Getting Threat Intelligence Right

Uploaded on 2017-06-26 in FREE TO VIEW, NEWS-News Analysis

Threat intelligence feeds provide valuable information to help identify incidents quickly, but only if they are part of an intelligence-driven security programme

When shoppers went about their usual routine at two malls in the heart of Singapore last month, they were greeted with an unexpected message that popped up on the stores’ digital directories.

The message came from the cyber criminals behind the unprecedented WannaCry ransomware attack, demanding $300 worth of bitcoin payments to unlock the files on systems that powered the store directories.

Although the local supplier of the malls’ digital directories fixed the problem promptly, such ransomware attacks, which could embarrass businesses and cause inconvenience for customers, could be averted with good cyber hygiene, and some help from threat intelligence feeds.

In the wake of the WannaCry attack, threat intelligence feeds are essential to alert security analysts to threats that are proliferating but have yet to infiltrate company networks, says Charles Lim, industry principal at Frost and Sullivan’s cyber security practice in the Asia-Pacific (APAC) region.

Threat intelligence feeds may include data such as IP blacklists, malware hashes and signatures, malicious and phishing URLs, vulnerability lists, indicators of compromise (IOCs) such as IP addresses that suggest a breach has occurred, and command and control (C2) domains that are used to orchestrate attacks.

These data points are typically consolidated by security information and event management (SIEM) and intrusion monitoring systems, and could provide insights into the possible identities of attackers, the methods they are using and the systems they are targeting.

This is especially useful in situations such as the WannaCry attack, where security teams do not always have the time and resources to constantly identify emerging threats and implement appropriate safeguards, says Peter Sparkes, senior director of cyber security services at Symantec Asia Pacific and Japan.

According to Symantec, the biggest users of intelligence feeds in APAC are Australia, Singapore and Japan, mostly organisations in the financial services and government sectors.

That should come as no surprise given that finance, insurance and real estate are among the most targeted industries, according to Symantec’s latest Internet Security Threat Report.

While threat intelligence feeds provide valuable information to help identify incidents quickly across an enterprise, they are generally based on known, observed information.

Much of today’s threat intelligence is supplied as IOCs, essentially fingerprints of known attacks or attackers, says Kane Lightowler, managing director of Carbon Black in Asia Pacific and Japan. “IOCs may provide great value against previously observed attacks, but offer limited insights on new attacks and attack methodologies.”

Sparkes agrees, noting that intelligence feeds require a “patient zero”, the first organisation or person to see the attack and record the IOCs before others can benefit from it.

Lightowler says patterns of attack are more effective against both known and unknown threats because they focus on the actual behaviour and techniques of the attacker, rather than fingerprints. Regardless of the type of threat, intelligence can be very valuable if it is actionable in near real time.

“Threat intelligence is time-sensitive, so the value of information depreciates once it is published,” says George Lee, senior director at RSA Asia Pacific and Japan. “The flip side is, you never know whether the bad guys also subscribe to the same threat intelligence as you do, so they may change their tools, techniques and tactics to stay below the radar.”

To improve the efficacy of intelligence feeds and detect new threats, threat intelligence suppliers rely on a variety of sources. For example, FireEye not only gathers threat-related data from sensors on the internet, but also collects threat information from incident response teams at its Mandiant subsidiary that works with companies to investigate security breaches.

“We can see the tactics, techniques and procedures undertaken by the bad guys once they get on target,” says Tim Wellsmore, director of threat intelligence at FireEye. “We also have teams that engage with the bad guys on the darknet, and we will overlay all that intelligence with what we’ve been getting through our sensors and incident response teams.”

Context and integration critical

Organisations are more likely to get the most out of intelligence feeds if they can establish context around the data they are receiving.

“Feeds should not be something that you line up and fire into an organisation,” says Wellsmore. “People who did that in the past became overloaded with data and still did not know what their threat environment really looked like.”

In fact, Wellsmore contends that intelligence feeds are really just data feeds, and that intelligence arises only when an organisation can ascertain threats specific to its operating environment.

While traditional definitions of threat intelligence are limited to classic network and IT security, a broader, more modern perspective looks at an organisation’s total attack surface and all areas of risk to the business, says James Carnall, vice-president of the cyber security centre at LookingGlass.

That means taking into account the organisation’s industry, location, software and network particulars, vulnerabilities, physical threats to employees and executives, as well as reputational and political risks, brands and trademarks, and customer goodwill.
 
