IT Focus Area: Security
May 3, 2016
6 Steps for Operationalizing Threat Intelligence
Good intelligence wins wars. Military leaders throughout history have sought knowledge of their enemies; in 207 B.C. — when information traveled no faster than a horse could ride — it was intelligence that led Rome to its critical victory over Carthage during the Punic Wars, ending a six-decade struggle for domination of the Mediterranean world.
Fast forward 2,000 years, and intelligence is more important than ever. Countries have spent decades and trillions of dollars building up military forces to protect their interests and deter attacks by land, sea, and air. But the biggest threat to security today comes not from ground forces or air power, but from cyberspace. Digital attacks are being used as an alternative to conventional force, and the most lethal soldiers in the world cannot defend against internet connections.
There are no rules of engagement in cyber warfare when it comes to corporate data. Enterprises in all industries are attractive targets, and most are not adequately prepared to defend themselves. According to PWC’s 2016 Global State of Information Security Survey, theft of hard intellectual property increased 56 percent in 2015.
The best form of defense against attacks and those who perpetrate them is to know about them. Collaborative defense has become critical not only to national security but also to IT security, and sharing threat intelligence is a force multiplier. But for many organizations, good quality intelligence is hard to come by.
According to the Ponemon Institute, the average organization receives 16,937 alerts a week through security controls. Only 19 percent are deemed reliable, and only 4 percent are investigated. This translates into thousands of hours spent investigating false negatives and/or false positives, and millions of dollars wasted on inaccurate intelligence.
Commercial threat intelligence technology and services can help enterprises arm themselves with the strategic, tactical, and operational insights they need to identify and respond to global threat activity, and integrate intelligence into their security programs.
Per Gartner by 2018, 60 percent of large enterprises globally will utilize commercial threat intelligence services to help inform their security strategies.*
Separating the Signal from the Noise
In a military or security context, intelligence is information that can inform decisions and facilitate strategic and tactical advantage. Threat intelligence is a component of intelligence that includes both information related to protecting an organization from threats, and the technologies, processes, and policies designed to effectively gather and analyze that information.
There has been a lot of hype and semantic argument around cyber threat intelligence, and it’s a confusing space. It is important to note that threat data is not the same as threat intelligence. Simply dumping raw information into organizations that are already drowning in data can exacerbate the staffing and false positive issues that security teams are facing today. The difference between threat intelligence and threat data is that intelligence incorporates the context that makes the information relevant to an organization or industry. For example: threat data could include a list of recently created domain names that are hosting malware or being used in a phishing campaign.
Threat intelligence, in this case, would be a list of the devices on your network that have since accessed one of those domain names.
Threat intelligence takes many forms. It can include internal intelligence about your organization’s own assets, behavior, and network traffic, commercial intelligence from a vast network of security and technology partners, closed-source community intelligence shared by various industry and vertical groups (e.g. FS-ISAC, R-CISC and ISC-ISAC), and open-source intelligence from publicly available sources such as websites, blogs, social media, and news feeds (see the “Intelligence Sources” graphic below).
Acquiring intelligence isn’t the problem; in fact, it’s quite the opposite. Effectively identifying which data is accurate and relevant from numerous internal and external threat intelligence sources is what organizations are struggling with.
Many security executives have concerns about threat intelligence related to data quality and redundancy, shelf life, public/private data sharing, and delivery standards. However, if processed and applied properly, it can be an invaluable tool.
Putting Intelligence to Work
Nearly half of respondents to Ponemon’s Second Annual Study on Exchanging Cyber Threat Intelligence say their organization had a material security breach that involved an attack that compromised networks or enterprise systems; 65 percent of them reported believing that threat intelligence could have prevented or minimized the consequences of the attack.
Effectively ingesting threat data can enable an organization to gain visibility into the tactics, techniques and procedures that cybercriminals are using in their attacks.
The key words to remember here are “effectively ingest.” The value of threat intelligence to your organization depends on your ability to derive useful data that helps you achieve your business goals. You can invest heavily in the best intelligence platforms and services, but if you’re not ready to integrate the intelligence into existing workflows, create new workflows aimed at critical thinking — not just alerting — and fuse the intelligence with new and existing technologies, the effort will be wasted.
6 Key Steps
Sorting through threat data and operationalizing threat intelligence can be overwhelming. Here are six steps to getting started:
1. Know your environment in and out. In order to be applied, threat intelligence needs to be supported by a solid understanding of your assets, and what’s going on in your network.
What are your most valuable information assets?
Where are they?
Who has access to them and why?
When are they being accessed?
Are the security controls in line with your risk tolerance?
Answering these questions can provide visibility into the critical pieces of your infrastructure, and the users most likely to be targeted by attackers. It will also provide insight into what normal activity looks like, which will better enable you to recognize abnormal patterns of behavior. It is important to think of your organization not only as an ultimate target, but as a stepping stone. Assess your partnerships and business relationships to identify which might provide access to your company’s information in the event of a breach, and vice versa. This in-depth evaluation requires collaboration between IT, security and the business.
