By Zane Pokorny on May 14, 2019
Threat intelligence is sometimes misconstrued as something that can only be used and understood by experts, or just streams of data on indicators of compromise. The truth is that threat intelligence is a powerful resource for every cybersecurity role — something that’s helpful for everyone who cares about security.
We’ll survey some of the applications of threat intelligence by looking at how it helps with six categories of security roles: security operations, incident response, vulnerability management, risk reduction, fraud prevention, and security leadership.
Security operations is the first line of defense in most organizations. But security operations analysts have to develop a broad skill set to be effective, covering log monitoring, incident response, penetration testing, access management, and more. Each task might require a different system or group of systems, and those systems are often not integrated with each other. In practice, that means security operations centers (SOCs) are usually dealing with countless alerts and huge volumes of data every day, often arriving without much context.
Simply bringing more information usually just adds to the burden of SOC analysts — correlating external data with internal network telemetry might generate more alerts, for example, but if there’s no transparency behind why a particular indicator has a high risk score, then analysts will need to manually research that alert and determine whether it’s critical, whether it can wait to be resolved, or whether it’s just a false positive.
Threat intelligence enriches alerts, automatically providing context that helps SOCs prioritize alerts and work smarter. Some threat intelligence platforms do this automatically, using machine learning to downgrade or ignore alerts that are not important or relevant to your organization. Threat intelligence should provide real-time access to the sources behind risk scores and help analysts quickly research indicators of compromise, saving time and effort.
Incident response teams, which are often part of a SOC, face the same challenge of imperfect information as SOC teams in general. Countless alerts and not enough time to respond to all of them mean that IR teams have to pick and choose, but without context, it can be a struggle to determine which alert represents a critical incident and which isn’t a priority or can be ignored.
As we mentioned above, the irony is that the problem of imperfect information these days is often the result of having too much data, not too little, with IR teams overwhelmed by floods of non-prioritized indicators and alerts.
Threat intelligence helps security practitioners respond to incidents by:
- Automatically identifying and dismissing false positive alerts
- Enriching alerts with real-time context from across the open and dark web
- Assembling and comparing information from internal and external data sources to identify genuine threats
- Scoring threats according to the organization’s specific needs and infrastructure
The goal of vulnerability management is to reduce risk by making your environment more secure. But new vulnerabilities emerge constantly, and patching them is time-consuming and often results in downtime. Most vulnerabilities are exploited within the first two weeks after they’re discovered or not exploited at all, making a timely response critical.
So when your resources are limited, the best approach is not to “patch everything, everywhere,” but to learn how to prioritize which vulnerabilities present the biggest threat, which can wait, and which can be safely ignored.
Threat intelligence provides the context needed to perform this kind of assessment. Combining internal vulnerability scanning data, external intelligence from a wide range of sources, and intelligence on threat actor tactics, techniques, and procedures (TTPs) makes triaging vulnerabilities less guesswork and more scientific.
Risk reduction efforts are about making bad things less likely to happen — in cybersecurity, reducing risk often looks like using risk models to determine which security solutions are the best to invest in. But many cyber risk models today fall short, offering:
- Vague, non-quantified output, often in the form of “stoplight charts” that show green, yellow, and red threat levels
- Estimates about threat probabilities and costs that are hastily compiled, based on partial information, and riddled with unfounded assumptions
For it to be actionable, risk analysis needs to be produced in quantifiable terms like probability of attack, actual return on investment (ROI) in new security solutions, or the specific cost of downtime due to vulnerabilities being exploited. Non-quantified output is not very actionable, while models based on faulty input result in “garbage in, garbage out” scenarios, whose output appears to be precise but is, in fact, misleading.
Threat intelligence alongside a well-defined risk model helps security practitioners produce actionable, quantifiable research and predictive models on risk, making it essential for getting the most out of your security solutions and for long-term planning.
To understand how criminals are looking to profit from your business, you cannot focus solely on detecting and responding to threats already actively exploiting your systems. You need to gather threat intelligence about the cybercriminal gangs targeting you and how they run their operations.
To keep your organization safe, it isn’t enough to only detect and respond to threats already exploiting your systems. You also need to prevent fraudulent uses of your data or brand.
This takes threat intelligence gathered from communities in the criminal underground and on dark web marketplaces and forums, which can show how and why criminals are targeting you. Combined with information gathered from the surface web, this intelligence can provide powerful insight into the TTPs of cybercriminals.
Use threat intelligence to prevent:
- Payment Fraud: Monitoring sources like criminal communities, paste sites, and other forums for relevant payment card numbers, bank identifier numbers, or specific references to financial institutions can provide early warning of upcoming attacks that might affect your organization.
- Compromised Data: Cybercriminals regularly upload massive caches of usernames and passwords to paste sites and the dark web, or make them available for sale on underground marketplaces. Monitor these sources with threat intelligence to watch out for leaked credentials, corporate data, or proprietary code.
- Typosquatting: Get real-time alerts on newly registered phishing and typosquatting domains to prevent cybercriminals from impersonating your brand and defrauding unsuspecting users.
Threat intelligence is also essential for high-level, strategic decision making. Security leadership at the executive level (particularly CISOs) can use threat intelligence to communicate more effectively with their peers who may not have technical backgrounds.
Today, security leaders must assess business and technical risks, including emerging threats and “known unknowns” that might impact the business. They also have to identify the right strategies and technologies to mitigate the risks, and then communicate the nature of those risks to top management and justify investments in defensive measures.
Threat intelligence can be a critical resource for all these activities, providing information on general trends, such as:
- What kinds of attacks are becoming more (or less) frequent
- What attacks are most costly
- Who threat actors are, their TTPs, and their targets
- The practices and technologies that are the most (or least) successful in stopping or mitigating these attacks
Threat intelligence makes it easier to communicate these points to non-technical executives, and automated threat intelligence can also help make up for the growing security skills gap.
The Threat Intelligence Handbook
Each of these applications of threat intelligence is explored in greater detail in our book, “The Threat Intelligence Handbook,” which has a complete chapter devoted to each security function listed above.