3 Signs Your Information Security Team Needs Threat Intelligence

Posted: 2nd March 2016

Be honest, sometimes you aren’t sure.

Your information security team seems to be getting on with things. They fix vulnerabilities, brief your staff, and implement security procedures.

But how can you be sure they’re doing everything possible to protect your organization?

Well, the best thing you can do is to ensure they have the threat intelligence needed to inform their actions.

Here are three giveaway signs that your information security team isn’t getting the threat intelligence it needs.

They Don’t Know What’s Already Out There

It’s every CISO’s worst nightmare.

Sensitive, proprietary information, dumped on the Web for anyone to see.

Remember Ashley Madison? Well, at least they knew it was happening. Plenty of organizations have leaked data and they don’t even know about it.

As security professionals, we run the risk of being so focused on advanced threats that we forget about the basics.

Quality threat intelligence should always include analysis of proprietary assets on the Web. Information about the organization or its executives, confidential data, and even employee login credentials turn up on the open Web with depressing regularity.

Knowing this, it’s vital that your information security team receives regular and timely threat intelligence to help them get on top of data leaks as quickly as possible.

And it’s not just data leaked intentionally you have to worry about. Does your information security team know what your employees are saying online? For that matter, do they know what anyone is saying about your organization online?

While we wouldn’t necessarily suggest playing Big Brother and hovering over your employees’ private accounts, social media chatter is a very real indication of data leakage.

All sorts of people use social media for all sorts of purposes, and searching for mentions of your organization online could point you towards serious data leaks before they cause too much damage.

What They Need: Threat intelligence on common “data dump” sites and social analysis.
Result: Much faster crackdown on potentially serious data leaks.

They Spend Too Much Time Fighting Fires

It doesn’t take a genius to see that knowledge of the most common attacker tactics, techniques, and procedures (TTPs) is a useful thing to have.

After all, it’s all well and good to put out fires, but wouldn’t it be better to prevent them from starting in the first place?

Think of the most likely attack routes as choke points.

By identifying these choke points ahead of time, you can quickly block them off, and keep out the vast majority of would-be attackers.

Without this information, you’ll have no idea which points to block off first, and there’s a good chance you’ll be left vulnerable when an attacker comes along.

Let’s look at an example.

Analyzing malware campaigns from recent history tells us that most attackers leverage dynamic DNS (DDNS) for their command and control infrastructure.

Knowing this, your information security team can designate DDNS as one of their choke points, and implement a suitable defense. In this case, a DNS response policy zone (RPZ) would be a sensible option: it lets the resolver apply protection policies that rewrite or refuse responses for known “bad” domains, IP addresses, and so on, so that infected hosts never reach the command and control infrastructure.
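As an added illustration of the RPZ approach described above (example code written for this page, not code from the original post or from any resolver product), here is a small Python policy checker that applies RPZ-style QNAME triggers (exact and wildcard) and answer-IP triggers to a handful of constructed DNS query log lines. All domain names, networks, and log lines are made-up placeholders.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed policy (not a real feed). A leading "*." entry covers subdomains
# but not the apex itself, mirroring an RPZ wildcard QNAME record.
QNAME_POLICY = {
    "evil-c2.example": "NXDOMAIN",
    "*.ddns-provider.example": "NXDOMAIN",  # hypothetical DDNS provider: the choke point
    "*.bad.example": "DROP",
}
# Answer-IP triggers: block responses whose A record falls in a listed network.
IP_POLICY = [(ipaddress.ip_network("203.0.113.0/24"), "NXDOMAIN")]  # TEST-NET-3 placeholder


def qname_action(qname: str) -> Optional[str]:
    """Return the policy action for a query name, most specific match first."""
    name = qname.rstrip(".").lower()
    if name in QNAME_POLICY:
        return QNAME_POLICY[name]
    labels = name.split(".")
    for i in range(1, len(labels)):  # walk up: *.b.c, then *.c
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in QNAME_POLICY:
            return QNAME_POLICY[wildcard]
    return None


def answer_action(answers: List[str]) -> Optional[str]:
    """Return the action for the first answer IP that falls in a listed network."""
    for a in answers:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            continue  # not an IP (e.g. a CNAME target); RPZ-IP does not apply
        for net, action in IP_POLICY:
            if ip in net:
                return action
    return None


def apply_policy(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Lines are 'client qname [answer1,answer2]'; return (client, qname, action) hits."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        answers = parts[2].split(",") if len(parts) > 2 else []
        action = qname_action(parts[1]) or answer_action(answers)
        if action:
            hits.append((parts[0], parts[1], action))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "10.0.0.5 www.example.com 198.51.100.10",
    "10.0.0.7 host123.ddns-provider.example 203.0.113.45",
    "10.0.0.9 evil-c2.example 203.0.113.9",
    "10.0.0.11 update.bad.example",
    "10.0.0.12 cdn.example.net 203.0.113.200",
]
```

In a real deployment the same triggers would live in an RPZ zone served to the resolver, with hits logged so the team can see which hosts tried to reach the blocked infrastructure.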

Through one simple preventative measure, a huge amount of emergency repair work is completely avoided. Ultimately, this is a question of resource allocation.

If your information security team can identify the most likely means of attack, not only will their time and energy be spent more wisely, their efforts will also dramatically reduce the chances of incident escalation … and all the resource nightmares that go along with it.

As the old saying goes, an ounce of prevention is worth a pound of cure.

What They Need: Analysis of the latest attacker TTPs.
Result: Reduced risk of breaches, and greatly improved resource allocation.

They’re Always Going on About Phishing

Now let’s not be flippant, phishing is a serious problem. It’s becoming more common, and much more sophisticated.

At a security conference I attended in London last year, one of the speakers mentioned a company that had been hacked solely to gather information for a spear phishing attack on one of their partners.

Clearly this is something to be concerned about … it’s just not the only thing.

And I get it.

People understand phishing now. When your information security team mentions phishing to the C-suite, they get more than blank stares in return.

They understand employees need to be educated, and defensive capabilities enhanced to protect against all these phishing attacks your organization is being subjected to.

That’s a serious step forward from years gone by, but it’s not enough. And worse, it distracts attention away from other, equally important concerns.

If you’re involved in the threat intelligence world, you know that at any given time there is a set of TTPs that threat actors are particularly fond of. Right now, phishing is one of those, but certainly not the only one.

You cannot, for example, forget about controlling user access levels (which is a serious issue in many organizations) simply because the board won’t understand the problem.

The other issue with an over-focus on phishing is that it can lead you to become extremely reactive. Sure, you’ll do your best to prepare your assets (both human and otherwise) for impending attacks, but ultimately you’re going to have to wait and see what happens.

Now, any security effort is by definition going to be at least partially reactive, but that doesn’t mean you shouldn’t be proactive wherever possible.

How about utilizing honeypots to identify insider threats or breached user accounts?

You can prepare a world-class defense against phishing attacks, but sooner or later one might get through. When that happens, you’d better have some proactive measures in place to minimize the damage.

What They Need: A routine breakdown of all threat types.
Result: Increased proactivity in security measures.

Threat Intelligence Informs Action

When it comes down to it, threat intelligence is useless unless it informs action.

That could be implementing honeypots, briefing staff, or closing known vulnerabilities, but these things will only happen if the right people receive the intelligence they need.

Your information security team is right at the top of the list in terms of threat intelligence need. If you want targeted, proactive security measures, you should be working with them routinely to determine exactly what intelligence they need and when they need it.

Threat intelligence requires both time and money to collect.

Make the most of it.