The Recorded Future Blog
Threat Intelligence Tweaks That’ll Take Your Security to the Next Level
by Pete Hugh on March 15, 2016
- Conduct internal hunting projects to maintain strong, skilled, and battle-tested security teams.
- If your needs aren’t serviced by the market, creating a proprietary capability in-house may well be the best use of resources.
- Rigorously test your defensive capabilities by collaborating with your red team on real-world POC exercises.
Addictive, isn’t it?
Hunting threats. Remediating vulnerabilities. Tirelessly staying abreast of the latest threat intelligence.
And as your knowledge grows, you realize how much more you could be doing to keep your organization safe. So now that you have the fundamentals covered, what’s next?
With these three threat intelligence tweaks, you can take your cyber security from the basics to the world-class level.
Sharpen Your Claws With Internal Hunting
Think of your security mechanisms like an army in peacetime. Just because nothing much seems to be happening right now, doesn’t mean you should sit back and wait.
Internal hunting is the process of aggressively tracking and eliminating threats. This includes things like device and network mapping, distinguishing between good and bad behavior, searching for anomalies, and setting up/monitoring honeypots.
This type of proactive security work has a whole host of benefits, including:
- Enhanced contextual threat intelligence.
- Better visibility of potential weaknesses.
- Early and accurate threat detection.
- Opportunity to control and minimize damage from unexpected threats.
- Improved defenses against identified threats.
- The ability to avoid fines and bad publicity.
And on the face of it, these proactive activities seem like sensible security measures, which of course they are.
But there’s more to it than that.
During times of peace, armies don’t simply conduct exercises with the aim of maintaining skills in shooting, building clearance, and so on. They do it because it stops the troops from becoming soft and lazy.
When a war breaks out, you don’t just need soldiers with well-practiced skills, you need them to be mentally ready.
The same is true of your information security teams.
By engaging in internal hunting, your security teams will constantly hone and develop their skills. This is exactly what threat actors are doing, so why let your defenses fall behind?
They’ll also learn to work effectively as a team. People inevitably have strengths and weaknesses, which can be brought to the fore through enhanced teamwork and information sharing.
Last, and perhaps most difficult to quantify, is the tangible evidence of return on investment (ROI) to the organization. Executive teams are increasingly becoming aware of how damaging a successful breach can be, but very few security or threat intelligence activities can be reliably be measured in terms of ROI.
On the other hand, the success of an internal hunting operation is eminently measurable, and bound to be well received.
Action: Aggressively track and eliminate threats through internal hunting.
Result: Tried and tested security teams.
Realize Nobody Sees Everything — And Act Accordingly
When you start to take threat intelligence seriously, there’s one fact that should always be kept firmly in mind.
Nobody sees everything. Not even the NSA.
And knowing this, you’ll be able to approach vendors with realistic expectations. Their solutions can provide strategic threat intelligence, but they probably aren’t going to provide information about specific events within your network.
And this is not to say that you should avoid open source intelligence (OSINT) platforms. They provide a great deal of value, and will enable you to make informed, contextual decisions about both proactive and reactive security activities.
But what it does mean is that, under the right circumstances, an internal effort to create a proprietary threat intelligence capability can be an excellent use of resources.
Do you have a need that isn’t serviced by the market? Then perhaps it’s time to solve your own problem.
Imagine, for instance, that you develop a crawler to analyze the (Web) page code of the organization’s top 5,000 daily Internet destinations. Each day this crawler will provide tangible data points, which over time become an extremely effective mechanism for identifying drive-by attacks, or other anomalous activity.
This is the sort of valuable threat intelligence that you’ll never receive from an off-the-shelf solution, but which could potentially help you prevent (or minimize the impact of) future breaches.
Not only that, if you develop the solution in-house, you’ll be honing skillsets that could become extremely handy in the future.
Action: Develop in-house cyber security capabilities.
Result: Threat intelligence that’s tailored to your environment.
Use Real-World Scenarios
Running real-world, or proof of concept (POC) exercises is truly a sign of next-level security.
You may technically be prepared for certain threat actor tactics, techniques, and procedures (TTPs), but until you’ve done it in practice you never really know.
That’s where your red team comes in.
The idea is to employ real-world TTPs in a controlled environment to see what affect they would have in your environment. And when you start doing this, you might be surprised by the results.
That malware you thought you were safe from? Turns out that when deployed in your environment it has a completely unexpected side effect that you might not be prepared to resolve.
By engaging in rigorous red team testing procedures, you can identify these little surprises ahead of time, and greatly improve your organization’s defensive capability.
Now, of course, building these real-world scenarios and measuring the effectiveness of your defensive controls requires time and resources. If you want real results, this is not something that can be dumped on already-busy security professionals.
But if you really want to develop a world-class security facility, rigorously and routinely testing your defensive capabilities is an absolute must.
Action: Use POC exercises to rigorously test your defensive capabilities.
Result: Greater understanding of the potential impact a breach might have on your environment.
Proactive Beats Reactive Every Time
You’ve noticed, no doubt, that each of the approaches suggested above is highly proactive.
And there’s a good reason for that.
Threat actor TTPs continue to evolve, and simply building a wall around your assets is no longer enough to keep them out. If you want to defend against determined, skilled attackers, you’re going to need to start thinking the way they do.
If you can manage to do that reliably, you’re a long way towards fielding a truly world-class cyber security facility.