Reduce Risk With Threat Intelligence

Uploaded on 2016-03-09 in TECHNOLOGY--Resilience, NEWS-News Analysis, FREE TO VIEW

Do you want to be more proactive in managing risk?

Most professionals would answer that they would like less exposure to threats but often do not have sufficient time, knowledge or personnel to implement all factors that influence their risk profile.

Prior security events and incidents often allow security professionals opportunities to learn valuable lessons that impact their risk profile going forward. But, what is the risk if you don’t pay attention to knowledge learned from these previous events?

Other real world events can teach us important lessons in this regard. For example, if you drive off a 200-foot-cliff in a speeding automobile, and you ignored the sign indicating the cliff, then the outcome will very likely be significant physical harm.

If we paid attention to this sign and had knowledge of its meaning, then it would reduce our risk of injury. If we had the misfortune of this event, then our learned experience would teach us to avoid such pitfalls in the future. This is a fairly obvious example of paying attention to a sign and avoiding risk.

When is it harder to avoid such risk in a security world? It is usually due to a myriad of factors that have direct and indirect influence on the outcome. They introduce uncertainty in the outcome.

Why does risk reduction matter to security professionals?

To help explain why security is not just about the learning from past experiences but also very much about applying that knowledge to reduce risk, let us examine the term ‘Threat Intelligence’.

The term ‘Threat Intelligence’ is in common use in today’s security world. The term is used in many different contexts, often times ambiguously to justify something that has nothing to do with either intelligence or threat. It occurred to us that perhaps before we consider using such a term that it would be suitable to understand the meaning of the words.

Threat – The word has typically been defined as ‘an expression of intention to inflict evil, injury, or damage’ or ‘the possibility that something bad or harmful could happen’. In both of these definitions and uses of the word, it is clear that threat refers to a future event that has not yet occurred. It is also clear that it refers to an intention that is not certain. Being consistent with the definition and its use in language would suggest that threat applied to a security practice refers to ‘events that have not yet occurred’. How can one possibly protect against events that have not yet occurred?

Before we answer that question. Let’s look at Intelligence.
Intelligence – The word has typically been defined as “the ability to learn or understand or to deal with new or trying situations” or “the ability to apply knowledge to manipulate one’s environment or to think abstractly as measured by objective criteria (as tests)”. From this definition, the word Intelligence could be best understood to mean based on information of existing evidence or facts, applying that information to form knowledge to better your environment.

If we combine the words and their definitions, it would seem to suggest ‘threat’ is about future and ‘intelligence’ is about knowledge of the past. Therefore, “Threat Intelligence reduces risk when applied with scientific processes combined with knowledge and experience”.

So how does one use Threat Intelligence to reduce risk in security operations?
Start by asking yourself: “What are you trying to secure?” Given that there are many outcomes possible in the complex world of the Internet, you need to first of all consider the assets that are you are trying to secure from future threats.

Most professionals would suggest that they are not interested in improving security of a computer system or a network that they don’t own nor have direct use of. What if you use a service provider for cloud storage or compute services to your enterprise? Now you have to care about that provider’s services and their security exposure.

“Be clear on what scope you want to manage security risk for.”
Assuming that you have an understanding of the full scope you wish to protect, the next step is to consider what threats are relevant to that scope.

Here’s a simple example: If you are an automobile manufacturer, you are unlikely to care about a threat to the airline industry such as a bomb threat to aircraft. However, if a threat is constructed by a threat actor that attempts to attack all control systems used by manufacturing equipment that is used by both industries – then you at least have to consider the possibility that it has an impact on your future.

Does that mean you have to consider all threats regardless of source or target? No. But you have to at least consider the influence of that threat and its relevancy to your world.

“Relevancy of a threat to your world is a critical aspect of reducing risk exposure.”
Many factors influence relevancy. Is the threat source known? Is the target known? Are the protocols or behaviors being used by the threat in use in your environment? Does the threat discriminate or does it apply techniques that can broadly apply to many different environments?

First of all, threat sources are usually unknown when those sources are primarily human actors. Frequently, threat sources will deliberately obfuscate themselves and/or place blame on other actors. There are multiple reasons why threat sources want to remain anonymous. One reason is to avoid prosecution by law enforcement after an attack has occurred. In many cases, those attempting to detect threats are aided by knowing who is attacking as they can determine motives and targets. Detectors may also be aware of previously used threat source tactics and therefore can predict future behaviors more accurately, thereby increasing their security response. Therefore, there is strong justification by threat sources to avoid identification.

