Threat Analyst Insights: Threat Intelligence as a Leveler
May 31, 2018 • Greg Lesnewich
Cybersecurity is an expensive and demanding endeavor. Companies must implement a vast network of devices and software to monitor and control network activity before they even gain visibility into endpoints. Servers and workstations must be patched and their behavior monitored for potential infection. Most important, many argue, is acquiring and retaining top talent to defend a corporate network.
However, most organizations are not Fortune 500 companies that can both attract and afford to pay top talent in the information security field. The industry contains a spectrum of new and seasoned analysts, all with varying backgrounds, expertise, and perspectives on threats to networks and individuals. If a company is international, its information security analysts likely read different papers, consume different media, and view the world differently than other members of the same team.
Despite the differences in perspective and experience, the analysts all look at the same cluster of issues as their teammates. For example, in a security operations center (SOC), no matter the background, language, or SIEM used to monitor traffic, the analysts are presented with an IP, domain, or hash that they must evaluate. The same goes for incident response and vulnerability management; the threat must be evaluated on the fly.
The threat is not always as straightforward as an IP owned by AttackerOrg LLC or a domain typosquatting the company’s real online presence. Additionally, the SMEs, or top analysts, are not always monitoring the network — their shift ends, they take a vacation, they move on to another position or company. Often, less seasoned analysts must make the same decisions as experts without the years of experience or the pattern recognition developed from previous investigations.
Level the Playing Field
Threat intelligence can compensate for the talent gap that many companies face, either in their ability to hire or in the breadth of ability on a team. Threat intelligence can be packaged in reports, threat feeds, or simply AV detections. It is also language-agnostic: if an analyst observes an IP in a threat list or a report, they can assess the threat more rapidly regardless of their background.
A quality threat intelligence program levels the playing field and can improve the ability of newer analysts to understand threats by providing the same information and context to each analyst on a team. This removes interpretation as both a strength and a weakness — a veteran analyst may have better Googling skills to hunt a hash, while a more junior analyst may only query VirusTotal and find no results. A threat intelligence platform puts the same information in an easy-to-comprehend format for analysts to both understand and use.
Take, for example, an unknown external IP address attempting to connect over TCP port 445. A newer analyst may not know the IP address, but sees that other devices on the network use SMB on port 445 to transfer files and data between servers. An experienced analyst would likely know that an exploit for SMB has recently been used by ransomware to propagate, and could identify the IP as likely compromised based on its owner, location, and open source data.
Adversaries, worms, and malspam campaigns do not wait or press pause for the senior analyst to get back to their workstation. A threat intelligence program mitigates this knowledge gap by providing the same threat information to both the senior and the junior analyst. While some of its benefits may simply be time saving, a well-informed junior analyst will be better equipped to prevent an intrusion into the network.
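As an added example (not code from the original post), a minimal triage routine for the scenario above: each inbound connection is enriched from one shared feed, so the junior analyst sees the same owner, location, and campaign context the veteran would have found by hand. The feed entries, log format, and addresses are all constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed threat-intel feed (hypothetical context, not real indicators).
# External addresses are taken from the RFC 5737 documentation ranges.
THREAT_FEED = {
    "203.0.113.7": {"owner": "ExampleHost Ltd (constructed)", "country": "ZZ",
                    "context": "observed scanning TCP/445; SMB worm propagation", "risk": 90},
}

# RFC 1918 plus loopback. ipaddress.is_private is deliberately not used here, because
# it also classifies the documentation ranges as private and would hide the samples.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass
class Verdict:
    src: str
    severity: str   # info, low, medium, high
    reason: str

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage_connection(src: str, dport: int, feed: dict = THREAT_FEED) -> Verdict:
    """Attach the same feed context every analyst would see to one inbound connection."""
    if is_internal(src):
        return Verdict(src, "info", "internal source; SMB between internal hosts is expected")
    hit = feed.get(src)
    if hit:
        return Verdict(src, "high", f"feed match: {hit['owner']} ({hit['country']}); "
                                    f"{hit['context']}; risk {hit['risk']}")
    if dport == 445:
        return Verdict(src, "medium", "external source to SMB (TCP/445), no feed context; escalate")
    return Verdict(src, "low", "external source, no feed match, non-SMB port")

def parse_event(line: str) -> dict:
    """Parse one constructed key=value connection log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def triage_log(lines) -> list:
    return [triage_connection(e["src"], int(e["dport"])) for e in map(parse_event, lines)]

# Constructed sample connection log (not from any real network).
SAMPLE_LOG = [
    "ts=2018-05-31T09:58:01Z src=10.0.0.8 dst=10.0.0.5 dport=445",
    "ts=2018-05-31T09:58:07Z src=203.0.113.7 dst=10.0.0.5 dport=445",
    "ts=2018-05-31T09:58:09Z src=198.51.100.2 dst=10.0.0.5 dport=445",
    "ts=2018-05-31T09:58:12Z src=198.51.100.2 dst=10.0.0.5 dport=443",
]

if __name__ == "__main__":
    for v in triage_log(SAMPLE_LOG):
        print(f"{v.severity:6} {v.src:14} {v.reason}")
```

The external source with no feed entry is still escalated on port 445 alone, which is the decision the page says a junior analyst otherwise has to make unaided.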
Improve Decision Making
Threat intelligence aims to improve decision making across an enterprise, from executive members down to the most junior firewall engineer. Arming an entire corporate security team with the same information provides both context for an individual threat and an understanding of the general threat landscape. It improves the ability of analysts to make decisions without a second set of eyes, and can speed up analysis and decision making across an enterprise.
While a threat intelligence program can’t compete with having a team of seasoned, well-informed analysts who conduct their own intelligence and data gathering, it can make a less sophisticated team more informed, allowing it to respond and adapt more rapidly than it would otherwise. The team that can evolve with threats the fastest will be the most successful in defending its network.
To learn more about how effective threat intelligence can improve your security programs, request a personalized demo.