Reducing the risk of a costly and embarrassing breach has had a renewed focus within many organisations over the last year, given the constant stream of news in this area. Threat intelligence is seen as something that can help, and it has become a key talking point for businesses, resulting in the term itself becoming heavily overloaded – in the same way that big data and cloud have done in the past.
Threat intelligence can now mean a variety of different things – from feeds of Indicators of Compromise (IOCs) that are used within preventative controls such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to block the latest threats, to statistics and trends derived from feedback on detections from vendor equipment. All of these things are useful, but it is important to be aware that these different kinds of threat intelligence help us in different ways.
Threat intelligence comprising statistics and trends can help us to understand the threat landscape, how it is changing and what we should do to prepare – but – in and of itself this kind of intelligence won’t enhance our protection. Threat intelligence consisting purely of IOCs can be used to enhance and update the detection capabilities of our existing preventative controls; this can help more directly, especially if additional contextual information on the nature of the detected threats is included in the feed.
From the business’s side of things though, what we really care about is reducing the risk of compromise, and detecting more threats doesn’t help us with that. Detecting more low-level threats can mean that we miss the one that matters.
In all cases the best threat intelligence is timely, relevant to our specific business or vertical and high-fidelity. Most threat intelligence data has a fairly short half-life and it is important that we can get the most up to date information into the hands of our security teams and solutions as quickly as possible. Different verticals in different geographies are often being targeted by different attackers using different methodologies – and it’s important we get information that is pertinent to ‘our’ business.
The fidelity of the information is also key, because generating large numbers of false positives can bury the ‘real’ incident under a pile of non-events. This is why choosing the right sources of threat intelligence is very important.
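One way to apply the timeliness, relevance and fidelity tests before indicators reach a detection control, as an added illustration that is not part of the original article; the feed entries, sector tags, thresholds and log lines are all constructed, not real indicators:

```python
"""Filter an IOC feed for freshness, sector relevance and confidence before
matching it against logs, so stale or low-fidelity indicators do not bury the
real hit. All feed entries and log lines below are constructed samples."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2015, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

def _d(days):
    return NOW - timedelta(days=days)

# Constructed feed: indicator, type, first-seen time, vendor confidence (0-100),
# and the verticals the indicator has been observed targeting.
FEED = [
    {"value": "203.0.113.7",  "type": "ip",     "seen": _d(2),   "confidence": 90, "sectors": {"finance"}},
    {"value": "198.51.100.9", "type": "ip",     "seen": _d(400), "confidence": 85, "sectors": {"finance"}},
    {"value": "192.0.2.25",   "type": "ip",     "seen": _d(1),   "confidence": 20, "sectors": {"retail"}},
    {"value": "bad.example",  "type": "domain", "seen": _d(5),   "confidence": 80, "sectors": {"finance", "retail"}},
]

# Constructed outbound proxy/firewall log lines: timestamp, source -> destination:port.
LOGS = [
    "2015-06-01T09:00:01Z 10.1.1.5 -> 203.0.113.7:443",
    "2015-06-01T09:00:02Z 10.1.1.6 -> 198.51.100.9:80",
    "2015-06-01T09:00:03Z 10.1.1.7 -> 192.0.2.25:443",
    "2015-06-01T09:00:04Z 10.1.1.8 -> bad.example:443",
]

def filter_feed(feed, sector, max_age_days=90, min_confidence=60, now=NOW):
    """Keep indicators that are fresh (short half-life), tagged for our
    vertical, and confident enough not to flood analysts with false positives."""
    cutoff = now - timedelta(days=max_age_days)
    return [i for i in feed
            if i["seen"] >= cutoff
            and i["confidence"] >= min_confidence
            and sector in i["sectors"]]

def match_logs(indicators, logs):
    """Return (log line, indicator) pairs for every destination in the logs
    that matches an indicator value."""
    lookup = {i["value"] for i in indicators}
    hits = []
    for line in logs:
        dest = line.split("-> ", 1)[1].rsplit(":", 1)[0]  # strip the port
        if dest in lookup:
            hits.append((line, dest))
    return hits

if __name__ == "__main__":
    print("unfiltered hits:", len(match_logs(FEED, LOGS)))
    print("filtered hits:  ", len(match_logs(filter_feed(FEED, "finance"), LOGS)))
```

Feeding the raw list in fires on all four lines; after filtering for a finance organisation only the fresh, high-confidence, sector-relevant indicators remain, and the two real hits are no longer hidden among noise.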
Most organisations tend to opt for the feeds of information that come from their security solution vendors, but these vary in source, quality and content. However, we should also remember there are others who have information that could be very useful, for example, competitors within the same vertical or geography. These organisations will have information on the attacks they have seen that could be useful to us – and vice versa. Unfortunately though, sharing of information in most verticals is not common.
Recent research from the Ponemon Institute looking into how retail and financial organisations dealt with advanced threats showed that the average dwell time (the time a threat / attacker remains undetected within a network) for the finance vertical was roughly half that of retail. Interestingly, one of the key differences between the verticals in the steps taken to deal with threats – a 26 per cent difference in adoption – was in the sharing of threat intelligence information with others in the same vertical (or with government agencies).
The finance vertical is a good example of where sharing happens and is effective at helping in the fight against attackers. We should remember that attackers often co-operate and share information and tools. If we try to combat them on our own we are not maximising our chances of success – but if we share information our collective capability is much greater. This is why things like CiSP, part of CERT-UK, and organisations like Red Sky Alliance can be very important, as they can act as brokers of threat intelligence to ensure it is disseminated quickly and accurately.
By using threat intelligence in the right way we can reduce our risk of compromise, but the key here is that threat intelligence isn’t just something we should consume, it’s something we should all contribute towards.