Call On Threat Intelligence To Secure Your Organization

You may wish you had a crystal ball to see what cyber threats are headed your way, but there’s something far more reliable. Threat intelligence provides you with true evidence of current-day threats that have already been spotted hitting organizations like yours.

Jan 7th, 2015
Mnet 184838 Digital Life Tech Tip Minn 12

You may wish you had a crystal ball to see what cyber threats are headed your way, but there’s something far more reliable. Threat intelligence provides you with true evidence of current-day threats that have already been spotted hitting organizations like yours, giving you time to prepare your defenses and block oncoming attacks. Although you’ll never be able to block all cyberattacks, when you know of those that are already targeting your industry or location, and when you have clear directions on how to block those threats, you have a far better chance of preventing attackers from entering your network.  In the event that attackers still get inside your network or knock it offline, you’ll be far quicker in getting back online, eradicating the threat and closing any “backdoors” so that damage is minimal and the attackers can’t return.

In the past year, threat intelligence has gained momentum in media and security communities, but many are using the term synonymously with “threat information.” Threat intelligence is not the same as threat information. Although many people believe the discrepancy is just a case of “you say to-may-toes and I say to-mah-toes,” calling “threat information” “threat intelligence” is like calling “apple cider” “apple vinegar.” They are two distinct ingredients that beget two different outcomes. 

By itself, threat information can come from industry organizations, government organizations or security companies.  When a company receives this huge dump of information, it must then analyze it to determine whether the threats are relevant to its network. Few organizations have someone in house who is experienced enough to categorize and analyze the threats and the knowledge to know what action to take to block the threats.  By the time your analyst team has sorted through the information, it’s likely outdated as new threat information floods your inbox daily. It takes an analyst a lot of time to decipher who the opposition likely is, what type of weapons it using, how it normally strikes – such as via spearphishing, watering hole attacks or SQL injections – and what type of information it is after.  As if your IT team doesn’t have enough alarms going off that it needs to pay attention to, now it has about a thousand more and it must distinguish which of that information may be relevant.

What Do You Know?

When threats may be headed your way, you have to act fast. In just hours, threat actors can go from speaking ill of your organization to planning a full-force attack on your network to attacking it. Organizations need to know how well equipped they are to defend their networks from attacks, who their attackers are and how they fight in order to win their battles. Just as military leaders want to know the intentions of their opponents so they can make wise strategic decisions, cyber warriors need to know the intent of their enemies. “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” — Sun Tzu “The Art of War”

Gartner describes threat intelligence as “evidence-based knowledge — including context, mechanisms, indicators, implications and actionable advice - about an existing or emerging menace or hazard to IT or information assets. It can be used to inform decisions regarding the subject's response to that menace or hazard.” Evidence-based knowledge means that the information comes from proven research where this type of behavior has been seen before, and the outcome was not good. “Context” means that the information must be looked at as a whole picture. For example, one knock on a door may mean nothing, but one knock coming from a specific IP address with a specific message may indicate this person knocking at your network could be an attacker. “Mechanisms” refers to the method of infection. For example, an attacker may use a SQL injection to exploit a vulnerability or may use a phishing attack to infect an employee’s computer. Indicators refer to signs that something bad may be going on in your network. “Implications” refers to the conclusion that can be drawn from the gathered information.

How to Choose a Threat Intelligence Supplier

Threat intelligence can help your company block and quickly overcome the threats that rip through other companies. There are many types of companies that supply threat intelligence, so there are a few things you should look for:

      • A global view of the threat landscape – When security teams are monitoring thousands of companies around the world, they see patterns. They recognize what types of organizations are being attacked, how the attackers are breaking into networks and what type of malware they are using. Once security experts understand the attacks, they can share ways to block the attacks.
      • Knowledge of the latest threats seen from conducting incident response engagements – Companies that don’t have a monitoring service that also blocks threats are more likely to be affected by attacks and have a security incident. When Incident Responders arrive on the scene, they not only see threats that have not yet been discovered by security researchers, they often see the same threats time again in different networks. Studying these threats and sharing them with security researchers, responders and analysts gain knowledge of the tactics, techniques and procedures of the attackers. All that information makes great threat intelligence. For example, when responders see where in a network a certain type of malware is hiding, as well as what other malware is in the network and where those pieces are also hiding, and when they see where the “backdoors” are that attackers create so that they can later re-enter a network in case their malware gets quarantined, the responders see patterns in the ways the attacks come. The responders can also see where the malware is communicating back to, often giving them information on the location of the attackers’ command and control servers. When responders share information with the teams that are monitoring networks and creating signatures to block malware, as well as with teams that provide threat intelligence, they have a near 360-degree view of cyberspace. Once they know how these attacks work, they know what organizations need to do to block the attacks. That is the key to threat intelligence: knowing what threats are likely to hit your organization and what you should do to block them.
      • Information on how to block oncoming threats – Threat intelligence should give guidance on ways to block the threats, such as changing your firewall rules or email rules, or blocking off a specific port.

