The ultimate goal of threat intelligence is to dramatically reduce the number of incoming cyber-threats, including hacking, malware, and internal threats. This end is achieved through an active, ongoing effort to identify potential threats. Discovering both would-be targeted attacks and indiscriminate Trojan infections is an ongoing project that requires effort, expertise, and the right software configuration.
Adopting multiple monitored connections and traffic data collection points creates multiple environments in which threats can be discovered. The perimeter model built around a single solid firewall has proven inadequate, if not overly optimistic. Cyber security experts now agree that, just as attackers work in steps and layers, so must security applications. Just as a secure home has a fence, entrance alarms and a safe, multiple applications are deployed across the network, each in its own environment.
When the threat data gathered by these separate elements is leveraged together, it becomes more valuable than the sum of its parts. A threat intelligence platform is not a defensive mechanism so much as it is a research tool.
Actionable information about threats on the horizon can come from more sources than your own threat intelligence platform. Data describing threat actors, their methodologies and other identifying factors can be anonymized and channeled into a standard machine-readable language. Threat feeds are channels through which you can request, send and receive intelligence. These libraries are enormous and continually growing. The volumes against which your own traffic logs are compared are too big to store locally, so remote delivery models have been adopted. They vary by product and vendor, but all work to correlate all of your network events and present alerts that are reliable and meaningful.
These sophisticated applications were initially developed for and marketed to large-scale operations, most of which held highly sought-after data. Hackers soon realized that small and medium-sized organizations were, by and large, not using a threat intelligence platform, and consequently SMEs were attacked more. Having less security but still possessing exploitable resources, they were overall a more desirable target. That gap was shored up with the introduction of more threat feed options. Services can be scaled up or down to accommodate any network. Analysts have, through much hindsight, identified indicators of a pending insider threat. This was impossible before experts looked beyond the firewall.
With the introduction of open-source honeypot code, free to download, even more users came on board. So many users created a plethora of data that can be further mined for specifics about individual threat actors as well as discoverable patterns or tactics. These users can publish, request and share intelligence with others through their threat intelligence platform. There are different models to describe various vendor/peer or peer/peer relationships, some of which are subscription-based while others are free.
Some users have reservations about privacy, as we all should. Programmers understood these concerns and addressed them. Indicators of Compromise and other intelligence must be made anonymous to protect the identities of victims. Practices are in place for unilaterally sharing intelligence with peers in self-defined groups.
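As an added illustration of the two mechanisms described above (comparing your own traffic logs against feed indicators, and anonymizing a sighting before it is shared with peers), here is example code that is not part of the original article; the feed contents, the key=value log format and the salted-hash scheme are all constructed assumptions rather than any vendor's or standard's format.

```python
import hashlib
import ipaddress
import re

# Constructed sample indicators, as a feed might deliver them (TEST-NET addresses).
FEED = {
    "ip": {"203.0.113.7", "198.51.100.22"},
    "domain": {"bad.example.net"},
}
# Constructed proxy/firewall log lines in a simple key=value format.
LOGS = [
    "2024-05-01T10:00:01Z src=10.0.0.5 dst=203.0.113.7 host=bad.example.net action=allow",
    "2024-05-01T10:00:02Z src=10.0.0.9 dst=93.184.216.34 host=example.com action=allow",
    "2024-05-01T10:00:03Z src=10.0.0.5 dst=198.51.100.22 host=- action=deny",
]
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split a log line into its timestamp plus its key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields

def match_feed(lines, feed=FEED):
    """Return the events whose destination IP or hostname appears in the feed."""
    sightings = []
    for line in lines:
        ev = parse(line)
        matched = []
        if ev.get("dst") in feed["ip"]:
            matched.append(("ip", ev["dst"]))
        if ev.get("host") in feed["domain"]:
            matched.append(("domain", ev["host"]))
        if matched:
            sightings.append({**ev, "matched": matched})
    return sightings

def anonymize_for_sharing(sighting, org_salt):
    """Drop victim-identifying fields before a sighting leaves the organisation.
    The internal source address becomes a salted hash, so repeated sightings of
    the same host still correlate without revealing it; the timestamp is
    coarsened to the hour. (Assumed scheme, not a standard.)"""
    shared = {"indicators": sighting["matched"], "action": sighting["action"],
              "ts_hour": sighting["ts"][:13] + ":00:00Z"}
    if ipaddress.ip_address(sighting["src"]).is_private:
        shared["src_token"] = hashlib.sha256((org_salt + sighting["src"]).encode()).hexdigest()[:16]
    return shared
```

Only the matched indicators, the action and the coarsened time leave the organisation; the raw source address never does.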
This technique holds so much merit that the US government, along with many others, has adopted threat intelligence into its mainstream security operations. Government agencies and contractors are all now required to run cyber-threat intelligence programs and participate in threat sharing. If your enterprise plans to grow big enough to take on government contracts, this will apply to you as well. For the rest of us, it’s currently encouraged but not mandated.
When you consider the effectiveness of collecting intelligence, the case is compelling. In one survey, 75% of users believe intelligence gathering is critical for an effective cybersecurity strategy. Considering that these programs are much less of an undertaking than they were at their inception and now work from even more data, we cannot think of a reason not to use a threat intelligence platform.