The cyber-threats our organizations face continue to evolve, partly because the motivations behind attacks are broadening, and partly because the attacks themselves are becoming more sophisticated. We have all seen the motivations behind cyber-attacks broaden over the last few years, with extortion, vandalism, ideological hacktivism, data theft and financial fraud all regularly in the news.
On the technical side of things, toolkits and obfuscation techniques are readily and cheaply available within the cyber-criminal community. And of course we have state-associated threat-actors who have significant resources behind them to develop and utilize new tools and exploits.
Protecting our organizations from these threats requires, in most cases, that we leverage the visibility and expertise available outside of our organizations to gain intelligence on the threats we face. Threat intelligence is a bit of a buzzword in the security industry, and our equipment vendors, partners and other specialist security research teams all have their own feeds that we can consume; but what makes good threat intelligence data?
Firstly, let’s look at why we need good threat intelligence. Threat intelligence drives at least some of the detection capabilities in many of our preventative controls (for example, Intrusion Detection Systems) and without a regularly updated feed of intelligence the effectiveness of these solutions declines.
The fidelity of this threat intelligence is also very important. Minimizing false positives (and false negatives) and providing context around detected events can help us to maximize the effectiveness of our security resources – allowing them to focus their time on the highest risk or priority events.
Secondly, what makes good threat intelligence data? Ideally, the intelligence we use should be valid, relevant and timely. Intelligence is generated in many different ways, ranging from malware analysis through to traffic monitoring and customer deployment feedback from solution vendors, and all of these are valid sources.
For network-based indicators of compromise (IOCs) the information provided needs to be as granular as possible. At the very least we need IP address, protocol and port number, but ideally we also need domain names and URLs, because the more granular the data we have, the lower the chance of false positives or false negatives.
How this intelligence is presented also makes a difference to its utility. An individual element of intelligence might be tied to a specific piece of malware, but what is even more useful is understanding how that malware might relate to on-going attack campaigns. This context can help our security operations teams determine whether an event should be moved to the top of the queue for investigation.
Having some concept of ‘confidence’ around the intelligence we use can also be useful here, because we can then tune our detection technologies to use higher or lower confidence intelligence based around currently perceived threats or sensitivities.
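To make the two points above concrete, here is a small added example (not code from the original article, and not any vendor's feed format): a matcher that applies network IOCs of different granularity to constructed proxy log lines, with a tunable confidence threshold. The feed entries, log lines, confidence values and campaign names are all constructed for illustration. It shows how an IP-only indicator fires on unrelated traffic to a shared host, while the indicator carrying port, protocol, domain and URL matches only the real event and brings its campaign context with it, and how raising the threshold drops the low-confidence hit.

```python
"""Added example: matching network IOCs against proxy log lines, with
granularity-aware matching and a confidence threshold the SOC can tune.
All indicators, log lines and confidence values are constructed."""

from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class Indicator:
    ip: str
    port: Optional[int] = None
    protocol: Optional[str] = None
    domain: Optional[str] = None
    url: Optional[str] = None
    confidence: int = 50        # 0-100, as supplied by the (constructed) feed
    campaign: str = "unknown"   # context: which campaign or malware family


# Constructed feed: one coarse entry (IP only) and one granular entry for
# the same address, as often happens when a shared host is abused.
FEED = [
    Indicator(ip="203.0.113.10", confidence=40, campaign="coarse-ip-only"),
    Indicator(ip="203.0.113.10", port=443, protocol="tcp",
              domain="update.example-bad.test",
              url="https://update.example-bad.test/gate.php",
              confidence=85, campaign="loader-campaign-A"),
]

# Constructed proxy log lines: timestamp src dst_ip dst_port proto url
LOG_LINES = [
    "2024-01-01T10:00:00Z 10.0.0.5 203.0.113.10 443 tcp https://cdn.shared-host.test/lib.js",
    "2024-01-01T10:00:05Z 10.0.0.7 203.0.113.10 443 tcp https://update.example-bad.test/gate.php",
    "2024-01-01T10:00:09Z 10.0.0.9 198.51.100.4 80 tcp http://intranet.test/",
]


def parse_log(line: str) -> dict:
    """Split one constructed proxy line into fields; derive the domain from the URL."""
    ts, src, dst_ip, dst_port, proto, url = line.split()
    return {"ts": ts, "src": src, "dst_ip": dst_ip, "dst_port": int(dst_port),
            "proto": proto, "url": url, "domain": urlparse(url).hostname}


def indicator_matches(ind: Indicator, ev: dict) -> bool:
    """Every field the indicator specifies must match; unspecified fields act
    as wildcards, which is why a coarse IP-only indicator matches more traffic."""
    if ind.ip != ev["dst_ip"]:
        return False
    if ind.port is not None and ind.port != ev["dst_port"]:
        return False
    if ind.protocol is not None and ind.protocol != ev["proto"]:
        return False
    if ind.domain is not None and ind.domain != ev["domain"]:
        return False
    if ind.url is not None and ind.url != ev["url"]:
        return False
    return True


def granularity(ind: Indicator) -> int:
    """Count the optional fields an indicator carries (0 = IP only, 4 = fully qualified)."""
    return sum(1 for f in (ind.port, ind.protocol, ind.domain, ind.url) if f is not None)


def detect(lines: List[str], feed: List[Indicator],
           min_confidence: int) -> List[Tuple[str, str, int]]:
    """Return (source host, campaign, confidence) for each log line that hits an
    indicator at or above the threshold. When several indicators match, the most
    granular one wins so that its campaign context is what the analyst sees."""
    hits = []
    for line in lines:
        ev = parse_log(line)
        matches = [i for i in feed
                   if i.confidence >= min_confidence and indicator_matches(i, ev)]
        if matches:
            best = max(matches, key=granularity)
            hits.append((ev["src"], best.campaign, best.confidence))
    return hits


if __name__ == "__main__":
    # Low threshold: the IP-only indicator also fires on the shared-host CDN fetch.
    # High threshold: only the fully qualified, high-confidence hit remains.
    for threshold in (30, 80):
        print(f"threshold={threshold}: {detect(LOG_LINES, FEED, threshold)}")
```

At threshold 30 the first log line (a fetch from an unrelated site on the same shared address) is reported via the coarse indicator, which is the kind of false positive that granular IOCs avoid; at threshold 80 only the loader-campaign hit survives, with its campaign label attached for triage.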
So, where does good threat intelligence come from? Well, ideally we should acquire it from multiple sources which have visibility and research capabilities that are relevant to our business. Organizations in the security space often have research teams that produce intelligence based on their analysis of what they see – and ‘what they see’ is important.
If an organization has a good level of visibility in a particular space, and that matches our needs, then the threat intelligence it produces will be extremely useful to us. This is why regional and industry-specific CERT teams can be good sources, as well as vendors and specialist security firms. Other organizations, such as the RedSky Alliance, exist to provide vetted user groups that facilitate the sharing of information between organizations without the risks associated with public disclosure.
Threat intelligence is hugely important in the fight against today's threats. Time is a currency that most security organizations have to spend wisely. We need to maximize the effectiveness of our security resources so that they can protect our businesses to the best of their ability. To do this we need to minimize false positives, and we need to provide context around detected events so that their time is focused where it matters most.