Review: Threat Forecasting
About the authors
John Pirc is Director of Security Solutions for Forsythe Technology and an advisor to HP’s CISO on Cyber Security.
David DeSanto is the Director, Products & Threat Research for Spirent Communications where he drives product strategy for all Application Security testing solutions.
Iain Davison is a Security Engineer at Exabeam.
Will Gragido is Head of Digital Shadows Labs.
Inside Threat Forecasting
By now, it’s pretty much crystal clear to everyone in the infosec field that organizations need to focus on spotting and blocking unknown threats as much as those that are already known – if not more.
Threat forecasting with the help of Big Data is one way to improve an organization’s defenses but, as the writers of this book make perfectly clear, it will not predict and stop attacks 100% of the time. Still, you can achieve a considerable improvement in detecting and preventing attacks, and that could mean all the difference for the organization’s bottom line and reputation.
To quote the writers: “Threat forecasting allows you to apply real-world threat intelligence to the data collected within your organization to identify patterns or trends “in-the-wild” (i.e., currently active on the Internet) that may impact your organization.” This book is meant to show you how to do that.
If you are already convinced that threat forecasting is for you, but your organization works in the healthcare or financial industry sector, or you’re murky on the finer points and the big picture of how threat forecasting is supposed to help, don’t skip the first two chapters.
Next, you have a chapter on security intelligence as the crucial component to threat forecasting. It details what type of information falls into the security intelligence box, how to collect it (DIY approach or partnering with or buying solutions from third parties), and how to make sure that the intelligence you use is high fidelity.
The authors then go on to explain the importance of being able to distinguish between intelligence and information, introduce knowledge elements (indicators of attack, of compromise, of interest), and describe where they can be acquired and how they can be shared. Chapter 5 also details the community sharing part – through projects set up by companies or driven by communities, and existing frameworks (complete with examples) – and points out the advantages and disadvantages of sharing knowledge elements.
Data visualisation methods – important both for security practitioners and for the boardroom – get their own short chapter. The helpfulness of data simulations is explained in the next, as well as the need to choose/build a forecast model that will fit your particular enterprise. In Chapter 8 (“Kill Chain Modeling”), you’ll learn about the tools that can be implemented to assist with breach detection and data analysis: Maltego, Splunk, OpenGraphiti, etc.
Finally, in Chapter 9 the authors tie all these things together, and use real world examples to demonstrate how threat forecasting helped or could have helped (Anthem, Target, etc.) to prevent breaches.
Also, they outline how you can begin to apply threat forecasting techniques within your organization (they break the process down into three phases) – this chapter is all about effective implementation, and will point you back towards all the previous chapters. In fact, I would suggest you read the three-phase plan at the end of the chapter first, to get an idea of what you’re in for, and then delve into the book.
The book ends with a compilation of thoughts and predictions each author has about the topic of threat forecasting.
If you’re looking for a book to give a solid overview of what threat forecasting can do for your organization, you don’t have to look further. It’s concise and coherent, provides great real-world examples, is short enough to read in one or two sittings, and provides good advice on getting colleagues and management to support the effort – in short, all you need to start the journey.