Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

12/15/2016
10:30 AM
Jonathan Couch
Jonathan Couch
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Hurricanes, Earthquakes & Threat Intelligence

You must be prepared for foreseeable attacks as well as the ones that sneak up on you.

Organizations deal with two types of cyberthreats: hurricanes and earthquakes. Hurricanes are those attacks you can see coming; earthquakes, you can't. Both are inevitable, and you need to plan and take action accordingly. This starts with an understanding of what threat intelligence is and how to make it relevant and actionable. Threat intelligence can help you transition from constantly reacting to being proactive. It allows you to prepare for the hurricanes and respond to the earthquakes with an efficient, integrated approach.  

Eliminate Noise
Mention threat intelligence and most organizations think about multiple data feeds to which they subscribe — commercial sources, open source, and additional feeds from security vendors — each in a different format and most without any context to allow for prioritization. This global threat data gives some insight into activities happening outside of your enterprise — not only attacks themselves, but how attackers are operating and infiltrating networks.

The challenge is that most organizations suffer from data overload. Without the tools and insights to automatically sift through mountains of disparate global data and aggregate it for analysts and action, this threat data becomes noise: you have alerts around attacks that aren't contextualized, relevant, or a priority. To make more effective use of this data, it must be aggregated in one manageable location and translated into a uniform format so that you can automatically get rid of the noise and focus on what's important.

Focus on Threats
With global threat data organized, you can focus on the hurricanes and earthquakes that threaten your organization. Hurricanes are the threats you know about, can prepare for, protect against, and anticipate based on past trends. For example, based on research, say that we know a file is malware. This intelligence should be operationalized — turned into a policy, a rule, or signature and sent to the appropriate sensor — so that it can prevent bad actors from stealing valuable data, creating a disruption, or causing damage. As security operations become more mature, you can start to get alerts on these known threats in addition to automatically blocking them so you can learn more about the adversary. This allows you to focus on the attacks that really matter.

Earthquakes are unknown threats, or threats that you may not have adequate countermeasures against, that have bypassed existing defenses. Once they're inside the network, your job is to detect, respond, and recover. This hinges on the ability to turn global threat data into threat intelligence by enriching that data with internal threat and event data and allowing analysts to collaborate for better decision making. Threat intelligence helps you better scope the campaign once the threat is detected, learn more about the adversary, and understand affected systems and how to best remediate. By correlating events and associated indicators from inside your environment (e.g., SIEM alerts or case management records) with external data on indicators, adversaries, and their methods, you gain the context to understand the who, what, when, where, why, and how of an attack.

Going a step further, applying context to your business processes and assets helps you assess relevance. Is anything the organization cares about at risk? If the answer is "no," then what you suspected to be a threat is low priority. If the answer is "yes," then it's a threat. Either way, you have the intelligence you need to quickly take action.

Make Intelligence Actionable
Intelligence has three attributes that help define "actionable."

  • Accuracy: Is the intelligence reliable and detailed?
  • Relevance: Does the intelligence apply to your business or industry?
  • Timeliness: Is the intelligence being received with enough time to do something?

An old industry joke is that you can only have two of the three, so you need to determine what's most important to your business. If you need intelligence as fast as possible to deploy to your sensors, then accuracy may suffer and you might expect some false positives. If the intelligence is accurate and timely, then you may not have been able to conduct thorough analysis to determine if the intelligence is relevant to your business. This could result in expending resources on something that doesn't present a lot of risk.

Ultimately, the goal is to make threat intelligence actionable. But actionable is defined by the user. The security operations center typically looks for IP addresses, domain names, and other indicators of compromise — anything that will help to detect and contain a threat and prevent it in the future. For the network team, it's about hardening defenses with information on vulnerabilities, signatures, and rules to update firewalls, and patch and vulnerability management systems. The incident response team needs intelligence about the adversary and the campaigns involved so they can investigate and remediate. And the executive team and board need intelligence about threats in business terms — the financial and operational impact — in order to increase revenue and protect shareholders and the company as a whole. Analysts must work together and across the organization to provide the right intelligence in the right format and with the right frequency so that it can be used by multiple teams.

Operationalizing threat intelligence takes time and a plan. Many organizations are already moving from a reactive mode to being more proactive. But to make time to look out at the horizon and see and prepare for hurricanes while also dealing with earthquakes, organizations need to move to an anticipatory model with contextual intelligence, relevance, and visibility into trends in the threat landscape.

Related Content:

As Senior VP of Strategy of ThreatQuotient, Jonathan Couch utilizes his 20+ years of experience in information security, information warfare, and intelligence collection to focus on the development of people, process, and technology within client organizations to assist in ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Exploiting Google Cloud Platform With Ease
Dark Reading Staff 8/6/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8720
PUBLISHED: 2020-08-13
Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable denial of service via local access.
CVE-2020-12300
PUBLISHED: 2020-08-13
Uninitialized pointer in BIOS firmware for Intel(R) Server Board Families S2600CW, S2600KP, S2600TP, and S2600WT may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2020-12301
PUBLISHED: 2020-08-13
Improper initialization in BIOS firmware for Intel(R) Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2020-7307
PUBLISHED: 2020-08-13
Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the RiskDB username and password via unprotected log files containing plain text credentials.
CVE-2020-8679
PUBLISHED: 2020-08-13
Out-of-bounds write in Kernel Mode Driver for some Intel(R) Graphics Drivers before version 26.20.100.7755 may allow an authenticated user to potentially enable denial of service via local access.