teams view it as a quick fix that will protect them from all threat actors, an unrealistic expectation given that there is no ‘silver bullet’ when it comes to cyber security. However, by equipping teams with the information needed to maximise prevention, detection and response, threat intelligence helps security teams remain one step ahead of their attackers.”
Remember, you can’t defend your organisation if you don’t know what threats you are facing, she says. “In every major data breach we have seen in recent years, the organisations that fell victim had large security budgets, and the best cyber security tools and solutions that money could buy. They had top security teams in place, with skilled and experienced individuals, dedicated to protecting their data from malicious actors. They had all the necessary procedures and protocols in place. But they were still hit, and hit hard, losing the most personal information of tens of millions or more of their customers.”
According to her, it is clear that no business can rely on a traditional cyber security approach alone. “A report last year by Verizon revealed that a whopping 68% of data breaches take months to discover, lingering on the corporate network, moving laterally, performing reconnaissance and exfiltrating company data. Once this has happened, it is too late. Using security tools that tell the business a breach has happened is one thing, but being proactive and harnessing the power of cyber threat intelligence is better.”
The first major benefit is that threat intelligence optimises prevention, and boosts the appropriate defences in the expectation of an attack. The right tools will employ technical indicators to block known bad IPs and URLs, and threat feeds are then automatically fed back into security tools to update blacklists, access control lists, as well as patterns or signatures. This integration of threat intelligence into gateways, intrusion detection systems, next-generation firewalls, as well as endpoints, greatly boosts the company’s ability to root out both emerging and known threats, and defend against them automatically.
One step ahead of this is operational threat intelligence, which behaves more proactively, to help the organisation remain a step ahead of any bad actors. Operational threat intelligence supplies details about emerging threats too, by pinpointing, for example, which attackers or threat groups will probably target a business, as well as why and how these attacks could happen. “Good threat intelligence can also help to identify other early warning signs that could indicate a new threat campaign is being formulated,” says Rohit.
In this way, security teams are forewarned, and can put the appropriate measures in place, including patching and updates, closing any security holes through which an attacker could crawl. Using threat intelligence reports to find out which threat actor groups employ which exploit kits or rootkits can help security teams patch any potential vulnerabilities. Another way they can prevent an attack by using operational threat intelligence is to keep an eye out for the creation of attack infrastructures, which are clear indicators that a new attack campaign is being created, she explains.
Threat intelligence also accelerates detection time, adds Rohit. “Not too long ago, security teams would use threat intelligence to integrate and feed technical indicators into SIEM and endpoint detection and response solutions, to help them correlate and detect incidents faster, by removing the need for a product to be updated or new detection rules to be created. However, today, threat hunting is now being employed to proactively search for traces of incidents as opposed to waiting for security products to recognise anomalous behaviours and raise a red flag. Operational threat intelligence helps threat hunting by providing a deeper insight into who might be going after the enterprise and why, giving security teams a better idea of which artefacts and traces to keep an eye out for. Moreover, understanding what might be motivating the adversary, and what their goal is, will narrow down which systems are most likely in the attacker’s sights.”
In addition, threat intelligence plays a crucial role in incident prioritisation, investigation and response, by greatly reducing the number of alerts and false positives. Without this intelligence, the security team has to investigate way too many of these, and more frustratingly, with not enough context, leaving them with little idea which ones to focus on. Threat intelligence provides context and attribution, helping security teams prioritise responses and speed up investigations, allocating resources to where they are needed the most, separating the ‘wheat from the chaff’ as it were.
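As an added illustration of the detection and prioritisation use cases described above (not code from the article, Axiz or Cisco): a constructed indicator feed is matched against constructed proxy log lines, and each hit is scored using the feed's confidence and attribution so analysts see context rather than a bare alert. The feed format, log format and scoring rule are assumptions.

```python
# Added example (not the article's or any vendor's code): match a constructed
# threat-intelligence feed against constructed proxy log lines and rank hits.
import re
from dataclasses import dataclass

# Constructed feed entries: indicator value, confidence (0-100) and attribution.
FEED = [
    {"value": "203.0.113.42", "confidence": 90, "campaign": "constructed-campaign-A"},
    {"value": "example-bad.test", "confidence": 60, "campaign": "constructed-campaign-B"},
    {"value": "198.51.100.7", "confidence": 20, "campaign": "unknown"},
]

# Constructed proxy log lines: "<timestamp> <src_ip> -> <dst_host> <dst_ip> <action>"
LOGS = [
    "2019-06-20T10:00:01Z 10.0.0.5 -> update.example.test 192.0.2.10 ALLOW",
    "2019-06-20T10:00:02Z 10.0.0.9 -> example-bad.test 203.0.113.42 ALLOW",
    "2019-06-20T10:00:03Z 10.0.0.7 -> cdn.example.test 198.51.100.7 ALLOW",
]

LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+) (\S+)$")

@dataclass
class Alert:
    line: str
    matched: list[str]    # indicator values seen in this line
    score: int            # priority: higher means investigate first
    campaigns: list[str]  # attribution context pulled from the feed

def match_logs(logs: list[str], feed: list[dict]) -> list[Alert]:
    """Return one Alert per log line touching a feed indicator, highest score first.
    Score = best confidence among matched indicators plus 10 per extra indicator,
    so a line hitting both a bad domain and its bad IP outranks a single weak hit."""
    index = {entry["value"]: entry for entry in feed}
    alerts: list[Alert] = []
    for line in logs:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        _ts, _src, dst_host, dst_ip, _action = m.groups()
        hits = [index[v] for v in (dst_host, dst_ip) if v in index]
        if not hits:
            continue
        score = max(h["confidence"] for h in hits) + 10 * (len(hits) - 1)
        alerts.append(Alert(line, [h["value"] for h in hits], score,
                            sorted({h["campaign"] for h in hits})))
    return sorted(alerts, key=lambda a: a.score, reverse=True)

if __name__ == "__main__":
    for alert in match_logs(LOGS, FEED):
        print(alert.score, alert.matched, alert.campaigns)
```

The benign first log line produces no alert, while the line hitting both a listed domain and a listed IP is ranked above the low-confidence single hit.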
She says this is why Axiz partners with the best security vendors in the industry, to build ecosystems that protect its customers’ most valuable data assets. “The right threat intelligence solution helps at a tactical level, by driving better security decisions, allowing the CISO to allocate resources and defences to where they are needed the most. More importantly, it can boost executive decision making, by helping them more accurately assess and measure the risk versus reward equation of possible outcomes, and then choose the option that gives the business a lower risk, for a greater reward.”