2. Establish your business goals. What are your overall business drivers?
Attribution and prosecution?
And what are you looking to accomplish with threat intelligence? Common goals include:
Enhancing automated prevention by analyzing external intelligence and modifying internal controls to better prioritize efforts and address threats.
Shortening the lifecycle of detection and remediation.
Centralizing threat intelligence programs, standardizing processes, and informing staffing and technology decisions.
Automating security operations and remediation efforts to optimize the interaction between security and IT operations.
Augmenting malware detection systems so that when a malicious file is detected, threat intelligence can be used to compare internal threat data to in-the-wild information about attacks, IoCs and threat actors.
3. Assess your capabilities. Establishing an understanding of current capabilities is critical. Consider the following:
Do you have the technology needed to properly ingest XML/CSV/JSON, website content, manufacturer-provided indicators, community and/or industry reports?
Do you have the right staff to collect, vet, curate (tag, classify, annotate etc.) and analyze the information gathered in order to build the necessary context?
Do you have the visibility you need into threats and countermeasures within your environment, and the assets most likely to be targeted?
Do you have the processes in place that will enable you to transform the information into a consumable format and import it into detective and preventive security controls?
Services such as vulnerability assessments, architecture assessments, and compromise assessments will help to determine your existing capabilities, and what is currently going on in your environment. They should be leveraged as part of a continuous vulnerability management program as you move forward. This will help not only with threat intelligence efforts, but can prevent you from overlooking basic, often unnoticed security vulnerabilities such as poor patch management procedures, weak passwords, Web-based personal email services, and a lack of end-user education and sound security policies.
4. Research available products and services. There are a lot of threat intelligence services you can subscribe to in order to aggregate data and help to determine which information is actionable. Some are specific to industry verticals, specific to one manufacturer, open to third-party integration, and others offer automation tools. Each offers different levels of relevance and context, different numbers of indicators, and there are varying levels of effort involved in leveraging the information they provide.
5. Avoid drinking from the firehose. The analytic value of threat data varies; while details such as malicious IP addresses, domains, email attachment names and subject lines can be useful, they are often used only once, and are therefore not good indicators on their own. It’s important to consider the sources and indicators that are best suited to help protect your organization while allowing for actionable results. Knowing the difference between valuable threat data and “noise” will go a long way. Focus only on what applies to your business. A bank doesn’t need intelligence on the kind of attacks being perpetrated against energy companies, for instance.
It is also important to consider the security controls you have in place; a feed that provides file information (e.g. file names, hashes, etc.) will go unused if there is no security control to gather or detect that information.
6. Share and share alike. Sharing non-compromising information will help other organizations in your industry learn more about specific threats. President Obama introduced a new Cyber Threat Intelligence Integration Center last year to provide a central repository for threat intelligence for the government and private industries and signed an Executive Order to promote sharing among private sector organizations. Additionally, emerging languages and standards such as STIX, TAXII, and CyBOX are facilitating the integration and automation of threat intelligence. They are free, open community-driven efforts supported by organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) that can make collaboration easier by allowing the information to be expressed in a standardized format.
The actual practice of exchanging threat intelligence is not as far along as the tools that enable it. Sharing is not yet a standardized process, and much of it is being done offline. Liability concerns and a lack of trust in sources of intelligence has hindered participation; the number of organizations sharing firsthand intelligence is somewhat modest, with the defense and financial services industries leading the way. However, organizations in other industries are starting to follow in their footsteps, building circles of trust with organizations in the same vertical that are not direct competitors. This facilitates the sharing of security principles, threats and mitigation advice. It also enables specific industries to benefit from information about previous attacks and gain insight into who is targeting them and the tactics being used. Exchanging information about past attacks and which vulnerabilities are being exploited can help organizations patch accordingly, and advance their overall defenses.
More than a Buzzword
Dwight D. Eisenhower once said, “In war, nothing is more important…than the facts concerning the strength, dispositions and intentions of [the] opponent, and the proper interpretation of those facts.” While threat intelligence has been used to great effect throughout military history, it has risen from an unknown IT security discipline to the status of cyber-buzzword just in the last few years. Some experts remain skeptical of its value, and improper use can promote a false sense of awareness. But the fact is that in today’s threat landscape, without a threat intelligence-focused strategy, we’re blind. We can no longer deploy the same predictable patterns of network security and static defenses that our cyber adversaries are well-attuned to. The bad guys are getting faster and faster, and intelligence provides a way for organizations to get the insight they need into attackers’ plans, prioritize and respond to threats, shorten the time between attack and detection, and focus staff efforts and decision-making. Properly operationalized, it’s a powerful tool for enhancing the security of your data, your employees, your network and your enterprise.
*Gartner, Smarter with Gartner, Use Threat Intelligence Services for an Agile Defense, June 10, 2015, http://www.gartner.com/smarterwithgartner/use-threat-intelligence-services-for-an-agile-defense/