Threat Intelligence

6/29/2018
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Why Sharing Intelligence Makes Everyone Safer

Security teams must expand strategies to go beyond simply identifying details tied to a specific threat to include context and information about attack methodologies.

Cybersecurity is sometimes viewed as being inherently reactive. But given the security issues we face today, security professionals must push beyond merely blocking an attack before a network breach. Cybersecurity teams must also have the ability to disrupt an attack from achieving its goal. This might sound similar to blocking an attack, but there's more to it.

This foresight can be acquired through knowledge of the kill chain, which refers to models that map the stages of attacks from initial system probing and network penetration to the final exfiltration of valuable data. Some people in our industry describe this process as "cyber threat intelligence."

The Strategy Behind Cyber Threat Intelligence
Such a strategy goes beyond signatures or details tied to a specific threat. It could also include context and information about attack methodologies, tools utilized to obscure an infiltration, methods that hide an attack within network traffic, and tactics that evade detection.

It is also important to understand the different kinds of data under threat, the malware in circulation, and, more importantly, how an attack communicates with its controller. These elements of foresight enable the disruption of an attack at any of the points mentioned above.

But threat intelligence is also about being qualitative, at least to the degree that it can be leveraged to respond to an attack, whether that means a forensic analysis for full recovery or the attribution and prosecution of the people responsible for the attack.

Sources of Cyber Threat Intelligence
Information sharing is a critical aspect of any security strategy. It's critical to compare the network or device you are trying to protect against a set of currently active threats; this allows you to assign the right resources and countermeasures against different attacks.

To leverage intelligence, start by accessing a variety of threat intelligence sources, some of which might include:

  • Actionable insights from manufacturers: These arrive as a part of regular security updates or, more accurately, as a signature with the ability to detect a known threat.
  • Intelligence from local systems and devices: When you establish a baseline for normal network behavior, it becomes easier to assess when something is out of whack. Spikes in data, an unauthorized device attempting contact with other devices, unknown applications rummaging the network, or data being stored or collected in an unlikely location are all forms of local intelligence. This can be used to identify an attack and even triangulate on compromised devices.
  • Intelligence from distributed systems and devices: As is the case with local intelligence, similar intelligence can be collected from other areas of the network. As they expand, networks provide and create new infiltration opportunities for attacks or threats. Also, different network environments — virtual or public cloud, for example  often run on separate, isolated networking and security tools. In those cases, centralized process for both the collection and correlation of these different intelligence threads become necessary.
  • Intelligence from threat feeds: Subscription to public or commercial threat feeds help organizations enhance their data collection, both from their own environment and those collected from a regional or global footprint in real time. It could boil down to two formats:
    • Raw feeds: Security devices simply cannot consume raw data, usually because it lacks context. This intelligence is utilized better post-processing from customized tools or local security teams. Such an effort converts the raw data into a more practical format. An added advantage with raw feeds is that they're much closer to real time and are often cheaper to subscribe to.
    • Custom feeds: Information processed with context is easily consumed by security tools; an example could be specific information delivered using tailored indicators of compromise. Vendors may customize the data for consumption by an identified set of security devices. At the same time, organizations also need to ensure that their existing tools support common protocols for reading and utilizing the data.
  • Intelligence between industry peers: Information sharing has become an advantageous norm for many. Several groups, such as ISACs (information sharing and analysis centers) or ISAOs (information sharing and analysis organizations), share threat intelligence within the same market sphere, geographic region, or vertical industry. They are especially useful for identifying threats or trends affecting your peers with the potential to impact your own organization.

Intelligence in the corporate ecosystem is important, but the opportunity to reduce the number of threats, potentially exposing everyone to less risk, is more valuable than the advantage received from holding on to this information. Sharing is an important aspect of any security strategy. Then again, so is access to actionable intelligence in real time.

Whatever the case, just remember that sharing your own threat intelligence serves to make everyone safer.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Sanjay Vidyadharan heads Marlabs' innovations team, which is responsible for next-gen digital technology services and digital security. Sanjay's team plays a key role in innovating new technology platforms and intellectual properties. Under his leadership, Marlabs has ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign
Jai Vijayan, Freelance writer,  7/10/2018
7 Ways to Keep DNS Safe
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Locked device, Ha! I knew there was another way in.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14337
PUBLISHED: 2018-07-17
The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 contains a signed integer overflow, possibly leading to out-of-bounds memory access because the mrb_str_resize function in string.c does not check for a negative length.
CVE-2018-14329
PUBLISHED: 2018-07-17
In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink attack.
CVE-2018-14331
PUBLISHED: 2018-07-17
An issue was discovered in XiaoCms X1 v20140305. There is a CSRF vulnerability to change the administrator account password via admin/index.php?c=index&a=my.
CVE-2018-14333
PUBLISHED: 2018-07-17
TeamViewer through 13.1.1548 stores a password in Unicode format within TeamViewer.exe process memory between "[00 88] and "[00 00 00]" delimiters, which might make it easier for attackers to obtain sensitive information by leveraging an unattended workstation on which TeamViewer has ...
CVE-2018-14334
PUBLISHED: 2018-07-17
manager/editor/upload.php in joyplus-cms 1.6.0 allows arbitrary file upload because detection of a prohibited file extension simply sets the $errm value, and does not otherwise alter the flow of control. Consequently, one can upload and execute a .php file, a similar issue to CVE-2018-8766.