Cyber risk is growing while confidence in internal defense resilience declining. According to Microsoft’s 2019 Global Cyber Risk Perception Survey, cyber security is a top 5 business concern for 79% of companies globally (and the top risk for 22% surveyed).
Threat intelligence (TI) is a critical component of your cybersecurity program, the defenses that mitigate cyber risk and help avoid potentially damaging incidents. For smaller businesses, this may be managed by an MSSP, but for larger enterprises, custom TI and management is a must.
What is threat intelligence?
Threat intelligence is, at its core, a collection of tagged and augmented data that can identify potential threats such as malware, ransomware, phishing attempts, botnets, cryptominers, etc. These are databased, monitored and contextually-enriched with relevant data such as IPs, URLs, system vulnerabilities targeted, implications of attack, and patterns of behaviour.
Armed with this information, your organization is able to detect incoming potential threats, set alerts and blocking, as well as engage in threat hunting activities. With a clever solution, TI is integrated with automated processes and machine learning, so analysts spend less time doing manual configuration and more time developing advanced analysis of incoming data and determining new undocumented threats. Data from external sources must seamlessly integrate into your security platforms and tools. If you can’t use it in an automated fashion, it will not likely be very helpful to your efforts.
In The Evolution of Cyber Threat Intelligence (CTI): 2019 SANS CTI Survey, 81% of respondents indicated that CTI had improved their security and response.
Why do organizations need threat intelligence?
Every day there are new threats released into the wild. Some may be obvious and/or simple to defeat; perhaps the ‘spray and pray’ type designed to impact personal data and systems which are easily detected by current organizational firewalls and network security mechanisms. Others can pose serious threats to organizational systems and data, and may even be directly targeting a particular industry, or worse still, your business itself.
Your organization needs real-time, accurate TI to give it the best chance at deflecting attacks.
Threat intelligence can help:
â— Identify new threats targeting your business or industry
â— Engage in threat hunting activities
â— Decrease incident response time
â— Prevent access to malicious resources on the Internet
â— Avoid penalties and reputational losses from data exfiltration and breaches
â— Identify system vulnerabilities
â— Identify compromised systems
â— Reduce unplanned down times
What do organizations do with threat intelligence?
TI is highly useful for cyber incident response. As per SANS Incident Handler’s Handbook, this process involves planning, identification, containment, eradication, recovery, and lessons learned.
It is also used at the identification and containment stages; incoming threats are identified, prioritized according to determined level of threat, then contained as necessary. Threats that do slip through the system can be shared with the wider community during lessons learned to keep everyone’s business healthy.
A well-functioning TIP / SIEM / SOAR and security team are both essential to ensuring threat intelligence is useful, timely, and prevents incidents. Alone, it is just one part of the process – and is only as useful as the infrastructure supporting it. It should easily integrate into your current SIEM and/or other platforms to save your security professionals’ time building out scripts to ingest data feeds.
Threat intelligence types and streams
From the SANS survey, there are four main types of threat intelligence:
â— Indicators of Compromise a.k.a. IOCs (e.g. URLs, command & control centers, IP addresses, newly registered domains, etc)
â— Threat behaviors, tactics, and procedures
â— Digital footprint
â— Strategic analysis of adversary
There are also a number of streams through which we can gather TI:
â— Feeds from threat intelligence vendors
â— Internally gathered information
â— Community group feeds (ISACs, for example)
â— Free feeds from security vendors
â— Media reports
â— Open source (or non-commercial) feeds
While everyone loves a freebie, open source and free feeds aren’t usually the best route to go down. The information they provide may be outdated, duplicated and/or need filtering and reformatting. Threat intelligence vendors such as Malware Patrol continuously process threat intelligence data drawn from internal and external sources to ensure it’s up-to-date, vetted, well-formatted, contextualized and enriched, before releasing it to customers.
Malware Patrol has been collecting threat data for over 15 years. Contact us to request a free evaluation of our services and to learn how our feeds and packages can be tailored to your business requirements.
Andre Correa
CEO, Malware Patrol