At the end of the day, an actionable intelligence feed needs to lead to some action, whether it is a change in security posture, handling of traffic, updates to policies, reduction in risk, countering an attack or other measurable, reportable business value.

“Data with analysis and context becomes actionable information, and once it is actually able to be acted upon, only then does it become intelligence,” says Carnall.

According to Carnall, the integration, interpretation and implementation of a complete intelligence-driven security programme is key to giving threat intelligence value.

But this is not easy to achieve, because many organisations face constraints on budget, tools, knowledge and specialised talent, which are in high demand and short supply.

“The heterogeneity of formats and particulars also make integration a huge pain for many of our clients, although Stix 2.0, CyBox and other standards are attempting to address this,” Carnall adds.

Sim Beng Hai, technical sales manager for Eset Asia Pacific, advises organisations to standardise their threat intelligence on Stix, an XML format for conveying data about cyber security threats in a common language that can be easily understood by humans and security technologies.

Standards aside, Carnall says organisations should consider the goals they want to achieve when integrating threat intelligence into security processes.

For example, if the goal is to defend a network, then high-fidelity indicators, clear risk-scoring schemes and orchestration software could be used to set dynamic blocking or traffic rules on the network, in as close to real time as possible. “This is where IPs, domains and full-path URLs go into your gateways and the like to mitigate tactical threats,” he says.

When done right, threat intelligence can throw attackers off course. “If proper orchestration is also in place, mitigation enabled in the network fabric can then block, sinkhole, or even modify the traffic being sent back to the attacker to stop data loss before it happens or even mislead the attacker through intentional misinformation,” says Carnall.

Computer Weekly:

You Might Also Read:

Cyber Security Insurance Underwriters Demand their Clients Understand the Threat Landscape (£):

Threat Intelligence Is a Two-Way Street:

 

« Cybersecurity Threats Are Changing Recruitment
Czechs Must Get Ready for Offensive Cyberwar »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Ammune.ai

Ammune.ai

Ammune.ai (formerly L7 Defense) helps organizations to protect their infrastructure, applications, customers, employees, and partners against the growing risk of API-borne attacks.

NATO Communications and Information Agency (NCIA)

NATO Communications and Information Agency (NCIA)

The NCIA Cyber Security Service Line is responsible for planning and executing all life cycle management activities for cyber security.

Lynx Technology Partners

Lynx Technology Partners

Lynx Technology Partners is a full service, full life-cycle risk-based security consulting firm.

Automox

Automox

Remediate vulnerabilities 30X faster than the industry norm – and dramatically reduce your risk with simple, fast, and cloud-native endpoint hardening from Automox.

British Security Industry Association - CySPAG

British Security Industry Association - CySPAG

CySPAG is a special interest group within the British Security Industry Association (BSIA) focused on reducing the risk of product related cybercrime.

Breadcrumb Cybersecurity

Breadcrumb Cybersecurity

Breadcrumb Cybersecurity is a cybersecurity and advisory firm. We specialize in penetration testing, threat hunting, incident response, regulatory compliance, and employee training services.

Jamf

Jamf

Jamf is the only Apple Enterprise Management solution of scale that remotely connects, manages and protects Apple users, devices and services.

Sunartek Labs

Sunartek Labs

Sunartek are equipped with expert resources and advanced technology to identify cyber threats and prevent any breach, bypassing the security network of your organization.

Cider Security

Cider Security

Cider Security - It’s time to revolutionize the way Security, Dev and DevOps teams work together to supercharge security at the speed of engineering.

Iris Powered by Generali

Iris Powered by Generali

Iris Powered by Generali is an identity theft resolution provider. Our offering combines expert assistance and support with user-friendly identity protection technology.

Vanta

Vanta

Vanta helps companies scale security practices and automate compliance for the industry’s most sought after standards - SOC 2, ISO 27001, HIPAA, GDPR, and other security and privacy frameworks.

RAND Corporation

RAND Corporation

The RAND Corporation is a non-profit institution that helps improve policy and decision making through research and analysis.

Data Pie Cybersecurity

Data Pie Cybersecurity

The Data Pie Cybersecurity Consulting offers a 360° around protection for your IT security. Security awareness solutions and consulting.

Mitigo Group

Mitigo Group

Mitigo offers a well considered and effective approach to keeping businesses completely secure from any digital attacks.

Liquis Inc.

Liquis Inc.

Liquis, founded in 2002, is one of the largest facility decommissioning services companies in the U.S.

2021.AI

2021.AI

2021.AI serves the growing business need for full oversight and management of applied AI.