Threat Intelligence: Security teams’ new crystal ball
How can threat intelligence help security teams prepare organisations for a cyberattack?
Most security solutions focus on what happens in an organisation’s environment and aim to warn that organisation of an attack and block it once it occurs. With threat intelligence, organisations receive intelligence about an attack before it enters the environment. As such, threat intelligence is a vital component of any organisation’s security stack and can help them prevent and prepare for attacks, something the majority of other solutions do not do effectively.
When it comes to preparing for a cyberattack, there are two main ways threat intelligence can help.
In the first instance, organisations need a solution that collects data from the internet, including the clear, deep and dark web, from sources such as cybercrime forums, black markets and social media, in order to identify warning signs of potential attacks against the business. These can include an array of elements such as phishing domains, stolen data, credentials exposed in the wild, and sensitive documents or code that is being exposed somewhere on the web. This is what we call external threat intelligence, or digital risk protection. An important element of this type of intelligence is that it is tailored to an organisation, meaning that the security team is notified when, for example, a cybercriminal is talking about their company or their data, or suggesting a plan to attack that particular organisation.
The second way that threat intelligence can help is to monitor for particular cybercriminal characteristics, helping organisations to prioritise indicators of compromise (IOCs) on their network and only focus on the most common or malicious threats targeting them. In the same way that criminals who break into a building are likely to leave fingerprints, so do cybercriminals. Threat intelligence can identify these and advise organisations on what threats, campaigns, or attack types are targeting them and therefore which ones to prioritise.
How high level or specific does threat intelligence go?
Many threat intelligence solutions focus on specific indications of an upcoming cyberattack. That is important, but on its own it does not give organisations a high-level view of their threat landscape.
CISOs who are on limited budgets need to know where threats are coming from and which techniques their organisation is most threatened by, so it is crucial that threat intelligence solutions are able to provide this data. CISOs can then use it to decide where to invest their budget and resources, such as better security solutions or further employee training, and where on the network their security teams need to focus.
CISOs are then able to present the cybersecurity issues facing their organisation in an easy and understandable way to the C-Suite. Only from these discussions can organisations effectively mitigate the specific cyberattacks and intelligently build effective security strategies and programs.
Why is threat intelligence crucial in the work-from-anywhere era?
The move to work from home/remote working has driven a real increase in the usage of cloud services as employees are required to work directly with the cloud to access what they would from the office.
This increase has exposed organisations to different types of threats, some of which can be mitigated using threat intelligence. For example, if an organisation’s software engineers must work from home, they must access things like code repositories in the cloud. Accessing such repositories from home, on a personal network or a different device, heightens the risk of them accidentally taking code from the organisation’s internal repository and publishing it elsewhere, for example in a personal repository on GitHub, or otherwise exposing it to the public.
With organisations at risk of such exposure, threat intelligence is invaluable. Organisations can use their threat intelligence solution to monitor the internet and identify these types of risks. When organisations look for a threat intelligence solution, they should look for one that is able to cover these use cases.
How can threat intelligence help support other cybersecurity solutions?
Threat intelligence can support other cybersecurity solutions in several ways, one being that it improves the detection capabilities of other solutions within an organisation’s security stack. Most detection solutions try to predict what attacks may hit an organisation in the future, but they cannot catch everything. This is where threat intelligence comes in.
If organisations are scanning the network continuously without threat intelligence, there is a lack of focus and threats are likely to slip through. Add threat intelligence that sends indicators of compromise and detailed threat information to those other solutions, and the organisation already knows what to look out for and which elements of its security strategy and network to focus on.
Threat intelligence can also help with the triage of threats. Triaging involves helping security teams sort through the hundreds or even thousands of alerts they receive daily and knowing which ones to prioritise. One way of doing this is a browser extension that scans the alerts raised on a certain part of the organisation’s network, be that an endpoint solution or an XDR, and provides an assessment detailing which of the raised indicators or alerts are the riskiest.
By highlighting to SOC analysts which threats to start with, threat intelligence cuts remediation time dramatically and makes the team much more efficient. Rather than wasting time investigating alerts that are low priority, they immediately focus their time on high priority threats.
To take this one step further, threat intelligence can also help with the attribution of an attack by providing security teams with information on which malware, threat actors or campaigns are trending in their organisation’s environment at that point in time. This puts the focus not only on high-risk IOCs, but also on those related to specific pieces of malware, threat actors or campaigns. Organisations can then research that particular type of malware, including whether there are indications that it is present elsewhere in the network, or that specific threat actor: what tools and attack vectors they typically use, what their motivations are, and so on. Based on this context and insight, security teams can carry out a wider threat hunt across the organisation’s environment to ensure they are not further exposed.
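The triage and attribution workflow described above, as an added illustration that is not part of the original article or any vendor's product: a constructed threat-intelligence feed is used to enrich constructed XDR-style alerts with a risk score and campaign label, so the SOC works the riskiest alerts first, sees which campaign is trending, and gets a list of related feed indicators that have not yet fired to hunt for. All indicators, scores, campaign names and hostnames are made up for the example.

```python
# Added example (not from the article): prioritise alerts with TI context.
# The feed, alerts, scores and campaign labels below are all constructed.
from collections import Counter

# Constructed feed: indicator -> (risk 0-100, campaign label). Not real IOCs.
TI_FEED = {
    "198.51.100.23": (90, "campaign-A"),
    "198.51.100.24": (70, "campaign-A"),      # not yet seen in any alert
    "bad-updates.example": (85, "campaign-A"),
    "203.0.113.7": (40, "commodity-scanner"),
    "0123456789abcdef0123456789abcdef": (95, "campaign-B"),  # placeholder hash
}

# Constructed alerts, shaped like an endpoint/XDR export.
ALERTS = [
    {"id": 1, "indicator": "203.0.113.7", "host": "ws-01"},
    {"id": 2, "indicator": "198.51.100.23", "host": "ws-02"},
    {"id": 3, "indicator": "10.0.0.5", "host": "ws-03"},  # internal, no TI match
    {"id": 4, "indicator": "bad-updates.example", "host": "ws-02"},
    {"id": 5, "indicator": "0123456789abcdef0123456789abcdef", "host": "srv-01"},
]

def enrich(alerts, feed):
    """Attach risk and campaign context; alerts with no feed match get risk 0."""
    out = []
    for a in alerts:
        risk, campaign = feed.get(a["indicator"], (0, None))
        out.append({**a, "risk": risk, "campaign": campaign})
    # Highest risk first, so analysts start with what matters.
    return sorted(out, key=lambda x: x["risk"], reverse=True)

def trending_campaigns(enriched):
    """Matched alerts per campaign: the 'what is trending here' view."""
    return Counter(a["campaign"] for a in enriched if a["campaign"])

def hunt_indicators(feed, campaign, seen):
    """Feed indicators tied to a campaign that have not raised an alert yet,
    i.e. what to hunt for across the rest of the environment."""
    return sorted(i for i, (_, c) in feed.items() if c == campaign and i not in seen)

if __name__ == "__main__":
    enriched = enrich(ALERTS, TI_FEED)
    for a in enriched:
        print(a["id"], a["host"], a["risk"], a["campaign"])
    top = trending_campaigns(enriched).most_common(1)[0][0]
    seen = {a["indicator"] for a in enriched if a["risk"]}
    print("trending:", top, "hunt for:", hunt_indicators(TI_FEED, top, seen))
```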