December 27, 2017 • RFSID
Cyber threat intelligence is often misunderstood. To generate true intelligence, you first need data. But you also need to be in a position to convert that data into actionable information, such that it can be properly analyzed.
From there, you need to put context around the information — both from a technical perspective and a business-impact perspective. This context is the key to transforming the information into actual cyber threat intelligence.
Once contextualized, your information security team can then leverage the intelligence to mitigate cyberattacks that truly threaten your digital assets, while also avoiding false positives that will waste their valuable time.
In this blog, we take a look at three myths that contribute to the confusion over cyber threat intelligence. Understanding the misconceptions behind each myth can help your business zero in on what it needs to do to build a comprehensive security strategy that protects the business from cyber threats.
We can get all the threat intelligence we need from internal data and logs.
Yes, you can glean a lot of threat information and mitigate some cyber risks based on your internal system logs and data. But relying on this approach alone puts you into reactionary mode. You can only respond to security events that are happening on your network, instead of preventing events from ever happening in the first place.
And once a security threat breaches your network, it may be too late to mitigate all the damage. If you only look at internal data — such as event logs, security information and event management (SIEM) logs, firewall logs, and behavior analysis — you will miss intelligence on external threats that might rear their ugly heads at any time.
Leveraging external threat intelligence data can show you how your industry, technologies, and even your specific digital assets are being targeted — with relevant information on new vulnerabilities, exploits, and malware, all going after the company’s crown jewels.
External intelligence can also help you know what to look for within your internal intelligence tools. You will likely be able to identify threats that your internal logs can’t find, such as spear phishing attacks or malware targeting industry-specific hardware or software. This saves time for your information security team, which they might otherwise spend chasing false positives or threats that have little to no impact on your business.
In addition, external intelligence helps put context around your internal intelligence so you can relate it back to the business and know what to prioritize. Without external intelligence, you might raise the level of a threat higher than it needs to be.
If you are in the financial services sector, for example, perhaps you come across an indicator such as an IP address that triggers an alert. Without external threat intelligence, you would have to hunt around to see if it really poses a risk for the financial sector, and why. Making connections like this manually is far too time consuming and potentially unreliable. The IP address might also lead you to a vulnerability that you’ll then be sure you need to prioritize.
In a case like this, you may well have vulnerable devices that you want to patch at some point. But if this particular threat targets another industry, it is not an urgent matter for your business — at least not when weighed against a targeted attack gearing up against your own defenses.
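The financial-services scenario above, worked through as an added example (this is illustrative code written for this page, not a vendor product's logic): an internal alert fires on an IP address, and external context about the actor behind it (which sectors it targets, which vulnerabilities it exploits, how recently and by how many sources it was seen) decides the priority. The indicator values, the context records, the placeholder CVE ids and the scoring weights are all constructed assumptions.

```python
"""Added example: prioritizing an internal IP alert with external context.

The alert indicators, the external context records, the placeholder CVE ids
and the scoring weights are all constructed for illustration.
"""

# Constructed external context keyed by indicator (TEST-NET addresses).
# The CVE ids are placeholders, not real vulnerability identifiers.
EXTERNAL_CONTEXT = {
    "203.0.113.45": {
        "targeted_sectors": {"financial services", "insurance"},
        "associated_vulns": {"CVE-0000-0000"},
        "last_seen_days_ago": 2,
        "source_count": 3,
    },
    "198.51.100.7": {
        "targeted_sectors": {"manufacturing"},
        "associated_vulns": {"CVE-0000-0001"},
        "last_seen_days_ago": 40,
        "source_count": 1,
    },
}


def prioritize(indicator, our_sector, our_unpatched_vulns, context=EXTERNAL_CONTEXT):
    """Return (priority, reasons) for an alert on `indicator`.

    Assumed scoring weights:
      +3 if the threat is known to target our sector
      +3 if it exploits a vulnerability we have not patched yet
      +1 if it was seen within the last 7 days
      +1 if more than one external source reports it
    """
    info = context.get(indicator)
    if info is None:
        # No external context at all: the analyst has to hunt manually,
        # which is exactly the slow path the text describes.
        return "unknown", ["no external context; investigate manually"]

    score, reasons = 0, []
    if our_sector in info["targeted_sectors"]:
        score += 3
        reasons.append(f"targets our sector ({our_sector})")
    overlap = info["associated_vulns"] & set(our_unpatched_vulns)
    if overlap:
        score += 3
        reasons.append("exploits unpatched vulns: " + ", ".join(sorted(overlap)))
    if info["last_seen_days_ago"] <= 7:
        score += 1
        reasons.append("active in the last 7 days")
    if info["source_count"] > 1:
        score += 1
        reasons.append(f"corroborated by {info['source_count']} sources")

    if score >= 6:
        priority = "urgent"
    elif score >= 3:
        priority = "high"
    elif score >= 1:
        priority = "medium"
    else:
        priority = "low"
        reasons.append("not aimed at our sector or assets; patch on the normal schedule")
    return priority, reasons


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.7", "192.0.2.1"):
        print(ip, prioritize(ip, "financial services", {"CVE-0000-0000"}))
```

The same indicator lands in different queues depending on the business context it is joined with: a threat that targets another sector and none of your unpatched software scores "low" even though it is a confirmed indicator, while one aimed at your sector and your open vulnerabilities scores "urgent".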
External threat intelligence is just a matter of tapping into data feeds.
External threat intelligence comes in many forms — vulnerability feeds, targeted threat feeds, social media feeds, dark web alerts, and nation-state warnings, just to name a few. There are hundreds, and perhaps more than a thousand, that you can choose from.
The amount and type of data that each source provides also varies widely. Some pump out data constantly, while others present only those events they consider to be major. Some simply present threat titles, while others go into deep technical descriptions.
Whether you tap into one, 10, or 100 sources, just getting a stream of data is not enough. You also need the ability to evaluate the data and put the data into context so you can understand how it impacts your IT network and your business. It’s also important to correlate data from many feeds. Multiple perspectives are usually required to truly evaluate the seriousness of a particular threat to your environment, and to make sure you find out about threats as soon as possible.
For example, the NIST National Vulnerability Database (NVD) is an excellent and comprehensive resource for finding out many details about new vulnerabilities. However, there is often a gap between the first public announcement of a vulnerability and its publication on the NVD, sometimes as much as one full week. If the NVD were your only source, your infrastructure might already be infected before you realize the threat exists. Obviously, other content sources are required to stay up to date with the latest vulnerabilities.
Threat intelligence experts can easily analyze threat data feeds.
Businesses that realize the value of external threat intelligence data feeds and understand the need to put that data into business context may still find that they have too much information — they can’t make sense of it. The technical context does not easily or directly map to business context.
To effectively ingest threat intelligence data feeds, human expertise is simply not enough. You also need tools and a process to manage all the information. Humans on their own don’t have the capacity to absorb and understand all the variables and all the “if-then” paths of a potential threat.
Without the ability to make sense of all the data — by first turning that data into information and then turning the information into intelligence — your information security team is likely wasting their time. Even if you use free threat intelligence data feeds, you will still spend money on the back end as the team chases false positives. What’s worse, they may end up missing real threats that could have a major impact on your digital assets and your end-user productivity.
Tools and process are also required to combine external threat intelligence data with internal data. Before feeding external threat intelligence data into your SIEM system, you need to analyze the data by correlating, stripping, and synthesizing the feeds, and then putting it all into context based on analysis from other feeds and data sources. Only then will the intersection of external and internal data make sense.
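The correlating, stripping and synthesizing step described here (and the multi-feed correlation called for earlier in the post) as an added example; this is illustrative code written for this page, not any vendor's pipeline. Two constructed feeds in different formats are normalized to one record shape, malformed and internal addresses are stripped, records for the same indicator are merged (sources unioned, highest confidence and earliest first-seen kept), and only indicators corroborated by at least two feeds or rated with high confidence by one are handed to the SIEM. The feed formats, field names and thresholds are assumptions.

```python
"""Added example: normalizing, de-duplicating and corroborating indicators
from several external feeds before they reach a SIEM.

The two feeds below are constructed samples in made-up formats; the
corroboration thresholds are assumptions for illustration.
"""
import csv
import io
import ipaddress
import json
from datetime import date

# Address ranges that should never be forwarded as external indicators;
# internal and loopback space would only generate noise in the SIEM.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed feed A: CSV with a header row and a 0-100 confidence.
FEED_A = """indicator,type,confidence,first_seen
203.0.113.45,ipv4,70,2017-12-20
10.0.0.5,ipv4,95,2017-12-21
not-an-ip,ipv4,50,2017-12-21
198.51.100.7,ipv4,95,2017-12-18
"""

# Constructed feed B: JSON array with different field names and a 0-1 score.
FEED_B = json.dumps([
    {"ioc": "203.0.113.45", "kind": "ipv4", "score": 0.6, "seen": "2017-12-19"},
    {"ioc": "192.0.2.9", "kind": "ipv4", "score": 0.4, "seen": "2017-12-22"},
])


def valid_external_ip(value):
    """True for a well-formed IP address that is outside internal ranges."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def parse_feed_a(text):
    """Normalize feed A rows to the common record shape."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"value": row["indicator"].strip(), "type": row["type"],
               "confidence": int(row["confidence"]),
               "first_seen": date.fromisoformat(row["first_seen"]),
               "source": "feed_a"}


def parse_feed_b(text):
    """Normalize feed B records; its 0-1 score is rescaled to 0-100."""
    for rec in json.loads(text):
        yield {"value": rec["ioc"].strip(), "type": rec["kind"],
               "confidence": int(round(rec["score"] * 100)),
               "first_seen": date.fromisoformat(rec["seen"]),
               "source": "feed_b"}


def correlate(records):
    """Strip unusable records and merge the rest per indicator: union the
    sources, keep the highest confidence and the earliest first-seen date."""
    merged = {}
    for r in records:
        if r["type"] == "ipv4" and not valid_external_ip(r["value"]):
            continue  # malformed or internal address
        key = (r["type"], r["value"])
        m = merged.setdefault(key, {"value": r["value"], "type": r["type"],
                                    "confidence": 0, "first_seen": r["first_seen"],
                                    "sources": set()})
        m["confidence"] = max(m["confidence"], r["confidence"])
        m["first_seen"] = min(m["first_seen"], r["first_seen"])
        m["sources"].add(r["source"])
    return merged


def select_for_siem(merged, min_sources=2, min_confidence=90):
    """Forward only indicators seen by several feeds or rated highly by one
    (the thresholds are assumptions)."""
    out = []
    for m in merged.values():
        if len(m["sources"]) >= min_sources or m["confidence"] >= min_confidence:
            out.append({**m, "sources": sorted(m["sources"])})
    return sorted(out, key=lambda m: m["value"])


def build_siem_indicators():
    """Run both constructed feeds through the whole pipeline."""
    records = list(parse_feed_a(FEED_A)) + list(parse_feed_b(FEED_B))
    return select_for_siem(correlate(records))


if __name__ == "__main__":
    for ind in build_siem_indicators():
        print(ind["value"], ind["confidence"], ind["sources"], ind["first_seen"])
```

Of the six raw records, two are stripped (a private address and a malformed one), the two sightings of 203.0.113.45 collapse into one corroborated record with the earlier date, and the single low-confidence sighting of 192.0.2.9 never reaches the SIEM. Adding a third feed is a matter of writing one more small normalizer; the correlation and selection logic stays the same.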
By automating the analysis process, information security experts can then focus on the output that first identifies the true red flags, as well as the false positives. The team can then make sure it focuses its efforts on mitigating the threats that can do the most potential harm to the business.
Businesses sometimes think the more threat intelligence data they collect, the more they know. But if they can’t correlate the data and put it into context, they might get the wrong results; perhaps they see the results they expect to get, but not the results that will make a difference.
It’s very difficult to put threats into context, both from a technical standpoint and a business standpoint. Without analyzing external threat intelligence data together with a complement of internal data sources (both humans and machines), you will either miss threats you need to know about, or chase threats you shouldn’t be chasing.
Putting threat intelligence feeds into context and understanding what you need to do with the data can steer your business down the right path. You can then map to the context of the business impact so your information security team can prioritize how it will act — and keep the business protected from cyberattacks.
To find out more about how threat intelligence can help in protecting your business, take a look at our white paper “Best Practices for Applying Threat Intelligence.”