Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

6/29/2018
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Why Sharing Intelligence Makes Everyone Safer

Security teams must expand strategies to go beyond simply identifying details tied to a specific threat to include context and information about attack methodologies.

Cybersecurity is sometimes viewed as being inherently reactive. But given the security issues we face today, security professionals must push beyond merely blocking an attack before a network breach. Cybersecurity teams must also have the ability to disrupt an attack from achieving its goal. This might sound similar to blocking an attack, but there's more to it.

This foresight can be acquired through knowledge of the kill chain, which refers to models that map the stages of attacks from initial system probing and network penetration to the final exfiltration of valuable data. Some people in our industry describe this process as "cyber threat intelligence."

The Strategy Behind Cyber Threat Intelligence
Such a strategy goes beyond signatures or details tied to a specific threat. It could also include context and information about attack methodologies, tools utilized to obscure an infiltration, methods that hide an attack within network traffic, and tactics that evade detection.

It is also important to understand the different kinds of data under threat, the malware in circulation, and, more importantly, how an attack communicates with its controller. These elements of foresight enable the disruption of an attack at any of the points mentioned above.

But threat intelligence is also about being qualitative, at least to the degree that it can be leveraged to respond to an attack, whether that means a forensic analysis for full recovery or the attribution and prosecution of the people responsible for the attack.

Sources of Cyber Threat Intelligence
Information sharing is a critical aspect of any security strategy. It's critical to compare the network or device you are trying to protect against a set of currently active threats; this allows you to assign the right resources and countermeasures against different attacks.

To leverage intelligence, start by accessing a variety of threat intelligence sources, some of which might include:

  • Actionable insights from manufacturers: These arrive as a part of regular security updates or, more accurately, as a signature with the ability to detect a known threat.
  • Intelligence from local systems and devices: When you establish a baseline for normal network behavior, it becomes easier to assess when something is out of whack. Spikes in data, an unauthorized device attempting contact with other devices, unknown applications rummaging the network, or data being stored or collected in an unlikely location are all forms of local intelligence. This can be used to identify an attack and even triangulate on compromised devices.
  • Intelligence from distributed systems and devices: As is the case with local intelligence, similar intelligence can be collected from other areas of the network. As they expand, networks provide and create new infiltration opportunities for attacks or threats. Also, different network environments — virtual or public cloud, for example  often run on separate, isolated networking and security tools. In those cases, centralized process for both the collection and correlation of these different intelligence threads become necessary.
  • Intelligence from threat feeds: Subscription to public or commercial threat feeds help organizations enhance their data collection, both from their own environment and those collected from a regional or global footprint in real time. It could boil down to two formats:
    • Raw feeds: Security devices simply cannot consume raw data, usually because it lacks context. This intelligence is utilized better post-processing from customized tools or local security teams. Such an effort converts the raw data into a more practical format. An added advantage with raw feeds is that they're much closer to real time and are often cheaper to subscribe to.
    • Custom feeds: Information processed with context is easily consumed by security tools; an example could be specific information delivered using tailored indicators of compromise. Vendors may customize the data for consumption by an identified set of security devices. At the same time, organizations also need to ensure that their existing tools support common protocols for reading and utilizing the data.
  • Intelligence between industry peers: Information sharing has become an advantageous norm for many. Several groups, such as ISACs (information sharing and analysis centers) or ISAOs (information sharing and analysis organizations), share threat intelligence within the same market sphere, geographic region, or vertical industry. They are especially useful for identifying threats or trends affecting your peers with the potential to impact your own organization.

Intelligence in the corporate ecosystem is important, but the opportunity to reduce the number of threats, potentially exposing everyone to less risk, is more valuable than the advantage received from holding on to this information. Sharing is an important aspect of any security strategy. Then again, so is access to actionable intelligence in real time.

Whatever the case, just remember that sharing your own threat intelligence serves to make everyone safer.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Sanjay Vidyadharan heads Marlabs' innovations team, which is responsible for next-gen digital technology services and digital security. Sanjay's team plays a key role in innovating new technology platforms and intellectual properties. Under his leadership, Marlabs has ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AlitaBeauchesne
100%
0%
AlitaBeauchesne,
User Rank: Apprentice
7/26/2018 | 10:07:11 AM
very interesting
I found your article very interesting and useful .. Well explained .. Thank you for sharing this incredible information.
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16349
PUBLISHED: 2019-09-16
Bento4 1.5.1-628 has a NULL pointer dereference in AP4_ByteStream::ReadUI32 in Core/Ap4ByteStream.cpp when called from the AP4_TrunAtom class.
CVE-2019-16350
PUBLISHED: 2019-09-16
ffjpeg before 2019-08-18 has a NULL pointer dereference in idct2d8x8() at dct.c.
CVE-2019-16351
PUBLISHED: 2019-09-16
ffjpeg before 2019-08-18 has a NULL pointer dereference in huffman_decode_step() at huffman.c.
CVE-2019-16352
PUBLISHED: 2019-09-16
ffjpeg before 2019-08-21 has a heap-based buffer overflow in jfif_load() at jfif.c.
CVE-2016-10967
PUBLISHED: 2019-09-16
The real3d-flipbook-lite plugin 1.0 for WordPress has XSS via the wp-content/plugins/real3d-flipbook/includes/flipbooks.php bookId parameter.