Threat Intelligence

7/13/2018
10:30 AM
Tom Badders
Tom Badders
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

How to Structure an Enterprise-Wide Threat Intelligence Strategy

To keep an organization safe, you must think about the entire IT ecosystem.

The ever-expanding range and diversity of cyber threats make it difficult for organizations to prioritize their offensive and defensive strategies against attackers. From malware, ransomware, and other attacks coming from the outside, to insider threats and system vulnerabilities from within, today's expanded attack surfaces cut across the whole enterprise landscape — and that means an enterprise's threat intelligence strategy must address the entire IT ecosystem.

To be effective, threat intelligence must be proactive, comprehensive, and done in a way that doesn't inadvertently create more risk. Unfortunately, as a recent Ponemon survey illustrates, most organizations fall short of this goal — tripped up by a range of challenges, including a lack of expertise and overwhelming volumes of data. Improved threat intelligence comes from improving the strategy, techniques, and tools employed by enterprises to probe their networks for weakness and shore up defenses and resiliency.

A "Dirty Internet" of Threats and Vulnerabilities
The digital universe is vast, but it's also "dirty" in the sense of data seeping across perimeters and network boundaries. This "digital exhaust" — evidence of visits, searches, purchases, and other behaviors that users leave behind on the Internet — is growing quickly and is grist for hackers looking to penetrate systems and databases.

Unfortunately, one of the most valuable forms of digital exhaust comes as a by-product of poorly designed threat intelligence. Too often, threat intelligence involves tools and processes that, while designed to monitor the perimeter and internal systems for threats, unwittingly leave behind artifacts of that troubleshooting activity that malicious actors can ultimately use against the organization. 

This "fly on the wall" process of observation could even uncover specifics about who is conducting the threat intelligence and what devices they're using. Adding to the challenge, today's threat actors are sophisticated enough that firewalls, VPNs, proxy servers, and other traditional secure access solutions are too weak to stop them.

What's needed is a new approach to operating on the Internet that makes use of managed attribution techniques, including data obfuscation, identity and location masking, and multiple levels of encryption and authentication to reduce and virtually eliminate the attack surface. In other words, an ideal threat intelligence strategy would not only protect data from breaches but also protect data in the event of a breach. Both goals can be achieved.

Anonymity and Managed Attribution
Anonymity is an important component. This is where technology is used to conceal your identity, location, and details about the device you are using as you conduct threat intelligence. Managed attribution takes things a step further, not only hiding your identity and location, but actually making it appear as if you are someone else operating from somewhere else — a soccer parent in Manitoba, say, instead of a systems analyst in Arlington, Virginia.

Further, organizations need to manage both the technical and personal side of user identities. Technical attribution might involve a virtual desktop that's clean and separate from the data on an actual device; there are even systems that frequently and randomly swap IP addresses at the point of presence. Personal attribution, meanwhile, involves multiple profiles that can be swapped out as quickly and easily as signing in and out of the platform. Suddenly, the soccer parent in Manitoba becomes a street merchant in Madrid. 

Securing Data for a Secure Future
Ultimately, the entire network architecture should be cloaked from the view of threat actors looking to seize access and advantage. This involves obfuscating network operations through a cloud of encryption and IP hopping capabilities that mask user and organizational data through a series of complex pathways, directory nodes, and networking hops that scramble the meaning and context around data and its users.

While the attack surface can't be eliminated entirely, obfuscation can turn that surface into a meaningless or unappealing target to potential threat actors. It's even possible to obfuscate entire pieces of infrastructure — email systems, application servers, and storage facilities — and this can all be designed and implemented in the cloud.

The innovation around threat intelligence is constant, and for good reason. It's not just that organizations need to protect assets today; they also need to be prepared (as much as possible) for tomorrow's unknown and unknowable threats. Effective threat intelligence can also help organizations meet regulations such as the EU's General Data Protection Regulation as well as existing standards that require them to employ technical and organizational measures that ensure an appropriate level of security.

For all these reasons, improved threat intelligence can and should be a priority for any organization or government agency. The right strategies, tools, and partners can lead to a higher level of security that keeps both cyber-threat teams and organizational data safe and secure from evolving and ever-growing cyber threats.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Tom Badders is the Senior Product Manager for Secure Mobility Products and Services at Telos Corporation, a leading provider of continuous security solutions and services for the world's most security-conscious agencies and organizations. Leveraging over 40 years of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15380
PUBLISHED: 2019-02-20
A vulnerability in the cluster service manager of Cisco HyperFlex Software could allow an unauthenticated, adjacent attacker to execute commands as the root user. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by connecting to the cluster serv...
CVE-2019-3474
PUBLISHED: 2019-02-20
A path traversal vulnerability in the web application component of Micro Focus Filr 3.x allows a remote attacker authenticated as a low privilege user to download arbitrary files from the Filr server. This vulnerability affects all versions of Filr 3.x prior to Security Update 6.
CVE-2019-3475
PUBLISHED: 2019-02-20
A local privilege escalation vulnerability in the famtd component of Micro Focus Filr 3.0 allows a local attacker authenticated as a low privilege user to escalate to root. This vulnerability affects all versions of Filr 3.x prior to Security Update 6.
CVE-2019-10030
PUBLISHED: 2019-02-20
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
CVE-2019-10030
PUBLISHED: 2019-02-20
A exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through anoth...