11/7/2018 10:30 AM
Jonathan Zhang
Commentary
5 Reasons Why Threat Intelligence Doesn't Work

Cybersecurity folks often struggle to get threat intelligence's benefits. Fortunately, there are ways to overcome these problems.

Offense is the best defense. To defend well, we must take the initiative. When we are aware, we can prepare. Whatever the motto of your cybersecurity team, fighting cybercrime requires keeping an ear to the ground to anticipate threats.

That's what threat intelligence is all about, isn't it? Identifying and mending the weak spots of corporate IT infrastructure before someone maliciously exploits them. At least that's what the theory says. And many organizations are buying into it: global spending on threat intelligence services will surpass $1.4 billion in 2018, up from $905.5 million in 2014.

The problem is, CSOs and cybersecurity folks often struggle to understand threat intelligence's benefits. Let's examine the reasons why and who's to blame — and how to move beyond those problems.

1. Mismatch with Particular Cybersecurity Needs
Cybersecurity teams sometimes see threat intelligence as the quick fix that will protect them from hackers and scammers. This expectation is largely overinflated. The fact is, there is no such thing as one-size-fits-all threat intelligence.

Instead, threat intelligence solutions must be implemented according to the particular security needs of each organization, suborganization, or even department. Otherwise, all that's being achieved is accumulating irrelevant data that gives a false sense of security.

A financial services company, for example, probably wants to pay close attention to website forgery and malicious contact forms aimed at deceiving targets into revealing their credit card and bank account numbers.

A pressing concern for technology providers, by contrast, is making sure proprietary information (such as trade secrets and R&D advancements) does not fall into the wrong hands, be it through email spoofing, poor encryption, or malware.

2. No Resources to Act Upon Threat Intelligence
Say that you have access to insights. How do you intend to use that information to respond to threats coming your way? The reality is that 44% of daily security alerts are never investigated, and threat intelligence data may end up unutilized, too, for a variety of reasons.

It could be that nobody in the organization knows how to interpret what they're looking at, much less act on it. Or they may lack leadership's commitment to the cause and the corresponding budget needed to shore up defenses.

Either way, knowing there is something wrong without understanding security flaws or having the means to resolve the situation does not reduce the prevalence or intensity of cyberattacks.

To overcome that gap, it's advisable to get C-level sponsors who are ready to allocate resources to train relevant employees about threat intelligence's working practices and the concrete steps for tackling flagged vulnerabilities.

3. Treating Threat Intelligence Like Any Other Cybersecurity Effort
There is an undeniable connection between threat intelligence and other cybersecurity initiatives. Threat intelligence is here to provide direction to security awareness undertakings, spot server misconfigurations, and stay on top of new forms of malware, among other things.

Following that train of thought, it is easy to assume that any security professional is ready to handle threat intelligence like a pro. However, there is a significant disparity in orientation and methodology.

More than anything else, threat intelligence is the job of an analyst whose expertise helps make sense of the big picture and establish a cybersecurity road map for proactive threat prevention and interception. That's much unlike the role of an incident response specialist trained to be reactive and respond to individual threats as they occur.

Acknowledging the discrepancy is essential, and that means responsibilities may need to be redistributed within cybersecurity teams — potentially dedicating someone to monitoring threats as they emerge in light of existing and recently acquired online assets.

4. Failing to Integrate Threat Intelligence
How can you make sure that your cybersecurity staff uses threat intelligence insights? The quickest path to product adoption is often by linking innovations to what users already know, and threat intelligence is no exception.

In fact, it's essential to connect threat intelligence and its data feeds to commonly deployed software such as, for example, security information and event management applications. Doing so will speed up implementation and make insights more accessible as part of a comprehensive cybersecurity program.

Lack of integration, on the other hand, not only makes threat intelligence less effective, it also adds to the workload of cybersecurity teams that need to manually assemble and compare data from yet another source to assess the infrastructure's well-being.
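To make the integration point concrete, here is a small added example (not code from the article or from the author's products) of what "connecting a threat intelligence feed to the SIEM" boils down to: indicators are loaded, filtered for freshness and confidence so stale entries don't generate noise, normalized so feed and log spellings agree, and then matched against log events. The CSV feed layout, the key=value log format, the field names (`src`, `dst`, `query`, `sha256`) and every indicator and log line are constructed for this example and do not correspond to any real vendor format or real infrastructure.

```python
"""Added example: matching a threat-intelligence feed against SIEM-style logs.
Every feed row and log line below is a constructed sample, not real data."""
import csv
import io
import ipaddress
import re
from datetime import datetime, timezone

# Constructed indicator feed in an assumed CSV layout (not a real vendor format).
FEED_CSV = """type,value,confidence,valid_until,source
ipv4,203.0.113.0/24,80,2019-01-01,feed-a
ipv4,198.51.100.7,95,2019-01-01,feed-b
domain,Login-Update.example.,70,2019-01-01,feed-a
domain,old-campaign.example,90,2018-06-01,feed-b
sha256,deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef,99,2019-01-01,feed-c
"""

# Constructed log lines in an assumed key=value shape: firewall, DNS, endpoint.
LOG_LINES = [
    "2018-11-07T10:31:02Z fw01 action=allow src=10.0.0.5 dst=203.0.113.44 dport=443",
    "2018-11-07T10:31:05Z dns01 query=login-update.example client=10.0.0.5",
    "2018-11-07T10:31:09Z dns01 query=intranet.example client=10.0.0.9",
    "2018-11-07T10:32:00Z edr01 host=ws-12 file=invoice.exe "
    "sha256=DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF",
    "2018-11-07T10:32:30Z dns01 query=old-campaign.example client=10.0.0.7",
]

NOW = datetime(2018, 11, 7, tzinfo=timezone.utc)  # evaluation time for expiry checks
KV_RE = re.compile(r"(\w+)=(\S+)")
IP_FIELDS = ("src", "dst")  # assumed log field names carrying IP addresses


def normalize_domain(value):
    """Lowercase and drop a trailing dot so feed and log spellings agree."""
    return value.strip().lower().rstrip(".")


def load_feed(csv_text, min_confidence=60, now=NOW):
    """Parse the feed, keeping only indicators that are unexpired and confident
    enough to be worth an analyst's time; the rest would only add SIEM noise."""
    indicators = {"ipv4": [], "domain": {}, "sha256": {}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        expires = datetime.strptime(row["valid_until"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if int(row["confidence"]) < min_confidence or expires < now:
            continue
        kind, value, source = row["type"], row["value"], row["source"]
        if kind == "ipv4":
            # Networks cover both single addresses and whole ranges.
            indicators["ipv4"].append((ipaddress.ip_network(value, strict=False), source))
        elif kind == "domain":
            indicators["domain"][normalize_domain(value)] = source
        elif kind == "sha256":
            indicators["sha256"][value.lower()] = source
    return indicators


def match_ip(value, networks):
    """Return (network, source) if the address falls inside a listed network."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None  # field did not hold an IP address
    for net, source in networks:
        if addr in net:
            return str(net), source
    return None


def match_line(line, indicators):
    """Return one alert per field of the line that hits an indicator."""
    alerts = []
    for key, value in KV_RE.findall(line):
        hit = None
        if key in IP_FIELDS:
            hit = match_ip(value, indicators["ipv4"])
        elif key == "query":
            dom = normalize_domain(value)
            if dom in indicators["domain"]:
                hit = (dom, indicators["domain"][dom])
        elif key == "sha256":
            digest = value.lower()
            if digest in indicators["sha256"]:
                hit = (digest, indicators["sha256"][digest])
        if hit:
            alerts.append({"line": line, "field": key, "indicator": hit[0], "source": hit[1]})
    return alerts


def match_logs(lines, indicators):
    """Run every log line through the indicator set and collect the alerts."""
    return [alert for line in lines for alert in match_line(line, indicators)]


if __name__ == "__main__":
    feed = load_feed(FEED_CSV)
    for alert in match_logs(LOG_LINES, feed):
        print(f"[{alert['source']}] {alert['field']}={alert['indicator']} <- {alert['line']}")
```

Run as written, the firewall connection into 203.0.113.0/24, the DNS query for login-update.example (matched despite the feed's different capitalization and trailing dot), and the endpoint hash fire alerts, while the query for old-campaign.example is silent because that indicator expired in June 2018. Raising `min_confidence` narrows the set further; tuning that threshold and the expiry window per organization is the practical counterpart of the "mismatch with particular needs" point above.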

5. Disregarding the Lingo of Threat Intelligence
Depending on whom you ask, threat intelligence can mean different things, and its corresponding language can vary significantly. Fail to account for this and stakeholders at various levels of the organization may quickly get lost in translation.

When senior managers talk about threat intelligence, chances are that the focus will be on high-level decision-making. Where should this financial year's security budget be spent? Which technology vendors should be kicked out for not being compliant with corporate security policies?

But sit with cybersecurity analysts and the conversation will quickly take a technical turn. Are our SSL certificates up to date? Should we connect to that malware database to stay on top of ransomware attacks? What are the top 100 websites employees interact with on a daily basis?

Through internal communications and awareness initiatives, it's necessary to ensure interested parties become aware of the different perspectives threat intelligence can take. In general, these can be broken down into two levels, one being concerned about strategic undertakings such as M&A and long-term partnerships, and the other about operational matters — e.g., the reinforcements, fixes, and configurations of websites, servers, and applications.

Threat intelligence, like any other new practice, comes with its load of promises and benefits — most of which have seduced CSOs and their security teams. Misconceptions and misunderstandings like the ones discussed in this post, however, will keep on delaying threat intelligence's full-blown deployment and potential to tackle cybercrime.

Jonathan Zhang, CEO/Founder of WhoisXML API and TIP, is a serial entrepreneur in the infosec industry and the founder of whoisxmlapi.com and threatintelligenceplatform.com. He has vast experience in building tools, solutions, and systems for CSOs, security analysts, and ...

Comments
AviC525, User Rank: Author
11/8/2018 | 5:13:36 PM
Making threat intel. more effective through NLP
Good article!

One of the ways to make threat intel. data more effective is by using NLP algorithms to automatically "read" the threat intel. docs (human-written information) and classify the content into "attacker intent" categories. This process helps the analysts to accelerate investigation and response operations.

Jonathan TIP/WhoisXML API, User Rank: Author
11/10/2018 | 3:03:26 PM
Re: Making threat intel. more effective through NLP
Yes, that's a great example of automatically acting upon threat intel data! The field of automated threat intelligence is emerging with advancements in AI and NLP. Its ultimate goal is to free analysts from mountains of data and even make decisions without human intervention.