Extended Threat Intelligence: A new approach to old school threat intelligence
The world is shaken by new crises and cyber events every day. All sectors are affected, whether in production, transportation, or security, and the intensity and impact of cyber-attacks across all of them keep rising. Traditional threat intelligence solutions are not enough. Therefore, new solutions such as Extended Threat Intelligence are needed.
In 2021, ransomware gangs alone made at least $590 million in profits, according to the U.S. Treasury Department. As threat actors leverage more targeted tactics, techniques, and procedures (TTPs) to exploit vulnerable systems, security teams are increasingly looking for laser-focused solutions that alert them with early-warning signals of cyber threats.
However, isolated cybersecurity services, such as those built on one-dimensional technologies, are neither sufficient to detect ransomware threats in advance nor effective across industries. In fact, Gartner says in a report published last month that the intersection of many cybersecurity use cases is confusing for industry actors, who do not know which service to prioritize against threats.
But there’s no need to be confused. Some platforms bring a new approach that integrates Cyber Threat Intelligence, Digital Risk Protection, and External Attack Surface Management capabilities to realign security thinking from that of a defender to that of an attacker. (The details of these technologies are explained below.) This can put security teams in various sectors in a better position to detect blind spots before hackers exploit them.
To understand the nature of these services, it is first necessary to describe the limits of traditional approaches in cyber security.
What are the limitations of traditional threat intelligence approaches?
Historically, threat intelligence was promised to be the first place to look for the unknowns; however, reactive traditional cyber threat intelligence (CTI) programs are unlikely to fill the early-warning gap. A limited focus on dark web data collection and analysis, for example, is one of the drawbacks.
Although dark web marketplaces have become a one-stop shop for threat actors looking to cash out, only 38% of respondents to the 2021 SANS CTI Survey consider closed and dark web sources part of their intelligence gathering.
This low level of interest might be the result of a common misconception: the assumption that relevant intelligence from deep and dark web sources is already included in public threat feeds and IOCs. This can be true for tactical intelligence but is very limited when it comes to gathering company-specific operational and strategic intelligence.
Another contributing factor to this insufficient CTI strategy is the false sense of security spread by cybersecurity vendors and technology providers. IOCs fed into the existing security stack have been heavily promoted as the ultimate proactive way of preventing cyber threats.
Visibility is a crucial component of cyber defense. It’s essential to know what to protect. Lack of visibility and intelligence around external-facing critical vulnerabilities is another drawback of traditional CTI programs.
According to the IBM X-Force Threat Intelligence Index, scan-and-exploit of vulnerabilities jumped to become the top infection vector (35%), surpassing phishing. Keeping an up-to-date asset inventory and running continuous scans from an external viewpoint can help vulnerability management teams spot and prioritize the patching of heavily exploited bugs on critical load balancer or VPN technologies such as Citrix, Palo Alto, or Microsoft Exchange.
How do we get to “extended”? Completing the puzzle
Because of its ideal blend of prevention, response, and strategic perspectives, cybersecurity experts believe that the early warning mechanism should naturally be built around threat intelligence. The purpose of CTI programs is to help security teams fill a knowledge gap about present and future threats.
Over the past decade, a number of solutions delivering external threat visibility have also emerged, such as Digital Risk Protection Services (DRPS) and External Attack Surface Management (EASM).
EASM technologies approach security from the perspective of attackers. Understanding the constantly changing attack landscape by identifying forgotten or shadow assets helps security teams spot weaknesses and vulnerabilities early on.
DRPS solutions are generally the go-to choice for enterprises that need extended protection of critical digital assets and coverage of risks associated with third parties, brands, employees, and VIPs. DRPS stakeholders can extend to fraud prevention teams, the executive board, and other customer-facing departments.
DRPS and EASM technologies let organizations monitor data sources of many kinds, including social media, SSL certificates, domain registrations, vulnerability databases, breach datasets, deep web sources, code repositories, and many others. XTI technology, however, helps realize the full potential of this mass of data by generating continuous, actionable intelligence. In fact, Gartner, in another report published in recent months, advocates the view that cyber security service providers should cooperate with DRPS or EASM.
One of the challenges of being a security leader is making the most informed choice from a diverse pool of technologies to prevent data breaches. As consolidation in cybersecurity accelerates, solutions that deliver similar results but are listed under different market definitions make the job harder.
Meanwhile, security practitioners grapple with a multitude of technologies that generate alerts from various vendors, which leads to lost productivity and added complexity. The importance of integrating artificial intelligence into the cyber security sector should be underlined at this point.
A smart combination of AI-powered automation technology and a team of Certified Threat Intelligence Analysts (CTIA) can increase productivity while condensing a massive number of events into a manageable alert stream. Built-in remediation support is also essential for disrupting or analyzing adversary infrastructure as needed.
How does XTI work? How can different Extended Threat Intelligence solutions help companies?
Extended Threat Intelligence can hit the ground running and be operational in hours. There is no need for an Excel list of assets or keywords to turn the key. XTI vendors such as SOCRadar offer several modules to activate. The first, for example, is External Attack Surface Management (EASM), which runs a very detailed digital footprint (DFP) discovery and mapping process that we consider fundamental.
Digital Risk Protection (DRPS) and Cyber Threat Intelligence (CTI) also take the stage, of course. To give an example, using the auto-discovered digital assets, including brand keywords, the unified DRPS and CTI technology starts collecting data across the surface, deep, and dark web and processes and analyzes it in real time.
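The two steps described above, an external asset inventory reconciled against what is actually visible from outside (shadow-asset discovery, as in the EASM digital footprint step) and patch prioritization of exploited bugs on exposed VPN and mail technologies, as an added example that is not SOCRadar's code. All hosts, versions and advisory references are constructed sample data; real advisory feeds carry CVE identifiers, which this example replaces with labelled placeholders.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    host: str
    product: str
    version: str

@dataclass
class Advisory:
    product: str
    fixed_in: str           # versions below this are affected
    exploited_in_wild: bool # drives the priority score
    ref: str                # placeholder id; a real feed would carry a CVE id

# Constructed data for this example (not a real inventory or advisory feed).
DECLARED = {"vpn.example.com", "mail.example.com", "www.example.com"}  # what IT lists
OBSERVED = [  # what external discovery (DNS, certificate logs) actually finds
    Asset("vpn.example.com", "Citrix ADC", "13.0-47.24"),
    Asset("mail.example.com", "Microsoft Exchange", "15.2.792"),
    Asset("old-vpn.example.com", "Palo Alto PAN-OS", "9.0.3"),   # nobody declared it
    Asset("www.example.com", "nginx", "1.20.1"),
]
ADVISORIES = [
    Advisory("Citrix ADC", "13.0-58.32", True, "ADV-PLACEHOLDER-1"),
    Advisory("Microsoft Exchange", "15.2.858", True, "ADV-PLACEHOLDER-2"),
    Advisory("Palo Alto PAN-OS", "9.0.9", True, "ADV-PLACEHOLDER-3"),
    Advisory("nginx", "1.21.0", False, "ADV-PLACEHOLDER-4"),
]

def version_key(v):
    """'13.0-47.24' -> (13, 0, 47, 24) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.replace("-", ".").split("."))

def shadow_assets(declared, observed):
    """Hosts reachable from outside but missing from the declared inventory."""
    return sorted(a.host for a in observed if a.host not in declared)

def matching_advisories(asset, advisories):
    """Advisories whose product matches and whose fix is newer than the running version."""
    return [adv for adv in advisories
            if adv.product == asset.product
            and version_key(asset.version) < version_key(adv.fixed_in)]

def prioritize(declared, observed, advisories):
    """Rank assets: +100 per exploited-in-the-wild bug, +10 per other bug, +50 if shadow."""
    shadow = set(shadow_assets(declared, observed))
    ranked = []
    for a in observed:
        hits = matching_advisories(a, advisories)
        score = sum(100 if h.exploited_in_wild else 10 for h in hits)
        score += 50 if a.host in shadow else 0
        ranked.append((score, a.host, [h.ref for h in hits]))
    return sorted(ranked, reverse=True)  # highest score first
```

The undeclared VPN host lands at the top of the list because it is both unpatched against an exploited bug and invisible to the team that owns patching.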
The foremost benefit of XTI is that it provides continuous hacker-view visibility into blind spots so you can be proactive against cyber threats. DRPS, EASM, and CTI do not merely coexist within a single platform; the value lies in the close interoperation of these three modules.
Other advantages of XTI are:
- Centralization of external threat intelligence
- Reduced acquisition costs
- Certified Threat Intelligence Analysts (CTIA) who act as an extension of your security team in terms of remediation and response
- Actionable and holistic threat prevention perspective beyond the perimeter
- Elimination of daunting DFIR and threat investigation processes
- Ease and speed of onboarding to defend your enterprise against threat actors and cyber criminals immediately
- Actionable and holistic threat prevention by integrating with your SIEM/SOAR platforms
- Less time and effort for your threat hunting activity with a built-in big data platform