You may wish you had a crystal ball to see what cyber threats are headed your way, but there is something far more reliable. Threat intelligence gives you evidence of current threats that have already been seen hitting organizations like yours, so you have time to prepare your defenses and block oncoming attacks. You will never block every cyberattack, but when you know which threats are already targeting your industry or location, and you have clear directions on how to block them, you have a far better chance of keeping attackers out of your network. If attackers still get inside or knock the network offline, you will be far quicker at getting back online, eradicating the threat and closing any "backdoors," so that damage is minimal and the attackers cannot return.
In the past year, threat intelligence has gained momentum in media and security communities, but many are using the term synonymously with “threat information.” Threat intelligence is not the same as threat information. Although many people believe the discrepancy is just a case of “you say to-may-toes and I say to-mah-toes,” calling “threat information” “threat intelligence” is like calling “apple cider” “apple vinegar.” They are two distinct ingredients that beget two different outcomes.
By itself, threat information can come from industry organizations, government organizations or security companies. When a company receives this large dump of information, it must then analyze it to determine whether the threats are relevant to its own network. Few organizations have someone in house with enough experience to categorize and analyze the threats and enough knowledge to decide what action will block them. By the time your analyst team has sorted through the information, it is likely outdated, because new threat information floods your inbox daily. It takes an analyst a lot of time to work out who the opposition likely is, what type of weapons it is using, how it normally strikes (spearphishing, watering hole attacks or SQL injection, for example) and what type of information it is after. As if your IT team did not already have enough alarms to pay attention to, now it has about a thousand more and must decide which of that information is actually relevant.
What Do You Know?
When threats may be headed your way, you have to act fast. In just hours, threat actors can go from speaking ill of your organization to planning a full-force attack on your network to attacking it. Organizations need to know how well equipped they are to defend their networks from attacks, who their attackers are and how they fight in order to win their battles. Just as military leaders want to know the intentions of their opponents so they can make wise strategic decisions, cyber warriors need to know the intent of their enemies. “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” — Sun Tzu “The Art of War”
Gartner describes threat intelligence as "evidence-based knowledge — including context, mechanisms, indicators, implications and actionable advice - about an existing or emerging menace or hazard to IT or information assets. It can be used to inform decisions regarding the subject's response to that menace or hazard." Evidence-based knowledge means the information comes from documented research: this behavior has been observed before, and the outcome was not good. "Context" means the information must be looked at as a whole picture. For example, one knock on a door may mean nothing, but a knock coming from a specific IP address with a specific message may indicate that the person knocking at your network is an attacker. "Mechanisms" refers to the method of infection; for example, an attacker may use a SQL injection to exploit a vulnerability or a phishing attack to infect an employee's computer. "Indicators" are the observable signs (an IP address, a domain, a file hash, an email subject line) that something bad may be going on in your network. "Implications" refers to the conclusion that can be drawn from the gathered information, and "actionable advice" is the concrete step you can take in response, such as a rule to add or a port to close.
How to Choose a Threat Intelligence Supplier
Threat intelligence can help your company block and quickly overcome the threats that rip through other companies. There are many types of companies that supply threat intelligence, so there are a few things you should look for:
- A global view of the threat landscape – When security teams are monitoring thousands of companies around the world, they see patterns. They recognize what types of organizations are being attacked, how the attackers are breaking into networks and what type of malware they are using. Once security experts understand the attacks, they can share ways to block the attacks.
- Knowledge of the latest threats seen from conducting incident response engagements – Companies without a monitoring service that also blocks threats are more likely to be affected by attacks and to have a security incident. When incident responders arrive on the scene, they not only see threats that security researchers have not yet discovered, they often see the same threats time and again in different networks. By studying these threats and sharing them, security researchers, responders and analysts gain knowledge of the attackers' tactics, techniques and procedures, and that knowledge makes great threat intelligence. For example, when responders see where in a network a certain type of malware is hiding, what other malware is present and where those pieces are hiding, and where the "backdoors" are that attackers create so they can re-enter a network if their malware gets quarantined, they begin to see patterns in how attacks unfold. Responders can also see where the malware is communicating back to, which often reveals the location of the attackers' command and control servers. When responders share this with the teams that monitor networks and create signatures to block malware, and with the teams that produce threat intelligence, the combined picture is a near 360-degree view of cyberspace. Once they know how these attacks work, they know what organizations need to do to block them. That is the key to threat intelligence: knowing what threats are likely to hit your organization and what you should do to block them.
- Information on how to block oncoming threats – Threat intelligence should give guidance on ways to block the threats, such as changing your firewall rules or email rules, or closing a specific port. An indicator with no accompanying action is just more information to sort through.
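To make the information-versus-intelligence distinction concrete, the script below is an added example (it is not code from the article or from Dell SecureWorks). It takes a constructed indicator feed of the kind a supplier might send, matches it against constructed firewall, proxy and endpoint log lines, scores each indicator for relevance to the reader's own sector and environment, and renders the supplier's "actionable advice" as block rules. The feed fields, the key=value log format, the scoring weights and the `proxy-deny` and `edr-blocklist` commands are assumptions chosen for illustration; the `iptables` line is real syntax.

```python
"""Turn a raw indicator feed (threat information) into prioritized, actionable
output (threat intelligence) by correlating it with local logs.

Added example, not code from the original article. Feed entries, log lines,
scoring weights and the proxy/EDR command names are all constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed placeholder hash for a dropper; a real feed would carry a real digest.
DROPPER_HASH = "a" * 64

# Constructed threat-information feed: flat indicators plus whatever context the
# supplier attached. Until it is matched to *our* environment it is only information.
FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "context": "command-and-control server",
     "sectors": ["retail", "healthcare"], "advice": "block egress to this host"},
    {"type": "domain", "value": "update-check.example", "context": "malware downloader",
     "sectors": ["retail"], "advice": "block at proxy and DNS"},
    {"type": "sha256", "value": DROPPER_HASH, "context": "ransomware dropper",
     "sectors": ["retail", "finance"], "advice": "quarantine via endpoint AV"},
    {"type": "ipv4", "value": "198.51.100.7", "context": "SSH brute-force source",
     "sectors": ["energy"], "advice": "drop at perimeter"},
]

# Constructed local log lines: timestamp, source system, then key=value fields.
LOGS = [
    "2014-06-03T10:15:02Z fw action=ALLOW src=10.0.0.15 dst=203.0.113.45 dport=443",
    "2014-06-03T10:15:05Z proxy src=10.0.0.15 host=update-check.example status=200",
    "2014-06-03T10:15:09Z fw action=ALLOW src=10.0.0.22 dst=203.0.113.45 dport=443",
    "2014-06-03T10:16:40Z fw action=DENY src=192.0.2.9 dst=10.0.0.5 dport=22",
    "2014-06-03T10:17:11Z proxy src=10.0.0.31 host=www.example.org status=200",
    f"2014-06-03T10:18:00Z endpoint src=10.0.0.15 sha256={DROPPER_HASH} verdict=detected",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line: str) -> dict:
    """Extract key=value pairs from one log line; the first token is the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


@dataclass
class Finding:
    indicator: str
    kind: str
    context: str
    advice: str
    hits: set = field(default_factory=set)  # internal hosts that touched the indicator
    score: int = 0


def correlate(feed, log_lines, my_sector):
    """Score every feed indicator by relevance to our environment.

    Constructed weights: +3 if the indicator was observed in our logs, +1 for each
    additional internal host involved, +2 if the supplier tags our sector.
    Returned findings are sorted from most to least relevant.
    """
    events = [parse_log_line(line) for line in log_lines]
    findings = []
    for ioc in feed:
        f = Finding(ioc["value"], ioc["type"], ioc["context"], ioc["advice"])
        for ev in events:
            observed = ioc["value"] in (ev.get("dst"), ev.get("host"), ev.get("sha256"))
            if observed and "src" in ev:
                f.hits.add(ev["src"])
        if f.hits:
            f.score += 3 + (len(f.hits) - 1)
        if my_sector in ioc["sectors"]:
            f.score += 2
        findings.append(f)
    return sorted(findings, key=lambda x: (-x.score, x.indicator))


def block_rules(findings, min_score=3):
    """Render the supplier's advice as concrete control changes for relevant findings.

    The iptables line is real syntax; proxy-deny and edr-blocklist stand in for
    whatever the local proxy and endpoint tooling actually accept.
    """
    rules = []
    for f in findings:
        if f.score < min_score:
            continue
        if f.kind == "ipv4":
            rules.append(f"iptables -A OUTPUT -d {f.indicator} -j DROP  # {f.context}")
        elif f.kind == "domain":
            rules.append(f"proxy-deny {f.indicator}  # {f.context}")
        elif f.kind == "sha256":
            rules.append(f"edr-blocklist add sha256:{f.indicator}  # {f.context}")
    return rules


if __name__ == "__main__":
    for f in correlate(FEED, LOGS, my_sector="retail"):
        print(f"score={f.score} {f.indicator} ({f.context}) seen on {sorted(f.hits) or 'none'}")
    print("\n".join(block_rules(correlate(FEED, LOGS, my_sector="retail"))))
```

Run as-is, the C2 address that two internal hosts reached scores highest and the energy-sector brute-force source, which never appears in the logs, scores zero and produces no rule. Only indicators that are both observed and matched to context reach the block list, which is the difference between a feed and intelligence.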
Threat Intelligence at Play
So how has threat intelligence actually protected organizations? Consider one attack that received a lot of press in the past year. The ransomware Cryptolocker was first observed by a security company in 2013, long before it had extorted nearly $3 million from victims. The malware was sent to computer users in emails that appeared to come from legitimate companies. When unsuspecting users opened the email attachment, it downloaded Cryptolocker, and a pop-up window then said something similar to this: "All your personal files are encrypted! So are your photos, videos and files on drives your computer connects to. To decrypt the files, you need to obtain a private key by paying $300, payable with MoneyPak, which can be obtained at a variety of retail stores." Thousands of organizations either lost their files or paid the ransom. Organizations that had threat intelligence, however, had been told in advance what action to take to block it.
With threat intelligence you become proactive rather than reactive, and you can make your move before the enemy strikes. No matter what you call threat intelligence or how you pronounce it, it needs to provide you with information on how to block the threats. Otherwise, better call the whole thing off.
Jeff Multz is Director of Midmarket North America at Dell SecureWorks. Dell SecureWorks, a global information services security company, helps organizations of all sizes reduce risk, improve regulatory compliance and lower their IT security costs.