Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

4/16/2015 10:30 AM
Stu Solomon
Commentary

Harnessing The Power Of Cyber Threat Intelligence

Here are six real-world examples of how changing your modus operandi from reactive to proactive can drive rapid response to the threats that matter.

A core tenet of cyber threat intelligence (CTI) is that it has to be “consumable” and “actionable” to be useful. Without these basic underlying concepts, the best CTI in the world, cultivated from the most beneficial sources and containing the most informed analysis, is nothing more than interesting; and interesting doesn’t mean useful. So the real question is: how do you harness the power of CTI to drive decision advantage and proactive, informed decision making in an ever-increasing threat environment?

There is a great deal of power that comes along with knowing your adversary. By mapping his (or her) past activities and capabilities, historical and current affiliations, and ability to influence within a real and aspirational community of like-minded individuals, understanding his current readiness and objectives, and anticipating his future ambitions, you can obtain a position of dominance that can drastically reduce his chances of success.

This knowledge also extends to both the technical and non-technical nature of the tools and tactics that he has or aspires to use to achieve a real impact. The marriage of these concepts enables actionable knowledge of what defensive postures to take, and how to best position to recognize, detect, mitigate, or in some cases completely avoid the impacts associated with malicious intent.

Whether you are a sports club conducting scouting on an upcoming opponent, a Fortune 500 company conducting competitive research, or a nation state monitoring capabilities of a foe, the best way to win is to know your opponent – and the quickest way to lose is to walk forward in any engagement without that knowledge. Unfortunately, we’ve seen the latter play out far too many times over the past decade in information security, where a lack of deep intelligence on our adversaries has resulted in countless breaches.

“Know thy enemy” & improve every workflow
This is the fundamental principle fueling the intelligence-led security revolution that is taking place. As this transition occurs, and as you begin developing your own intelligence-led security practices, it is vitally important that you have the best understanding of the CTI market and a solid handle on how to integrate CTI into your workflows.

Many of your peers are already using CTI to revolutionize and reinvigorate the relationship between security and the business – changing their operating models from reactive to proactive and risk based. True CTI (not raw information but intelligence) helps organizations prioritize better and drive rapid response to the threats that matter. It helps them get ahead of the curve on threats that are “over the horizon” by driving the right investments through risk-based security decisions that map to the needs of the business.

[Learn more about the fundamentals of cyber threat intelligence from Stu during his conference session, Joining the Intelligence-Led Revolution, on Thursday, April 30, at Interop Las Vegas.]

Ideally, in that process, the same piece of intelligence can serve the needs of strategic, operational and tactical leaders, providing capabilities which enable future-oriented decision making, prioritization of activities to counteract the real rather than the perceived threats, and simultaneously enable the optimization of detective and preventative measures up and down the security stack.

Here are six examples of how CTI is working right now:

Better Board & Business Communications: Look for intelligence that isn’t just deep into the technical weeds. Keep in mind that you can harness the power of threat intelligence to drive strategic decisions. Provide executive summaries written in layman’s language with reporting on adversaries, vulnerabilities and exploitation, and security trends geared specifically towards business leaders. These types of reports help CISOs communicate to the rest of the business, providing tools to highlight the need for action and when required even debunk hype in the industry.

Improved Patch Management Process: True CTI can help GRC teams streamline patch management processes. Using actionable vulnerability and exploitation data, these teams are able to better prioritize which vulnerabilities to patch and on what time schedule.
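As an added illustration of the risk-based prioritization described above (this is example code, not from the article or from iSIGHT Partners), the following script ranks a constructed vulnerability inventory two ways: by CVSS base score alone, and by a score that also weighs CTI context (exploitation observed in the wild, public exploit availability, and whether a tracked actor uses the bug against the organization's sector) together with local exposure. The identifiers, weights and SLA tiers are all assumptions to be tuned to your own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example, not from the article: risk-based patch prioritization that
# combines CVSS and local exposure with CTI exploitation context.

@dataclass(frozen=True)
class Vuln:
    vuln_id: str                        # placeholder ids, not real advisories
    cvss: float                         # CVSS base score, 0-10
    exposed_hosts: int                  # affected assets in our inventory
    internet_facing: bool
    exploited_in_wild: bool = False     # CTI: exploitation observed against real targets
    public_exploit: bool = False        # CTI: working exploit code is publicly available
    actor_targets_sector: bool = False  # CTI: a tracked actor uses it against our sector

def priority_score(v: Vuln) -> float:
    """CVSS is the baseline; CTI exploitation context and exposure move it (assumed weights)."""
    score = v.cvss
    if v.exploited_in_wild:
        score += 6.0
    if v.public_exploit:
        score += 3.0
    if v.actor_targets_sector:
        score += 4.0
    if v.internet_facing:
        score += 2.0
    score += min(v.exposed_hosts, 100) / 50.0  # breadth of exposure, at most +2
    return round(score, 2)

def patch_deadline(v: Vuln, today: date) -> date:
    """Map the score onto a patch SLA (constructed tiers; adjust to your policy)."""
    s = priority_score(v)
    if s >= 15.0:
        return today + timedelta(days=2)
    if s >= 10.0:
        return today + timedelta(days=14)
    return today + timedelta(days=45)

def cvss_only_order(vulns):
    """Ordering a GRC team gets from scanner output alone."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]

def cti_order(vulns):
    """Ordering once CTI exploitation data is folded in."""
    return [v.vuln_id for v in sorted(vulns, key=priority_score, reverse=True)]

def deadlines(vulns, today_iso: str) -> dict:
    """Patch deadline per vulnerability as ISO dates, keyed by id."""
    today = date.fromisoformat(today_iso)
    return {v.vuln_id: patch_deadline(v, today).isoformat() for v in vulns}

# Constructed sample inventory (placeholder identifiers, not real CVEs).
SAMPLE_VULNS = [
    Vuln("VULN-A", cvss=9.8, exposed_hosts=5, internet_facing=False),
    Vuln("VULN-B", cvss=7.5, exposed_hosts=40, internet_facing=True,
         exploited_in_wild=True, public_exploit=True, actor_targets_sector=True),
    Vuln("VULN-C", cvss=5.3, exposed_hosts=200, internet_facing=True,
         exploited_in_wild=True),
    Vuln("VULN-D", cvss=8.1, exposed_hosts=10, internet_facing=False,
         public_exploit=True),
]

if __name__ == "__main__":
    print("CVSS-only order:   ", cvss_only_order(SAMPLE_VULNS))
    print("CTI-informed order:", cti_order(SAMPLE_VULNS))
    for vid, due in deadlines(SAMPLE_VULNS, "2015-04-16").items():
        print(f"{vid}: patch by {due}")
```

The point the sample data makes is that the 9.8 with no known exploitation drops to the bottom of the queue, while the 5.3 that is internet-facing and being exploited in the wild moves to a two-day deadline; that reordering is the streamlining the paragraph refers to.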

More Effective “Attack Surface” Protection Systems: CTI plays a key role in making existing security tools better. Many legacy security protection tools are blind to today’s threats. Further, even when tools can be configured to automatically block based off of data in raw threat feeds, network operations often does not turn this feature on for fear that they will block the wrong things and adversely impact the business. With highly validated CTI, organizations that are otherwise reticent to turn on automatic blocking can now block with confidence.

Situational Awareness & Event Prioritization: High fidelity CTI enables SOC teams to prioritize which events are most important by delivering more power to security information and event management (SIEM) systems.
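The two preceding paragraphs make related points: automatic blocking is only safe when the indicator has been validated, and the same indicator fidelity is what lets a SOC rank SIEM events. The following script, added here as an example and not taken from the article or any vendor's product, shows both: a naive rule that blocks on a feed score alone, the validated-CTI gate beside it, and a triage function that scores constructed SIEM events by matched-indicator confidence, validation status, sector targeting and asset criticality. Indicator values use documentation address ranges and example domains, actor labels are placeholders, and the thresholds and weights are assumptions.

```python
from dataclasses import dataclass

# Added example, not from the article: gate automatic blocking on validated,
# high-confidence CTI, and rank SIEM events by the same indicator fidelity.

@dataclass(frozen=True)
class Indicator:
    value: str                        # IP address or domain
    confidence: int                   # 0-100, assigned by the provider or analyst
    validated: bool                   # analyst-validated CTI vs raw feed entry
    actor: str = ""                   # tracked actor label (placeholder)
    targets_our_sector: bool = False  # CTI: that actor is active against our sector

BLOCK_THRESHOLD = 80  # assumed policy value

def feed_only_action(ind: Indicator) -> str:
    """The rule network operations is reluctant to enable: block on a feed score alone."""
    return "block" if ind.confidence >= BLOCK_THRESHOLD else "log"

def enforcement_action(ind: Indicator) -> str:
    """Block only validated, high-confidence indicators; alert on the rest worth watching."""
    if ind.validated and ind.confidence >= BLOCK_THRESHOLD:
        return "block"
    if ind.confidence >= 50:
        return "alert"
    return "log"

def event_priority(event: dict, by_value: dict, asset_criticality: dict):
    """Score one SIEM event by the matched indicator's fidelity and context.
    Returns None when the destination matches no indicator."""
    ind = by_value.get(event["dst"])
    if ind is None:
        return None
    score = ind.confidence / 10.0
    if ind.validated:
        score += 3.0
    if ind.targets_our_sector:
        score += 3.0
    score += asset_criticality.get(event["src"], 1)  # 1 = ordinary host, 3 = crown jewel
    return round(score, 1)

def triage(events, indicators, asset_criticality):
    """Return (priority, event id) pairs, highest first, for events that matched CTI."""
    by_value = {i.value: i for i in indicators}
    scored = []
    for e in events:
        p = event_priority(e, by_value, asset_criticality)
        if p is not None:
            scored.append((p, e["id"]))
    return sorted(scored, reverse=True)

# Constructed sample data (documentation ranges, example domains, placeholder actors).
INDICATORS = [
    Indicator("203.0.113.10", 95, True, actor="ACTOR-PLACEHOLDER-1", targets_our_sector=True),
    Indicator("198.51.100.7", 85, False),   # raw feed entry: high score, never vetted
    Indicator("bad.example.net", 40, False),
    Indicator("c2.example.org", 90, True, actor="ACTOR-PLACEHOLDER-2"),
]
ASSET_CRITICALITY = {"10.0.0.9": 3, "10.0.0.2": 2}  # hosts not listed default to 1
EVENTS = [
    {"id": "e1", "src": "10.0.0.5", "dst": "198.51.100.7"},
    {"id": "e2", "src": "10.0.0.9", "dst": "203.0.113.10"},
    {"id": "e3", "src": "10.0.0.5", "dst": "bad.example.net"},
    {"id": "e4", "src": "10.0.0.2", "dst": "c2.example.org"},
    {"id": "e5", "src": "10.0.0.5", "dst": "192.0.2.44"},   # no CTI match
]

if __name__ == "__main__":
    for ind in INDICATORS:
        print(f"{ind.value:16} feed-only={feed_only_action(ind):5} "
              f"validated-gate={enforcement_action(ind)}")
    print(triage(EVENTS, INDICATORS, ASSET_CRITICALITY))
```

The raw-feed entry at 198.51.100.7 is what separates the two rules: the score-only rule blocks it, which is exactly the false-positive risk that keeps auto-blocking switched off, while the validated gate downgrades it to an alert and still blocks the two vetted indicators. In the triage output, the event from the crown-jewel host to a validated, sector-targeting indicator lands at the top regardless of arrival order.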

IR Attribution & Messaging: CTI can help incident responders understand who is targeting their organization and improve communications across the business, resulting in better informed response. CTI changes the discussion from “We were hit with malware variant x” to “an actor group from Eastern Europe is targeting us, and others in our sector, and actively trying to steal personally identifiable information (PII). They can use this PII to take out credit cards in our customers’ names.”

Find & Fix Everything: True CTI helps forensic teams determine incident attribution and make sure they find and fix everything. Figuring out who is attacking you is impossible without adversary-focused intelligence. Further, if you don’t know who attacked you or what else they may have used against you in the past, you or your third-party forensic team may not find and fix everything.

CTI is a hot topic in our industry at present (especially against the backdrop of the newly announced Cyber Threat Intelligence Integration Center), and for good reason. Hopefully, as you look at this sector, my thoughts will prove useful, and hopefully you have some thoughts of your own to share. I welcome comments and a healthy dialogue on the subject.

As a member of the iSIGHT Partners executive team, Stu Solomon is responsible for spearheading the company's efforts to manage operational, legal and reputational risks. Mr. Solomon also leads iSIGHT Partners' internal legal team. Previously, Stu led the teams charged with ...
Comments
CarlosF906
User Rank: Apprentice
4/18/2015 | 8:06:02 AM
IPv6 vulnerability detection
Well written and relevant. The article states that "many legacy security tools are blind to today's threats" ... I dare to say that as we "cautiously" transition to IPv6, this reality will be magnified exponentially. Curious to hear about what iSIGHT Partners has to contribute to the IPv6 vulnerability detection conversation. twitter: @CyberFernandes
Marilyn Cohodas
User Rank: Strategist
4/16/2015 | 11:51:05 AM
Excellent examples of how CTI is working in the real world!
Thanks for this, Stu. Sounds like a fascinating topic for a virtual discussion and also at Interop. 
