It used to be the case that network defenders were always playing catch-up and could never get ahead of the attackers. But that is no longer the case, as threat intelligence is increasingly giving us a chance to get one step ahead.
Organisations are being hit day in, day out with attacks crafted to be unique. The threat is no longer automated code deployed by a teenage hacker or criminal gang building a botnet. Today’s adversaries are teams of professional hackers being paid, often by nation states, to carry out attacks on an industrial scale with specific targeting. These attackers are persistent and adapt to the bespoke topologies of a targeted network.
Threat intelligence is the latest buzzword and has been heralded as a panacea to safeguard computer networks; except it isn’t. But while it will not predict or stop every attack, that’s not to say it can’t be incredibly useful.
Breaking it down
To understand what threat intelligence is we have to take a step back and understand what we mean by ‘threat’ and ‘intelligence’. In this context, a threat is simply a threat actor carrying out cyber attacks. Intelligence is not a science which predicts outcomes, but rather a barometer for what is probable, based on analysis of a situation. Imagine a dot-to-dot picture. Intelligence doesn’t draw all of the lines to make a clear picture, but it can give you enough of an idea to take some tactical or strategic steps and helps you to fill in the missing lines.
Threat intelligence educates consumers on what is possible; what is affecting others; how threat actors behave; what data is most at risk and where to concentrate limited resources. Threat intelligence is not the solution but it is one important strand of a cyber security strategy.
There are three key pieces of work to conduct before an organisation can use threat intelligence to its maximum potential. Firstly, the organisation must understand what data it has of value and the consequences of losing it. This allows an organisation to be clear about what it should be protecting, because it is impossible to protect everything.
Next, the organisation must try to understand whom it is protecting that data from. Not every company will be targeted by state-sponsored hackers, criminals or hacktivist groups such as Anonymous, but understanding who the threat actors are will show whether you identified the right data in the first exercise. Lastly, an audit of the organisation’s ability to detect and respond to incidents, and an assessment of technical risk, will indicate the likelihood of attacks being successful. This work affects all of the business and not just the IT department.
Armed with this knowledge, the organisation can procure the right threat intelligence feed that focuses on the relevant threat actors and provides signatures to help detect attacks before they impact. The board can be briefed about the general overall threat and how activities in the business could heighten the likelihood of attack. Technical teams can be briefed on attacker tools, techniques and procedures so that protective monitoring and software patching can be performed more strategically to identify or mitigate malware. And finally, staff can be made aware of attacks to reduce the risk of compromises.
Return on investment
Investing in threat intelligence can have a very positive effect. The Ponemon Institute’s 2013 Cost of Cyber Crime study found the average cost to businesses of cyber crime is now more than $7 million per year, coupled with a rising number of successful attacks. The study also shows that companies which implemented security intelligence systems reduced costs by an average of $2 million.
Threat intelligence requires a mature view to cyber security, coordinated across the business and with senior level oversight. The organisation must recognise that there is a risk from data being targeted through cyber attacks and that there is no 100% effective method of protection.
Security breaches will happen and data will be lost – but hopefully not too often. The difference is how the organisation rises to this challenge; how it develops visibility of the traffic on its network and the software on its hosts; how it identifies and responds to incidents and whether it is able to get one step ahead of the attackers, even for just a moment!
Sourced from Mark Graham, head of threat intelligence, Context Information Security