10 Threat Intelligence Goals for Financial Institutions
May 26, 2015 • Caroline Flannery
Russell Pierce, vice president of cybersecurity and threat intelligence at Regions Financial Corporation, recently shared his experiences with building a threat intelligence program, and how Recorded Future contributes to its overall success.
Times Have Changed
The introduction of the Internet and online banking has had a dramatic impact on the financial services industry. Prior to the web, it was easy for financial organizations to secure information but difficult to reach customers. Today, ease of use is a major competitive factor, and any organization with an eye towards growth is using the web for customer transactions and engagement.
Financial organizations’ infrastructures, too, are connected to the Internet – and to third-party partners’ Internet-connected infrastructures – leaving everyone more vulnerable to more risks than ever before. Like other industries, financial systems that previously had very defined perimeters are now perimeter-less. With the stakes so high, the finance industry has had to look for new, proactive ways to protect its systems and the information contained within them.
It’s not enough to just implement new controls and technologies around the systems, though; smart organizations are dedicating teams to look in the deep crevices of the web for detailed information on threats to their environments. World news and events, potentially controversial company announcements, new executive appointments, industry and partner breaches, industry-specific malware — all of these and more can indicate a risk, and analysts need to find the intelligence that must be acted upon to protect the company and its customers.
The wealth and scope of available information can be overwhelming for intelligence analysts, however. While in the past actionable and credible threat intelligence could be elusive, now information can be found online anywhere, at any time, in any language. With the volume of information and limited resources and budgets, organizations need to be strategic in their intelligence gathering.
But how can your company’s analysts sort through the noise to find the right threat intelligence?
During a recent webinar, Russell Pierce, CISSP, of Regions Financial Corporation shared how organizations can use Recorded Future as part of their comprehensive cybersecurity program. By applying real-time threat intelligence from the open web to improve defenses against cyber threats, companies can:
- Navigate from intelligence objectives to intelligent decisions.
- Apply open source intelligence (OSINT) to better prioritize threats.
- Save time and money by strategically focusing threat intelligence capabilities.
Mr. Pierce explained how the use of the Internet has changed the threat landscape for Regions considerably. Online and mobile banking, in particular, pose challenges for the financial services industry, but other industries face similar problems of increased digital communication and collaboration, mobility, interconnected networks and infrastructures, and more.
Why Is This So Hard?
Complicating matters further, the web has layers and is constantly in flux, which means analysts and researchers need to be looking at more sources than ever before, including:
- World Wide Web: Surface layer, public, easily accessible
- Deep Web: Not searchable, dynamic, private, ephemeral
- Dark Web: Custom protocols, legal issues
- OSINT: Mostly unstructured, varying trustworthiness, free
- CSINT: More likely to be structured and costly
- In-House: Internal, mostly structured, trusted, free
While all of these sources supply threat information, some of it can be difficult to access and, in some cases (i.e. the dark web), poses risks just by being accessed. Nonetheless, threat information is everywhere and organizations must be smart about threat information collection.
Because this plethora of information can be overwhelming, even for the most sophisticated and resourced risk and threat intelligence teams, Mr. Pierce recommends companies prioritize threat intelligence goals. Ranked by importance and proximity, he suggests companies assess threats according to how they affect Your Company, Your Industry, and Your Internet.
Top 10 Threat Intelligence Goals
The top four threats, said Mr. Pierce, are those risks to Your Company:
- Direct risk (targeted or named; institutional vulnerabilities)
- Indirect risk (vendor, service, or technology dependencies)
- Actors, campaigns, tools, or tactics that targeted your company or sector
- Internal inquiry (leadership, corp communications, or technical areas)
Focusing threat intelligence goals on these four issues, first and foremost, will set your program in the right direction and help threat analysts home in on the most immediate issues. Threat intelligence tools can be tuned to alert on specific signals.
Since many cyber attacks occur as a result of indirect threats, risks, or vulnerabilities, companies must be aware of what’s happening in the industry. A large company or group of companies in Your Industry being hit with targeted malware, for instance, is a good indication that trouble may be brewing for your company, too:
- Affecting multiple companies in your sector
- Affecting a large company or leader in your sector
- Affecting a direct peer (by market size, holdings, or geography)
Operation Ababil, a cyber attack that rapidly spread throughout the banking industry in 2012, is a good example of why organizations must be cognizant of what’s happening around them as well as what’s happening directly to them.
Rounding out Mr. Pierce’s top 10 intelligence goals are threats to Your Internet:
- Mass campaign (widespread, significant volume, or high level of success)
- Has, or expected to have, significant media attention (inquiries expected)
- New or significant actors, campaigns, tools, or tactics
The significance of large-scale attacks and the “noise” surrounding them cannot be discounted. When an exploit goes into the wild, when the media harps on a negative campaign, or when a particular threat actor suddenly becomes more active, a thorough search of Internet sources will reveal the data – data that will indicate a need for heightened attention to a pending problem.
Being strategic and setting your threat intelligence goals is a good first step towards driving down risk to your organization. While a comprehensive threat intelligence program is composed of many elements, Mr. Pierce emphasized how integrating tools and technologies – including Recorded Future – is a major asset to information discovery. Recorded Future supplies:
- An enriched dataset from over 700,000 web sources.
- The ability to collect threat information in seven languages.
- A fast method of getting to “Your Destination.”
Mr. Pierce recommends companies combine the right integrated tools with SMART goals, priorities, and plans; employ diligent threat analysts; listen to experts and invest properly; and strategically consume and share threat intelligence — in alignment with your top threat intelligence goals — to reduce the attack surface the “Internet-as-a-Source” has introduced.