How much you can rely on the threat source being identified correctly and then being able to determine a response based on solely the source information is limited at best. Even if the threat source is accurately determined, if you are responsible for a reasonably large and complex environment, do you know what a specific threat intends to attack in your environment? How certain are you of that? What evidence do you have to support that prediction?

“Identifying a Threat Source has limited value to determining the relevancy or impact of a threat.”
Does the threat have a specific target? Does the threat attempt to cause harm to a specific domain or asset in your environment? A Distributed Denial-of-Service (DDoS) attack against your domain is obviously relevant. A data breach at your cloud payroll service provider is obviously relevant to you, but do you know the extent of the data breach? The relevance and impact of the breach depends on what data was stolen as well as were you the target or someone else that provider supports?

Threats can also be the outcome of non-malicious actions either by human or naturally occurring phenomena. A lightning strike to a vital power unit that provides perimeter security surveillance could result in a threat.

“Understanding the Threat Target can have significant influence on the relevancy of a threat.”
How does the threat manifest itself? Does it use protocols or behaviors that are in use in your environment? This question seems reasonably easy to answer to the layman.

Unfortunately it is not that easy. Most large enterprises struggle to keep abreast of all applications and systems in their environment. Most do not lock down the environment to stop new applications or systems from being introduced. Therefore, there are always new systems and applications that could (and are) legitimately be introduced without a security professional being consulted.

Due to the protocols and complex application interactions that occur on the global Internet, understanding and identifying threat behaviors that are applicable to your environment vs benign normal behavior is an extremely complex analytical task.

“Threat behaviors have significant value for threat relevancy but are extremely difficult to analyze and predict.”
Earlier in the text, we asked the question “How can one possibly protect against events that have not yet occurred? "

While there is no silver bullet, Threat Intelligence helps you reduce risk if used in combination with scientific processes that support your knowledge and experience.

LinkedIn Allan Thomson: http://bit.ly/1L7h9mi

Allan Thomson is Chief Technology Officer at LookingGlass Cyber Solutions Inc.  @LGScout

 

« Apple v FBI: The US Debates Privacy
Canada Cuts 5 Eye Intelligence Sharing »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Digitus Biometrics

Digitus Biometrics

Digitus Biometrics is a market leader in biometric access control. We can secure access to any entry point, from the front door to the server rack cabinet.

LogmeOnce

LogmeOnce

LogmeOnce provides users with solution to multiple Password problems, Single Sign-On (SSO), and Identity Management.

Bangladesh Association of Software & Information Services (BASIS)

Bangladesh Association of Software & Information Services (BASIS)

BASIS is the national trade body for Software & IT Enabled Service industry of Bangladesh.

Calero Software

Calero Software

Calero is a leading global provider of Communications and Cloud Lifecycle Management (CLM) solutions designed to simplify the management of voice, mobile and other unified communications services.

OCM Business Systems

OCM Business Systems

OCM are experts in the safe, secure and responsible disposal of IT & EPoS assets.

IdentityIQ

IdentityIQ

IdentityIQ is a US-based identity theft and credit protection company designed to help users stay on top identity thieves and data breaches.

PizzlySoft

PizzlySoft

PizzlySoft is a global company that is seeking convergence of network and security / software and hardware. We put our value on creating the best security.

Lifetech

Lifetech

Lifetech is a software development, product engineering and system integration company. Cybersecurity services include SIEM deployment and training.

Cybrella

Cybrella

Cybrella offers professional cybersecurity services for small to medium sized businesses and to larger enterprises looking to expand their cybersecurity capabilities.

DeNexus

DeNexus

DeNexus is the leading provider of cyber risk modeling for industrial networks. Our Mission is to build the Global Standard for Industrial Cyber Risk Quantification.

BlastWave

BlastWave

BlastWave’s BlastShield integrates three innovative products into a single solution to help prevent inadvertent and intentional attacks.

Metabase Q

Metabase Q

Metabase Q protects you from financial and reputational losses with more efficient and intelligent cybersecurity, using the best worldwide in technologies, processes and specialists.

MLSecOps Community

MLSecOps Community

The MLSecOps Community is a collaborative space for machine learning security experts and industry leaders to connect and shape the future of AI/ML security.

Cybercentry

Cybercentry

Cybercentry is a specialist information security, data protection and cyber security consultancy.

White Knight Labs

White Knight Labs

White Knight Labs is a cyber security consultancy that specializes in cybersecurity training.

Techtron Business IT Services

Techtron Business IT Services

TECHTRON has been providing business IT services since 2004. Our focus is on SMBs and we are good at it. Our customers trust us, they love our high levels of service, and they love what we stand for.