“Distrust and caution are the parents of security” – Benjamin Franklin
Enterprises and organizations are increasingly concerned about information and cyber security. Decision makers are questioning the investments they make to secure the business, and rightly so. As cyber attackers become more sophisticated, security teams lag behind and are left analyzing artifacts from the past to determine future threats. In this scenario, threat intelligence (TI) is growing in popularity, usefulness and applicability.
Gartner defines threat intelligence as, “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
The presence of intent, capability and opportunity on the part of an adversary, together with the analysis of that information, is what makes for a threat. Threat intelligence requires, as a prerequisite, a thorough awareness of one’s own IT environment and assets, personnel and business operations. Only then can you anticipate what your adversary is interested in and whether your security environment has loopholes that could be compromised.
Lack of threat intelligence results in spending and allocating resources to safeguard unimportant IT assets or on lengthy vulnerability assessments, instead of focusing resources on mitigation and problem resolution.
The threat intelligence life cycle typically consists of planning, collection, processing, production and dissemination of information. The information then needs to be mapped against an organization: someone within the organization needs to decide whether the intelligence produced actually applies. If the intelligence produced is not consumed, it is just a mass of useless data. Threat intelligence is presented as Indicators of Compromise (IoCs) or threat feeds.
The ability to consume the threat intelligence provides strategic and tactical choices that impact security. Strategic threat intelligence provides a broader and higher-level view of data to identify threats and make decisions regarding where security budgets need to be allocated and what personnel should focus on.
Tactical threat intelligence deals with collecting network information, analyzing it, identifying threats and giving analysts IoCs to use in the search for evidence of an intrusion. It is a natural step to consider for an organization trying to strengthen its overall cyber security posture. Only when the scope of threat intelligence is clearly defined can an organization foster realistic expectations of threat intelligence implementations, identify where they should be integrated within the organization to yield the best results, and align them with the overall cyber security goals of the organization.
An important element of defining threat intelligence for your organization is to be clear about what it does not entail. It is not a list of indicators that a perpetrator used at some point in time, without additional context. It is not information that does not help the organization understand its attackers. It is also not a data source that is ignored.
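One way the tactical consumption described above can be put into practice: a feed whose entries carry context (confidence, observed TTP, which sectors it applies to) is first filtered by what the organization knows about itself, and only the applicable indicators are searched for in local logs. This is an added example, not NetEnrich's code or code from the original page; the feed entries, sector, asset names and log lines are constructed sample data.

```python
# Added example: consuming a tactical threat feed with context and matching it
# against local logs. All indicators, assets and log lines are constructed
# sample data (RFC 5737 / reserved names), not real IoCs.
import re

# A feed entry carries context, which is what separates intelligence from a
# bare list of indicators that an attacker used at some point in time.
FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90,
     "ttp": "credential stuffing against VPN portals", "sectors": ["finance"]},
    {"type": "domain", "value": "update-check.example.net", "confidence": 60,
     "ttp": "C2 beaconing over HTTPS", "sectors": ["finance", "retail"]},
    {"type": "sha256", "value": "a" * 64, "confidence": 95,
     "ttp": "loader dropped by phishing attachment", "sectors": ["healthcare"]},
]

# What the organization knows about itself (constructed): sector and assets.
ORG = {"sector": "finance",
       "assets": {"vpn-gw-01": "VPN portal", "ws-1042": "workstation"}}

# Constructed log lines from the assets above.
LOGS = [
    "2024-03-01T10:02:11Z vpn-gw-01 auth failed user=jdoe src=203.0.113.45",
    "2024-03-01T10:02:14Z vpn-gw-01 auth failed user=asmith src=203.0.113.45",
    "2024-03-01T10:05:00Z ws-1042 dns query name=update-check.example.net",
    "2024-03-01T10:06:30Z ws-2000 dns query name=cdn.legit-example.com",
]

def applicable(feed, org):
    """Keep only indicators whose context maps onto this organization."""
    return [i for i in feed if org["sector"] in i["sectors"]]

def match_logs(indicators, logs):
    """Search logs for each indicator; findings keep the TTP context and are
    ordered by confidence so analysts see the strongest signal first."""
    findings = []
    for ind in indicators:
        # Word-boundary style guards so 203.0.113.4 does not hit 203.0.113.45.
        pat = re.compile(r"(?<![\w.])" + re.escape(ind["value"]) + r"(?![\w.])")
        hits = [line for line in logs if pat.search(line)]
        if hits:
            findings.append({"indicator": ind["value"], "ttp": ind["ttp"],
                             "confidence": ind["confidence"], "hits": hits})
    return sorted(findings, key=lambda f: -f["confidence"])

if __name__ == "__main__":
    for f in match_logs(applicable(FEED, ORG), LOGS):
        print(f"[{f['confidence']}] {f['indicator']} ({f['ttp']}): "
              f"{len(f['hits'])} log line(s)")
```

The healthcare-only hash is dropped before any log is read, which is the "applicability decision" the life cycle calls for; the two remaining findings arrive with their TTP attached rather than as bare matches.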
Of late, organizations are open to the idea of sharing attack data to help the larger community. Knowing your adversary and your IT loopholes allows an organization to build its defenses. When attack data from thousands of companies, organizations, industries and governments is aggregated, it becomes a rich repository of information that allows us to prepare for attacks and prevent them, rather than discover and react. Only when attack information is shared do threat intelligence feeds, hacker playbooks and breach simulations begin to create meaning and value. Threat information sharing helps cyber security professionals access information in real time and improves their ability to respond to emerging threats. It saves thousands of hours of investigation and, combined with advanced analytics, helps predict trends.
Threat Intelligence by NetEnrich – NETSOS proprietary automation framework at work
NetEnrich’s threat intelligence uses specific tactics, techniques, and procedures (TTPs) for your particular environment. It leverages analysis of threat actor behavior over multiple years to dramatically enhance the quality of your information security program. NetEnrich evaluates threat information against internal vulnerability assessments to prioritize security controls more effectively, using the NETSOS proprietary automation framework.
The NETSOS automation framework is used to extend User Behavior Analytics (UBA) functionality to provide comprehensive insider threat protection and full-fledged surveillance of east-west traffic. Get an aggregated view of insider and individual activities and quickly see key insider threats without being drowned in alerts.
Download our whitepaper “Addressing the Cybersecurity Talent Shortage and Growing Threat of Attack with Managed Services” to learn how you can achieve:
- Predictable monthly costs
- Adaptable scalable services on-demand
- Expansive knowledge base and expertise, with all the latest certifications and credentials