Threat Intelligence at Play

So how has threat intelligence actually protected organizations? Let’s look at one attack that has received a lot of press in the past year. The ransom malware Cryptolocker was first observed by a security company in 2013, long before it had extorted nearly $3 million from victims. The malware was being sent to computer users via emails that seemed to be coming from legitimate companies. When unsuspecting users would click on the email attachment, it would automatically download Cryptolocker and then a pop-up window said something similar to this: “All your personal files are encrypted! So are your photos, videos and files on drivers your computer connects to. To decrypt the files, you need to obtain a private key by paying $300, payable with MoneyPak, which can be obtained at a variety of retail stores.”  Thousands of organizations either lost their files or paid ransom money. Those organizations that had threat intelligence, however, had been informed in advance what action to take to block it.

With threat intelligence you become proactive rather than reactive, and you can make your move before the enemy strikes. No matter what you call threat intelligence or how you pronounce it, it needs to provide you with information on how to block the threats. Otherwise, better call the whole thing off.

Jeff Multz is Director of Midmarket North America at Dell SecureWorksDell SecureWorks, a global information services security company, helps organizations of all sizes reduce risk, improve regulatory compliance and lower their IT security costs.

To read more manufacturing and technology news, sign up for our newsletterYou can also follow Manufacturing Business Technology on Twitter @MBTwebsite.

More in Operations
Industrial Media Unboxing Video
Sponsored
Industrial Media Unboxing Video
IEN Unboxed is a new show in which our editors unbox new tools on the market and discuss their features.
Mar 19th, 2021
I Stock 1297073564 (1)
Warehouse AI: High Expectations, Not Hitting Potential
A survey of executives found that they're using AI mostly for inventory management, and expressed challenges with using AI more broadly.
Sep 16th, 2021
Cm 403c
Core & Main to Acquire Kansas City's CES Industrial Piping Supply
It's the company's 15th acquisition since spinning off from HD Supply in 2017.
Sep 16th, 2021
Contract Manufacturing
With the Pandemic Still Lingering, Is Contract Manufacturing an Option?
Supply chain disruptions and a lack of skilled workers remain major impediments.
Sep 15th, 2021
Fleet Pride New
FleetPride Acquires Truck Service Company, Inc. in Chattanooga
The heavy-duty truck parts distributor.
Sep 15th, 2021
In this May 23, 2012 photo, surveyors work next to Canadian Pacific Rail trains which are parked on the train tracks in Toronto.
Canadian Pacific-Kansas City Southern Deal Back on Track
Canadian National dropped out of the bidding war Wednesday.
Sep 15th, 2021
An MEP waits in the plenary for the session to begin at the European Parliament in Strasbourg, France, Sept. 15, 2021.
Europe Outlines Ambitious Plan to Boost Chipmaking
The European Chips Act will link research, design and testing.
Sep 15th, 2021
Injecting manure into a field as fertilizer in Lawler, Iowa. Manure management is a major source of greenhouse gas emissions from livestock.
Food Production Generates More Than a Third of Manmade Greenhouse Gas Emissions
A new framework tells us how much comes from crops, countries and regions.
Sep 14th, 2021
National Guard Spc. Noah Vulpi, left, administers the Johnson & Johnson COVID-19 vaccine to Ira Young Jr. during a vaccination clinic held by the National Guard in Odessa, Texas, May 27, 2021.
Vaccine Mandate Spawns Fear of Finding, Keeping Workers
With help wanted signs up almost everywhere, businesses could lose valuable employees or won't be able to find new ones.
Sep 13th, 2021
A private security contractor watches a NATO supply truck in the province of Ghazni, Afghanistan, Oct. 27, 2010.
Study Criticizes Post-9/11 Reliance on Defense Contractors
Up to half of the $14 trillion spent by the Pentagon in the past 20 years went to for-profit contractors.
Sep 13th, 2021
People attend a protest against pollution and the exploitation of a lithium mine, Belgrade, Serbia, Sept. 11, 2021.
Protests Target Lithium Mining, Other Eco Problems
The region faces major pollution problems.
Sep 13th, 2021
In this May 23, 2012, file photo, surveyors work next to Canadian Pacific Rail trains which are parked on the train tracks in Toronto. A planned shareholder vote on Canadian National's $33.6 billion offer has been delayed, Wednesday, Sept. 1, 2021, after regulators rejected a key part of the plan, so now Kansas City Southern can consider all of its options, including a competing $31 billion offer from Canadian Pacific Railway.
Kansas City Southern Picks Canadian Pacific Bid for Railroad
But it's not final yet.
Sep 13th, 2021