Cyberattack news is overwhelming. Cybersecurity Ventures predicts that to defend themselves against threats, organizations will spend $1 trillion on security between 2017 and 2021. IT-Harvest has identified several thousand cybersecurity vendors. Analyst groups produce reports about security solutions and strategies by the thousands.
The enormous volume of data available about cybersecurity and the tremendous number of vendors competing for a share of the market have created information overload. This is causing organizations to struggle with making smart decisions about how to protect their most valuable data, systems and personnel.
Leaders who want to help their organizations reduce cyber risk don’t need to know everything about cybersecurity. They must understand that effective strategies require a combination of the right talent, technologies, services and information. Even in this era of automation, machine learning and AI, each of these layers remains critically important.
There is not enough space in a single article to dive into each security aspect mentioned. So I’ll use this space to focus only on the crucial “information” layer — more specifically, threat intelligence.
There are multiple definitions of what threat intelligence is. For this discussion, think of it as evidence-based knowledge about an existing or emerging threat that is vital to answering critical questions about security and risk that must be understood to enable rapid and effective responses to adversaries and incidents.
Questions, Answers, Actions
Security and risk are priorities. Organizations know they must invest in improving the former and reducing the latter to defend themselves against threats like ransomware and to prevent costly data breaches.
The increased attention and investment that security is receiving will have little impact if security and risk professionals can’t answer critical questions and take fast action — questions that threat intelligence helps answer and actions that it enables.
Are we being attacked?
Anyone exposed to news and threat research knows that cyberattacks and data breaches are daily occurrences. Organizations don’t need to know about every incident. They do need to know when attackers are targeting their networks. A significant attack that breached the world’s largest data storage facility may be worthy of headlines. It doesn’t mean that the threat actors responsible are also attacking your business. Security and risk teams that can integrate threat intelligence into their security operations gain the ability to know when attacks are targeting their systems and data.
Who is attacking us?
Nation-state hackers and advanced persistent threats (APTs) tend to focus their espionage and surveillance campaigns against governments and supporting groups such as defense contractors. Conversely, threat actors who use ransomware frequently go after organizations that provide essential services to large populations such as hospitals and public agencies. Unsurprisingly, credit card thieves almost always go after large financial institutions and businesses that conduct significant amounts of online transactions.
Most security tools in use within modern organizations will defend against all types of adversaries. However, there is no default security setting that addresses them all. Useful threat intelligence reveals threat actors to security and risk teams, giving organizations the ability to know their attackers. Defenders who know their adversaries are able to build more effective defenses.
Have attacks been successful?
Attackers can dwell inside breached environments for extended periods. Some research shows that threat actors operate for an average of 101 days inside victim networks before being detected. By utilizing threat intelligence, organizations identify breaches much earlier and take swift action to isolate and remove them. The faster that an adversary can be detected and remediated, the less opportunity they have to cause harm.
How should we respond to an attack?
Threat intelligence reveals details about different vectors adversaries use to execute attacks. Organizations that want to take smart defensive actions need to have access to this essential knowledge.
For instance, if threat intelligence indicates that threat actors are running a phishing campaign, security professionals can act on that information to make appropriate changes to email security systems. If threat intelligence identifies cybercriminals luring employees to watering holes, blocking access to malicious URLs can eliminate that threat. If threat intelligence reveals attackers are spreading malware via code vulnerabilities, patching may be in order.
Effective Threat Intelligence
Technology underpins all successful threat intelligence programs. When building or expanding existing capabilities, here are some tips to keep in mind when evaluating products:
• Understand the difference between a threat feed and a threat intelligence platform (TIP). Feeds gather data from all layers of the web. TIPs ingest, enrich and contextualize data, turn it into actionable intelligence, and make it available to answer critical questions and inform smart decisions. Effective threat intelligence programs ingest multiple feeds and rely on a TIP to turn that raw volume into clear, timely intelligence.
• Threat intelligence technologies should provide integration into existing security infrastructures, enabling automated threat detection and blocking for security controls.
• Effective threat intelligence technologies should match external threats with those present in networks, highlighting those that may be going unnoticed due to lack of context and visibility. With the ability to detect adversaries that have penetrated environments, users can quickly remediate problems.
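As an added illustration of the feed-versus-TIP distinction and the matching capability described in these tips (example code written for this edit, not from the article or any product), the script below merges two constructed feeds into one contextualized indicator table and checks constructed internal log lines against it; the feed names, indicators, actor labels and log lines are all made up.

```python
# Constructed feeds (not real data): (indicator, type, attributed actor, confidence).
FEED_A = [
    ("203.0.113.7", "ip", "ransomware-group-X", 80),
    ("bad-update.example", "domain", "ransomware-group-X", 70),
]
FEED_B = [
    ("203.0.113.7", "ip", "ransomware-group-X", 90),
    ("phish-login.example", "domain", "unknown", 60),
]

def build_tip(feeds):
    """TIP-like step: merge raw feeds into one contextualized table keyed by indicator."""
    tip = {}
    for name, feed in feeds.items():
        for value, ioc_type, actor, confidence in feed:
            entry = tip.setdefault(value, {"type": ioc_type, "sources": set(),
                                           "actors": set(), "confidence": 0})
            entry["sources"].add(name)      # which feeds reported it
            entry["actors"].add(actor)      # who it is attributed to
            entry["confidence"] = max(entry["confidence"], confidence)
    return tip

# Constructed internal telemetry: timestamp, host, event type, observed value.
LOGS = [
    "2024-03-01T10:00:01 ws-17 dns bad-update.example",
    "2024-03-01T10:00:05 ws-17 conn 203.0.113.7",
    "2024-03-01T10:01:00 ws-02 dns intranet.corp.example",
]

def match_logs(tip, logs, min_confidence=0):
    """Check internal observations against the TIP; return hits enriched with context."""
    hits = []
    for line in logs:
        ts, host, _event, value = line.split()
        entry = tip.get(value)
        if entry and entry["confidence"] >= min_confidence:
            hits.append({"time": ts, "host": host, "indicator": value,
                         "actors": sorted(entry["actors"]),
                         "sources": sorted(entry["sources"]),
                         "confidence": entry["confidence"]})
    return hits

def hosts_by_actor(hits):
    """Group affected hosts by attributed actor ('who is attacking us?')."""
    out = {}
    for h in hits:
        for actor in h["actors"]:
            out.setdefault(actor, set()).add(h["host"])
    return {actor: sorted(hosts) for actor, hosts in out.items()}
```

Raising min_confidence filters low-confidence feed entries out of the alert stream, which is the kind of context a bare feed cannot provide on its own.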
For centuries, militaries and governments have been utilizing threat intelligence in the physical world for defensive purposes. Threat intelligence gathering and utilization in the cyber landscape is still a relatively new practice, which may cause some organizations to balk at building a program. Fortunately, threat intelligence investments are demonstrating ROI in terms of cost savings and risk reduction.
Recent Accenture Security-funded research revealed that security intelligence and threat sharing provides enterprises with a savings of $2.26 million, on average. A Ponemon report sponsored by our company revealed that 85% of organizations found threat intelligence to be essential to forming a healthy security posture. These are encouraging studies that prove intelligence makes organizations smarter and safer.
Threat intelligence answers primary security questions, enables swift action and delivers measurable ROI. As the threats from cyberattacks, cybercrime and espionage continue to increase, organizations that invest in cyber intelligence will be positioned to defend their vital assets.