By identifying and halting incoming cyberattacks, threat intelligence can give companies - and their data - the upper hand
- Assessing potential cyberattacks, or threat intelligence, is important to defend against breaches.
- Threat-intel platforms are available in various structures, including commercial and boutique feeds.
- Some customized feeds can be specific to location, industry, or attack.
Richard Clarke, the cybersecurity czar under President Barack Obama, often started his speeches asking his audience how many knew there was a data breach happening now.
After only a few audience members raised their hands, he then asked how many people had been aware of a past data breach. A few more hands went into the air. Later, Clarke would ask the rest of the audience to raise their hands because, in reality, everyone had experienced a breach at some point - whether or not they were aware of it.
The fact is, potential hackers are probably in your company's network right now. So what should you do to ensure that, at the very least, you can identify the threat and start the remediation process?
To stop a cyberattack, it's important to look at a key part of the identification process: threat intelligence. At its core, this step can be broken down into two categories: internal and external.
Looking outward considers, in part, whether the attack is conducted by a lone financial criminal, state-sponsored attacker, or a more benign attacker, such as someone trying to gain credibility by proving they can successfully breach a network or cloud service provider. External threat intelligence also asks whether the breach is targeting your company specifically or others in your industry. This knowledge is useful in defending against attacks.
Looking inward seeks information about corporate-security operations and controls. This includes studying existing security policies and procedures, as well as potential threats within the company. But internal threat intelligence also looks for data stolen by attackers or even posted by employees - and while the latter isn't always malicious, the data might still be considered confidential. By searching the internet for internal data, a company can identify possible unknown breaches and see what's stolen or posted for sale to other cybercriminals on the dark web. Both can negatively affect a company's reputation or put the company at risk of violating compliance or privacy laws.
Internally, a security team might conduct proactive "threat hunting," which means looking at its own operations for undetected threats. This action can find threats that might have bypassed the company's existing security defenses.
Understanding the different types of threat feeds
There are two primary approaches to threat intelligence. The first is purchasing a data feed through a threat-intelligence platform, which is often accessed through a third-party vendor. These can help determine whether the company's network contains malicious data, such as malware or ransomware. Threat intelligence can help the security team identify potential threats, so that an attack can be recognized and stopped before it becomes a breach.
Using these commercial data feeds is like using a large net to catch fish. With commercial feeds, your company will end up with a lot of data about attacks, but it will take time to filter what is most important.
Data-capture techniques aren't always generic; some "boutique" threat-intelligence firms provide focused, industry-specific feeds that reduce a lot of the white noise. While these are often more expensive than generic feeds, they can be customized by location, industry, and type of attack, which gives companies a quicker and more efficient analysis.
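The "large net" versus "boutique feed" distinction above, as an added example that is not from the original article: a small Python script matches a constructed, deliberately mixed threat feed against constructed proxy/DNS log lines, then ranks each hit by feed confidence plus a bonus when the entry is tagged for the company's own sector and region. The feed entries, log lines, field names and scoring weights are all assumptions for illustration.

```python
"""Rank threat-feed hits against internal logs by a sector/region profile."""
import re

# Constructed sample feed: a broad "commercial" feed mixes sectors and regions.
FEED = [
    {"indicator": "invoice-update.example.net", "attack": "phishing",
     "sectors": ["finance", "retail"], "regions": ["us"], "confidence": 80},
    {"indicator": "198.51.100.23", "attack": "ransomware",
     "sectors": ["healthcare"], "regions": ["eu"], "confidence": 90},
    {"indicator": "cdn-sync.example.org", "attack": "c2",
     "sectors": ["any"], "regions": ["any"], "confidence": 40},
    {"indicator": "203.0.113.9", "attack": "scanning",
     "sectors": ["any"], "regions": ["any"], "confidence": 20},
]

# Constructed proxy/DNS log lines (documentation addresses, not real traffic).
LOGS = """\
2024-05-01T09:12:03Z host=ws-041 type=dns query=invoice-update.example.net
2024-05-01T09:12:04Z host=ws-041 type=proxy dst=203.0.113.9:443
2024-05-01T09:15:41Z host=srv-db1 type=proxy dst=198.51.100.23:445
2024-05-01T09:16:00Z host=ws-077 type=dns query=cdn-sync.example.org
2024-05-01T09:17:22Z host=ws-077 type=dns query=intranet.corp.example
"""

TOKEN = re.compile(r"(?:query|dst)=([^\s:]+)")  # value before any :port

def extract_indicators(logs):
    """Yield (timestamp, host, observed indicator) for each parsable log line."""
    for line in logs.splitlines():
        m = TOKEN.search(line)
        if m:
            fields = line.split()
            yield fields[0], fields[1].split("=", 1)[1], m.group(1)

def score(entry, profile):
    """Confidence plus a relevance bonus; generic ('any') entries get no bonus."""
    s = entry["confidence"]
    s += 50 if profile["sector"] in entry["sectors"] else 0
    s += 25 if profile["region"] in entry["regions"] else 0
    return s

def match(feed, logs, profile, min_score=0):
    """Return hits sorted by priority; min_score acts like a boutique-style filter."""
    by_ind = {e["indicator"]: e for e in feed}
    hits = []
    for ts, host, ind in extract_indicators(logs):
        e = by_ind.get(ind)
        if e and score(e, profile) >= min_score:
            hits.append({"ts": ts, "host": host, "indicator": ind,
                         "attack": e["attack"], "score": score(e, profile)})
    return sorted(hits, key=lambda h: -h["score"])
```

With the profile `{"sector": "finance", "region": "us"}`, `min_score=0` returns every hit the broad feed produces, while `min_score=60` keeps only the phishing domain tagged for this sector and the high-confidence ransomware address.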
Building a threat-management profile
- Identify current risk levels based on the risk tolerance of the company - operational risk management. This includes any deviations from security policies or controls, patch levels of software, and the use of end-of-life software.
- Identify real-time threat-intelligence data focused on your industry, but maintain a broad view of the entire threat landscape.
- Monitor where your network could be attacked, and look for gaps in coverage where security-vulnerability tools cannot reach parts of the network.
- Note trends by monitoring dashboards - usually weekly, monthly, and quarterly. At the C-suite level, data might be needed daily if trends show significant increases in attacks.
A second approach to getting insight about potential threats, or perhaps stolen data, is called open-source threat intelligence. This method finds data that is freely available on websites, social media, the dark web, and other networks. This might contain stolen corporate data, such as lists of customer credit cards, employees' Social Security numbers and other personally identifiable information, or even confidential corporate data about an unannounced product or a corporate acquisition.
Open-source threat intelligence can also be more benign. For example, an employee might post a selfie in a company conference room that accidentally shows the Wi-Fi password or technical designs for a new product.
Obtaining open-source threat intelligence often requires complex tools and highly skilled security analysts who are trained to navigate the dark web. Those who are inexperienced can easily run into conflict with the law or inadvertently anger a member of a criminal organization by accessing or downloading questionable data. If a company plans to hunt for threats on the dark web, it should consider hiring a professional threat hunter.
"If you're looking to find a needle in a haystack, better bring a strong magnet," said John Young, founder of Young Cyber Security and a former cybersecurity defense expert at IBM.
"Open-source threat intelligence is that magnet. A company's information is out there for hackers and the rest of the world to see."