Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

7/13/2018
10:30 AM
Tom Badders
Tom Badders
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

How to Structure an Enterprise-Wide Threat Intelligence Strategy

To keep an organization safe, you must think about the entire IT ecosystem.

The ever-expanding range and diversity of cyber threats make it difficult for organizations to prioritize their offensive and defensive strategies against attackers. From malware, ransomware, and other attacks coming from the outside, to insider threats and system vulnerabilities from within, today's expanded attack surfaces cut across the whole enterprise landscape — and that means an enterprise's threat intelligence strategy must address the entire IT ecosystem.

To be effective, threat intelligence must be proactive, comprehensive, and done in a way that doesn't inadvertently create more risk. Unfortunately, as a recent Ponemon survey illustrates, most organizations fall short of this goal — tripped up by a range of challenges, including a lack of expertise and overwhelming volumes of data. Improved threat intelligence comes from improving the strategy, techniques, and tools employed by enterprises to probe their networks for weakness and shore up defenses and resiliency.

A "Dirty Internet" of Threats and Vulnerabilities
The digital universe is vast, but it's also "dirty" in the sense of data seeping across perimeters and network boundaries. This "digital exhaust" — evidence of visits, searches, purchases, and other behaviors that users leave behind on the Internet — is growing quickly and is grist for hackers looking to penetrate systems and databases.

Unfortunately, one of the most valuable forms of digital exhaust comes as a by-product of poorly designed threat intelligence. Too often, threat intelligence involves tools and processes that, while designed to monitor the perimeter and internal systems for threats, unwittingly leave behind artifacts of that troubleshooting activity that malicious actors can ultimately use against the organization. 

This "fly on the wall" process of observation could even uncover specifics about who is conducting the threat intelligence and what devices they're using. Adding to the challenge, today's threat actors are sophisticated enough that firewalls, VPNs, proxy servers, and other traditional secure access solutions are too weak to stop them.

What's needed is a new approach to operating on the Internet that makes use of managed attribution techniques, including data obfuscation, identity and location masking, and multiple levels of encryption and authentication to reduce and virtually eliminate the attack surface. In other words, an ideal threat intelligence strategy would not only protect data from breaches but also protect data in the event of a breach. Both goals can be achieved.

Anonymity and Managed Attribution
Anonymity is an important component. This is where technology is used to conceal your identity, location, and details about the device you are using as you conduct threat intelligence. Managed attribution takes things a step further, not only hiding your identity and location, but actually making it appear as if you are someone else operating from somewhere else — a soccer parent in Manitoba, say, instead of a systems analyst in Arlington, Virginia.

Further, organizations need to manage both the technical and personal side of user identities. Technical attribution might involve a virtual desktop that's clean and separate from the data on an actual device; there are even systems that frequently and randomly swap IP addresses at the point of presence. Personal attribution, meanwhile, involves multiple profiles that can be swapped out as quickly and easily as signing in and out of the platform. Suddenly, the soccer parent in Manitoba becomes a street merchant in Madrid. 

Securing Data for a Secure Future
Ultimately, the entire network architecture should be cloaked from the view of threat actors looking to seize access and advantage. This involves obfuscating network operations through a cloud of encryption and IP hopping capabilities that mask user and organizational data through a series of complex pathways, directory nodes, and networking hops that scramble the meaning and context around data and its users.

While the attack surface can't be eliminated entirely, obfuscation can turn that surface into a meaningless or unappealing target to potential threat actors. It's even possible to obfuscate entire pieces of infrastructure — email systems, application servers, and storage facilities — and this can all be designed and implemented in the cloud.

The innovation around threat intelligence is constant, and for good reason. It's not just that organizations need to protect assets today; they also need to be prepared (as much as possible) for tomorrow's unknown and unknowable threats. Effective threat intelligence can also help organizations meet regulations such as the EU's General Data Protection Regulation as well as existing standards that require them to employ technical and organizational measures that ensure an appropriate level of security.

For all these reasons, improved threat intelligence can and should be a priority for any organization or government agency. The right strategies, tools, and partners can lead to a higher level of security that keeps both cyber-threat teams and organizational data safe and secure from evolving and ever-growing cyber threats.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Tom Badders is the Senior Product Manager for Secure Mobility Products and Services at Telos Corporation, a leading provider of continuous security solutions and services for the world's most security-conscious agencies and organizations. Leveraging over 40 years of ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8913
PUBLISHED: 2020-08-12
A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android's Play Core Library versions prior to 1.7.2. A malicious attacker could create an apk which targets a specific application, and if a victim were to install this apk, the attacker could perform a dir...
CVE-2020-7029
PUBLISHED: 2020-08-11
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged ...
CVE-2020-17489
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
CVE-2020-17495
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
CVE-2020-0260
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183