85% of respondents say Threat Intelligence is important for a strong security posture, but 41% say they have not made progress in the effectiveness of their Threat Intelligence data. This comes from a recent 2019 study carried out by the Ponemon Institute with over 1,000 IT security practitioners in North America and the U.K.
The difference between those two figures is the Threat Intelligence Gap. How can the industry reduce this gap? Let's explore the five takeaways:
I see this happening more and more, with teams being made up of malware researchers, SOC analysts, and threat analysts. The members of these teams are passionate about the work they do but also understand that a more automated and efficient way to deal with threat information is greatly needed. This points to the solution of a Threat Intelligence Platform that can take on the burden of acquiring and validating threat information, thereby enabling the analyst and empowering the SOC to spend more time on real analysis and decision making and less time on the mundane gathering and curation of threat information.
If you do not already have a formal and dedicated team, this needs to be one of your top priorities. It is always a good idea to have a member on that team with project management skills in the mix of technical experts.
I believe this to be the most important priority. Without a budget, people, products and processes cannot be enabled around Threat Intelligence. The budget is difficult to quantify and depends on the type of business and the spending power available. External threats are analogous to the turbulence a plane experiences: you cannot see it, but it is impactful. If a plane did not have the sensors in place to detect and deal with turbulence, the result could be catastrophic. The same applies to businesses that are hit by the invisible forces of hackers and adversary groups; WannaCry and Petya victims are high-profile examples. Embracing good Threat Intelligence, like a magician, turns the invisible into the visible, which means an organisation can now deal with the threat instead of being impacted by it.
Review the budget available for Threat Intelligence and separate it from the pool shared by multiple security areas, so that a dedicated pot exists for Threat Intelligence. It is the new frontier in defence and as such should be promoted to the procurement department.
I would not advocate relying on open source Threat Intelligence only, nor on one or a few paid sources of Threat Intelligence. Both quantity and quality matter in this sphere.
Quality: Premium third-party sources spend more time curating their information, resulting in more reliable Threat Intelligence compared to open source. A scourge of open source Threat Intelligence is staleness of data: indicators that are no longer active but are still being matched against.
Quantity: The problem with putting all your eggs in one basket is that a single source carries a single bias in what it sees and reports. Working with many sources of Threat Intelligence via a Threat Intelligence Platform mitigates the presence of bias in the data.
The adversaries collaborate at various stages of the attack cycle. They have to, as they specialise in different parts of the Kill Chain and remain relatively benign until they band together to become malicious. They share information (tools, tactics, and procedures). Likewise, the good guys, our organisations that build and grow a business, need to collaborate with each other to protect themselves far better. It is not rocket science. One organisation is hit with a new piece of malware that impacts their systems and thus ultimately their business. If knowledge of this malware is shared immediately, other organisations that are likely targets as well can ensure they are able to detect and mitigate the attack. If someone in your neighbourhood was burgled, the risk of another burglary to a household in your neighbourhood is high. A neighbourhood watch scheme or extra police patrols after the first burglary allows for detection and prevention of a potential subsequent burglary.
Organisations that are part of a Threat Intelligence sharing initiative often like to consume but not share. Utilising a Threat Intelligence Platform enables the sharing, as it comes with features such as obfuscation for the privacy of company information, sharing controls, real-time sharing, and an award system to encourage sharing.
Information Sharing Analysis Centers (ISACs) are a great way to get started in Threat Intelligence sharing. They use a Threat Intelligence Platform to enable the sharing and look after the memberships of organisations that join them. Check out https://www.nationalisacs.org and https://www.anomali.com/isacs-sharing
"No man is an island", written in 1624 by the English poet John Donne, is still pertinent today when we think about the cyber defence of organisations now in 2019. Let us connect, actively share and get ahead of the game.
Go beyond the face value (ransomware, phishing, DDoS, etc.) of the threat and look for the root cause. It is not an academic exercise. It is an exercise to allow the SOC and the analyst to make an INFORMED decision on how to handle the threat based on risk and impact.
Let's take an example. One of your company assets has communicated with a malicious domain. A firewall log shows accepts between your internal asset and the external domain. Using good Threat Intelligence, the analyst should be able to understand who this domain belongs to, their motivations and target lists, how they carry out attacks and how quickly, and the associated indicators related to the threat actor group. Suppose you are a financial institution: with good Threat Intelligence, you may find, for example, that the domain belongs to the Lazarus group, who target company verticals (Financial, National Defence and Civilian Government) like yours. Their sophistication level is Expert. Their motivations are financial, political, military and ideological. They target companies in specific countries, including the one where your asset resides. They use a number of specific tools, TTPs and actor indicators. The domain has been verified as 100% accurate, i.e. still active and of the threat category it is defined as (APT Domain), and the Severity (impact level) is Very High. As an analyst, you now have the backing of information to support your decision to investigate the internal asset, including taking it offline or running scanners on it, as well as other playbook activities. Without this contextual information about the domain, it would prove hard to decide what to do next and to ask the asset owner to do anything to it for further investigation or remediation.
You see someone entering and leaving your house. How you investigate, and how much effort you put in to see what is missing or suspicious in your house, will depend on whether that person was a grocery delivery person, a known spy or the police's most wanted thief.
SIEMs, EDR, firewalls, SOARs and Incident Management Systems are some common examples of solutions that have much greater value when they utilise good Threat Intelligence. SIEMs can detect in real time communications from internal assets to external threat entities and Indicators of Compromise. EDR tools can look for malicious file hashes. Firewalls can block communications to malicious IPs and domains. SOARs can orchestrate the automation of mitigation responses. Incident Management Systems can enrich incidents with contextual threat information to make them more meaningful for action. The Threat Intelligence needs to be good to start with, and this depends on the Threat Intelligence Platform and Threat Intelligence sources that are chosen. Analysts can use this Threat Intelligence in their investigations to make informed decisions on the threats they encounter. However, the third piece in utilising Threat Intelligence is integration with other security tools. Just as attackers assemble adversarial tools to perform an attack, organisations defending themselves should not only share Threat Intelligence with other organisations but also bring Threat Intelligence together internally with their existing security tools. It is similar to CCTV systems and security guards being supplied with intelligence to perform their jobs more effectively. It has the add-on effect of increasing the ROI on your existing security tools.
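The firewall example above (an accepted connection to a domain that intelligence attributes to an actor, with a category, severity and confidence) and the SIEM-style detection just described are the same workflow: match the destination of an accepted connection against an indexed feed, then attach the context an analyst needs to choose a playbook action. The following Python script is an added example, not Anomali's code or a real feed; the indicator values, the actor name "Hypothetical Actor A", the log format, the scoring weights and the action thresholds are all constructed for illustration. It also shows the two feed-quality points made earlier: stale indicators are dropped before matching, and an indicator reported by more than one source is flagged as corroborated.

```python
"""Enrich firewall 'accept' events with threat-intelligence context.

Added example (not Anomali's code). The feed entries, log lines, actor name
and scoring weights below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Indicator:
    value: str            # the IOC itself (domain or IP)
    itype: str            # "domain" or "ip"
    category: str         # e.g. "APT Domain"
    severity: str         # Low / Medium / High / Very High
    confidence: int       # 0-100, as reported by the source(s)
    actor: str            # attributed threat actor (placeholder name)
    sources: frozenset    # which feeds reported this indicator
    last_seen: date       # last time a source saw it active
    ttps: tuple = ()      # associated tactics, techniques and procedures


SEVERITY_SCORE = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}
ASSET_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}

# Constructed feed merged from several hypothetical sources (TEST-NET IP, .example domain).
FEED = [
    Indicator("update-check.example", "domain", "APT Domain", "Very High", 100,
              "Hypothetical Actor A", frozenset({"premium-1", "premium-2"}),
              date(2019, 6, 1), ("spear-phishing", "credential theft")),
    Indicator("203.0.113.7", "ip", "Scanning IP", "Low", 60,
              "unknown", frozenset({"open-feed"}), date(2018, 1, 1)),
]


def build_index(feed, today, max_age_days=90):
    """Index indicators by value, dropping stale ones: anything not seen
    within max_age_days is left out so it cannot trigger a match."""
    cutoff = today - timedelta(days=max_age_days)
    return {i.value: i for i in feed if i.last_seen >= cutoff}


def parse_fw_line(line):
    """Parse a key=value firewall log line (constructed format) into a dict."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, val = token.split("=", 1)
            fields[key] = val
    return fields


def score(ind, asset_criticality):
    """Risk score = indicator severity x source confidence x asset importance."""
    return (SEVERITY_SCORE[ind.severity] * (ind.confidence / 100)
            * ASSET_WEIGHT[asset_criticality])


def enrich(event, index, asset_criticality="medium"):
    """Return enrichment context for an accepted connection, or None when the
    destination matches nothing in the (non-stale) index. The hostname is
    checked before the IP because it is the more specific indicator."""
    if event.get("action") != "accept":
        return None
    ind = None
    for key in ("dst_host", "dst"):
        if key in event and event[key] in index:
            ind = index[event[key]]
            break
    if ind is None:
        return None
    s = score(ind, asset_criticality)
    # Constructed thresholds: they map the score onto playbook actions.
    action = "isolate" if s >= 3.0 else "investigate" if s >= 1.5 else "monitor"
    return {
        "asset": event.get("src"), "matched": ind.value, "category": ind.category,
        "actor": ind.actor, "severity": ind.severity, "confidence": ind.confidence,
        "corroborated": len(ind.sources) >= 2, "ttps": list(ind.ttps),
        "score": round(s, 2), "recommended_action": action,
    }


# Constructed firewall accept lines.
SAMPLE_LOGS = [
    "2019-06-12T10:22:31Z action=accept src=10.0.0.5 dst=203.0.113.7 dst_host=update-check.example dport=443",
    "2019-06-12T10:23:02Z action=accept src=10.0.0.9 dst=198.51.100.9 dport=443",
    "2019-06-12T10:23:40Z action=accept src=10.0.0.12 dst=203.0.113.7 dport=80",
]


def run(lines=SAMPLE_LOGS, today=date(2019, 6, 12), asset_criticality="high"):
    """Enrich each log line against the feed as it stood on `today`."""
    index = build_index(FEED, today)
    return [enrich(parse_fw_line(line), index, asset_criticality) for line in lines]


if __name__ == "__main__":
    for result in run():
        print(result)
```

Running it as-is, the first line matches the corroborated APT domain on a high-value asset and comes back with an "isolate" recommendation plus the actor, category and TTPs an analyst would cite to the asset owner; the second line matches nothing; the third line matches nothing either, because the open-feed scanning IP was last seen over a year before and is dropped as stale. Re-running with an earlier `today` shows that same IP matching with a low score and a "monitor" recommendation, which is the difference context makes.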
The Threat Intelligence Gap is an opportunity for adversaries to plunder and pillage in the organisation's cyber defence blind spot. Reducing this gap squeezes out the adversaries and lessens their impact, which can be, and has proven to be, catastrophic. It is like a disease: without proper immunity measures, if you catch it you will become very sick. Immunity benefits everyone. The more we all take care of ourselves, the less likely an epidemic becomes.
So, what do we need to do? As highlighted, it is a case of having a dedicated Threat Intelligence team and a serious Threat Intelligence budget, going down the rabbit hole to understand the Who and Why behind an IOC, and sharing Threat Intelligence externally with other organisations and internally with other security tools and teams. What stitches together and enables all these components is a Threat Intelligence Platform: a purpose-built, dedicated central repository for the management and dissemination of good Threat Intelligence. Want to know more? Request a demo.
Parthi Sankar is a solutions consultant based in the UK for Anomali. Parthi has over 10 years' experience in cyber security, working for end-user companies, vendors, resellers and distributors, with the bulk of that time spent in the SIEM industry. Parthi is passionate about cyber security and believes Threat Intelligence sharing is as important as Threat Intelligence consumption to help close the Threat Intelligence Gap.