COVID-19 has opened the cyberattack floodgates; defenders need strong cyber threat intelligence (CTI) analysis, operationalization and sharing. Here’s how to get more from your CTI program.
Some alarming new statistics this month. With COVID-19 as a backdrop, cyber-attacks are reported to be up 14,000%, led by a spike in ransomware. A 6,000% increase in spam was also reported, as attackers take advantage of nervous users with fictitious coronavirus news and miracle cures.
Of course, an explosion of cyber-attacks around COVID-19 comes as no surprise to cybersecurity professionals. Cybercriminals have perfected their ability to make an illegal buck on human misery. Global pandemic? Great news for online bad guys – the world population is a potential target.
As Sun Tzu put it, “If you know your enemy and know yourself, you need not fear the results of a hundred battles.” In plain cybersecurity terms, this means comparing the latest cyber threat intelligence (CTI) with what is actually happening on your organization’s network: the files, behaviors, and network traffic in your own telemetry that match known-malicious indicators and known adversary behavior.
Yeah, I know, this is an obvious conclusion, but many organizations continue to take a very basic approach to CTI. For example:
Leaning on vendors. Part of being an endpoint or network security vendor is keeping up with attack patterns, developing countermeasures, and sharing them with customers. Okay, but this is a first line of defense and nothing more.
Equating threat intelligence with indicators of compromise. Cyber-adversaries use domains, URLs, IP addresses, and files within their attacks. Threat intelligence researchers watch for this activity and report the malicious artifacts they find as indicators of compromise (IoCs): domain names, IP addresses, URLs, and file hashes. Blocking known-bad IoCs is useful, but it’s a baby step, because indicators are cheap for an adversary to change while the tactics, techniques, and procedures behind them are not.
Limited use of threat intelligence feeds. I’m always surprised that sophisticated organizations spend hundreds of thousands of dollars for commercial threat feeds with the attitude that when it comes to CTI, more is always better. They then use homegrown tools for CTI management or feed IoCs into their SIEM but perform little further analysis. How is this strategy worthwhile?
Leading organizations go well beyond this. Operationalize CTI programmatically. There are really two things you do with CTI: operationalize it and analyze it. Operationalization is the process of using threat intelligence to fine-tune security controls in near real time. Yes, security technology vendors can help here, but leading organizations centralize all cyber threat intelligence, compare different feeds, and then create runbooks to turn malicious IoCs into blocking rules on firewalls, web gateways, endpoints, email security filters, etc. Those runbooks should vet indicators before they reach a control: deduplicate across feeds, require corroboration before auto-blocking, drop anything on an internal allowlist, and expire stale indicators so block lists do not grow without bound. Many organizations use SOAR tools to help automate this process.
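The feed-merging and rule-generation step of such a runbook, as an added example in Python (this is not code from the article): indicators from three constructed feeds are refanged (the hxxp and [.] notation analysts use when sharing), deduplicated, blocked only when at least two feeds corroborate them, flagged for alerting when only one feed reports them, and skipped when they fall on a constructed internal allowlist. The feed names, the allowlist, and the rule formats (an iptables drop, a generic proxy denylist entry, an EDR hash block) are assumptions for illustration, not any vendor's real syntax.

```python
"""Added example (not from the original article): merge IoCs from several
feeds, refang and deduplicate them, score each by how many independent
feeds report it, drop anything on an internal allowlist, and emit blocking
rules only for corroborated indicators. Feed contents, the allowlist and
the rule formats are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample feeds. Feeds often share indicators "defanged"
# (hxxp, [.]) so they cannot be clicked; that must be undone before matching.
FEEDS = {
    "vendor_feed": [
        "203[.]0[.]113[.]45",
        "malware-c2[.]example",
        "hxxp://malware-c2[.]example/gate.php",
        "44d88612fea8a8f36de82e1278abb02f",
    ],
    "isac_feed": [
        "203.0.113.45",
        "MALWARE-C2.EXAMPLE",
        "198.51.100.7",
        "cdn.corp.example",  # a feed error: this is our own CDN host
    ],
    "osint_feed": [
        "198.51.100.7",
        "hxxp://malware-c2[.]example/gate.php",
        "192.0.2.10",  # a feed error: this is inside our own address range
    ],
}

# Constructed allowlist of infrastructure that must never be auto-blocked.
ALLOWLIST = {"cdn.corp.example", "192.0.2.0/24"}

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # MD5/SHA-1/SHA-256


def refang(value):
    """Undo common defanging and lowercase the indicator."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    if v.startswith("hxxp"):
        v = "http" + v[4:]
    return v


def classify(value):
    """Return (type, canonical value) for one indicator string."""
    v = refang(value)
    if v.startswith(("http://", "https://")):
        return "url", v
    if HASH_RE.match(v):
        return "hash", v
    try:
        ipaddress.ip_address(v)
        return "ip", v
    except ValueError:
        return "domain", v


def is_allowlisted(kind, value):
    """Exact match for names; CIDR containment for IP addresses."""
    for entry in ALLOWLIST:
        if "/" in entry:
            if kind == "ip" and ipaddress.ip_address(value) in ipaddress.ip_network(entry, strict=False):
                return True
        elif entry == value:
            return True
    return False


def merge_feeds(feeds):
    """Map (type, canonical value) -> set of feed names that reported it."""
    seen = defaultdict(set)
    for feed_name, items in feeds.items():
        for item in items:
            seen[classify(item)].add(feed_name)
    return seen


def build_rules(feeds, min_feeds=2):
    """Decide per indicator: skip (allowlisted), block (corroborated) or alert (single source)."""
    decisions = []
    for (kind, value), sources in sorted(merge_feeds(feeds).items()):
        if is_allowlisted(kind, value):
            action = "skip"
        elif len(sources) >= min_feeds:
            action = "block"
        else:
            action = "alert"
        decisions.append({"type": kind, "value": value,
                          "sources": sorted(sources), "action": action})
    return decisions


def render(decisions):
    """Turn block decisions into control-specific lines (formats are illustrative)."""
    lines = []
    for d in decisions:
        if d["action"] != "block":
            continue
        if d["type"] == "ip":
            lines.append(f"iptables -I FORWARD -d {d['value']} -j DROP")
        elif d["type"] in ("domain", "url"):
            lines.append(f"proxy-deny {d['value']}")
        elif d["type"] == "hash":
            lines.append(f"edr-block-hash {d['value']}")
    return lines


if __name__ == "__main__":
    decisions = build_rules(FEEDS)
    for d in decisions:
        print(f"{d['action']:5} {d['type']:6} {d['value']}  ({', '.join(d['sources'])})")
    print("\n".join(render(decisions)))
```

The allowlist check runs before the corroboration check on purpose: two feeds agreeing that your own CDN is malicious is still a feed error, and the runbook must fail safe rather than take the organization off the air. Single-source indicators are routed to alerting rather than discarded, so they still generate detections while waiting for corroboration.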
Analyze, analyze, analyze. Leading organizations analyze everything: open source threat feeds, commercial threat feeds, blogs, social media posts, dark web chatter, etc. Beyond IoCs, these organizations want to understand who is attacking them and the tactics, techniques, and procedures (TTPs) they are using. This intelligence is collected, processed, analyzed for real-time threats, and then stored for future use. Analysis tends to be very focused on adversaries and campaigns that pose a direct risk to the organization. Strong CTI programs are formalized, documented, and process-driven, and they require purpose-built threat intelligence platforms. These systems are extremely useful for managing massive CTI volumes, analyzing CTI, comparing threat intelligence to internal behavior, and hunting, and some even have SOAR-like capabilities for threat remediation.
When it comes to threat intelligence, sharing is caring. Leading organizations participate in industry ISACs (Information Sharing and Analysis Centers) and local communities as both CTI providers and consumers. Additionally, I’ve never met a threat analyst who doesn’t have a strong personal network they regularly communicate with on an informal basis. Oh, and part of collaboration is knowing when you need help.
Don’t forget the past. Something that seemed totally benign six months ago may be a needle in the proverbial haystack today. When new malicious campaigns arise, threat analysts go back through security telemetry to see if they missed something. This kind of retrospective hunting requires retaining historical security data, which is one reason we are seeing a proliferation of security data lakes built on the ELK stack or commercial offerings like Google Chronicle. The practical constraint is retention: an indicator published today is only useful retroactively if the DNS, proxy, and endpoint records from the period it was active still exist.
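A retrospective hunt of the kind described above, as an added example in Python that is not code from the article: a constructed campaign report with four indicators is swept against constructed proxy, DNS and EDR records, and the result is the earliest sighting of each indicator, how many days before publication it first appeared in the environment, which indicators had no sightings at all, and which hosts to triage first. The log format, host names, timestamps and indicator values are all constructed; in practice the records would come from a data lake query rather than a Python list.

```python
"""Added example (not from the original article): sweep retained telemetry
for the indicators in a newly published campaign report and report the
earliest sighting of each, how long before publication it appeared, and
which hosts to triage first. Indicators, timestamps and log lines are
constructed for illustration."""
from datetime import datetime, timezone

# Constructed campaign report, defanged as it would be shared.
CAMPAIGN_IOCS = {
    "malware-c2[.]example",
    "203[.]0[.]113[.]45",
    "198[.]51[.]100[.]7",
    "44d88612fea8a8f36de82e1278abb02f",
}
PUBLISHED = datetime(2020, 4, 20, tzinfo=timezone.utc)

# Constructed historical records: "<source> <utc timestamp> <host> <observables...>".
# Six months ago the first line looked like any other web request.
HISTORY = [
    "proxy 2019-10-28T13:40:11Z ws-021 malware-c2.example /gate.php 200",
    "proxy 2019-10-28T13:40:15Z ws-021 cdn.corp.example /lib.js 200",
    "dns 2019-11-03T07:12:48Z ws-044 malware-c2.example 203.0.113.45",
    "edr 2019-12-20T08:02:55Z ws-044 44D88612FEA8A8F36DE82E1278ABB02F update.exe",
    "proxy 2020-02-11T22:05:09Z ws-102 203.0.113.45 /index.html 404",
    "proxy 2020-04-01T10:00:00Z ws-007 example.org / 200",
]


def refang(value):
    """Undo common defanging and lowercase the indicator."""
    v = value.strip().lower().replace("[.]", ".")
    return "http" + v[4:] if v.startswith("hxxp") else v


def parse_line(line):
    """Split one record into (source, aware datetime, host, lowercased observables)."""
    source, ts, host, *fields = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return source, when, host, [f.lower() for f in fields]


def retro_hunt(iocs, history, published):
    """Return indicator -> sighting summary for every indicator found in history."""
    wanted = {refang(i) for i in iocs}
    hits = {}
    for line in history:
        source, when, host, fields = parse_line(line)
        for field in fields:
            if field not in wanted:
                continue
            h = hits.setdefault(field, {"first_seen": when, "last_seen": when,
                                        "hosts": set(), "sources": set(), "count": 0})
            h["first_seen"] = min(h["first_seen"], when)
            h["last_seen"] = max(h["last_seen"], when)
            h["hosts"].add(host)
            h["sources"].add(source)
            h["count"] += 1
    for h in hits.values():
        # How long the indicator was active in our environment before anyone published it.
        h["lead_days"] = (published - h["first_seen"]).days
    return hits


def unmatched(iocs, hits):
    """Indicators with no sighting: a negative result worth recording, not silence."""
    return sorted({refang(i) for i in iocs} - set(hits))


def hosts_to_triage(hits):
    """Pivot from indicators to hosts, most indicators first, so responders get one worklist."""
    by_host = {}
    for ioc, h in hits.items():
        for host in h["hosts"]:
            by_host.setdefault(host, set()).add(ioc)
    ranked = sorted(by_host.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {host: sorted(iocs) for host, iocs in ranked}


if __name__ == "__main__":
    found = retro_hunt(CAMPAIGN_IOCS, HISTORY, PUBLISHED)
    for ioc, h in found.items():
        print(f"{ioc}: first seen {h['first_seen']:%Y-%m-%d} ({h['lead_days']} days before "
              f"publication), {h['count']} sightings on {sorted(h['hosts'])} via {sorted(h['sources'])}")
    print("no sightings:", unmatched(CAMPAIGN_IOCS, found))
    print("triage order:", hosts_to_triage(found))
```

Two details matter in practice. The hash in the EDR record is upper-case while the report lists it lower-case, so every observable is normalized before comparison, otherwise the oldest and most interesting hit is silently missed. And the indicator with no sightings is reported explicitly: "we looked and found nothing" is a finding the incident record should carry, and it is only meaningful if the telemetry for the relevant period was actually retained.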
A solid threat intelligence program isn’t easy and it’s incredibly hard to find good talent. Still, its importance can’t be overstated. As Sun Tzu might say, if you focus on internal security data and minimize threat intelligence analysis, you only see half the battlefield. CISOs should take an honest look at their capabilities and outsource CTI analysis and threat hunting if they don’t have the chops themselves.
There is little we can do medically about COVID-19 today, but we certainly can better defend our digital assets. To do so, we better get to know the enemy at a much more intimate level.