19 Jun 2017

Hurricanes, earthquakes and cyber threat intelligence

To guard against the threats posed by cyber attack, organisations need to be smart about their intelligence gathering and analysis, as defence features writer Mark Lane discovers talking to ThreatQuotient’s Steve Rivers.

Would you rather be hit by a hurricane or an earthquake?

Neither sounds appealing, but welcome to the world of cyber threats.

These, according to Steve Rivers, a threat intelligence engineer at ThreatQuotient, are the two categories of cyber threat that organisations face.

Hurricanes in the cyber world, much like those in the natural world, are those attacks you can see coming, while earthquakes are those you can’t.

He warns that both are inevitable, and, in the face of that, organisations need to plan and take action accordingly.

This, he believes, should start with an understanding of what threat intelligence is and how to make that intelligence relevant and actionable.

He says: “The key is being prepared for both the foreseeable attacks as well as the ones that sneak up on you. This is where threat intelligence comes in, helping your organisation transition from constantly just reacting to threats to becoming more proactive in its approach. Threat intel allows you to prepare for the hurricanes and respond to the earthquakes with an efficient, integrated approach.”

He argues that most organisations think about threat intelligence in terms of multiple data feeds to which they subscribe – commercial sources, open source and additional feeds from security vendors – each in a different format and most without any context to allow for prioritisation. This global threat data does give some insight into activities happening outside of the enterprise; not only the attacks themselves, but also how attackers are operating and infiltrating networks.

However, as a consequence of this multiplicity of undifferentiated sources, most organisations suffer from data overload.

Rivers explains: “Without the tools and insights to automatically sift through mountains of disparate global data and aggregate it for analysts and action, this threat data becomes noise. You have alerts around attacks that aren’t contextualised, relevant or a priority. To make more effective use of this data, it must be aggregated in one manageable location and translated into a uniform format so that you can automatically get rid of the noise and focus on what’s important.”

He believes that, in order to defend itself, an organisation should concentrate on threats; once global threat data is organised, it can focus on the hurricanes and earthquakes that potentially make up those threats.

He says: “Hurricanes are the threats which you know about, can prepare for, protect against and anticipate based on past trends. For example, based on research, say that we know a file is malware. This intelligence should be operationalised, turned into a policy, rule or signature and sent to the appropriate sensor so that it can prevent bad actors from stealing valuable data, creating a disruption or causing damage. As security operations become more mature, you can start to receive alerts on these known threats in addition to automatically blocking them so that you can learn more about the adversary. This allows you to focus on the attacks that really matter.”

Earthquakes are the unknown threats or threats that an organisation may not have adequate countermeasures against or which have bypassed existing defences. Once they have gained entry to the network, then the challenge is to detect, respond and recover.

“This hinges on the ability to turn global threat data into threat intelligence by enriching that data with internal threat and event data and allowing analysts to collaborate for better decision-making,” says Rivers.

“Threat intelligence helps you better scope the campaign once the threat is detected, learn more about the adversary and understand affected systems and how to best remediate. By correlating events and associated indicators from inside your environment – for example, SIEM alerts or case management records – with external data on indicators, adversaries and their methods, you gain the context to understand the who, what, when, where, why and how of an attack.”

He argues that, by going a step further and applying context to its business processes and assets, an organisation will be better able to assess relevance.

“Is anything the organisation cares about at risk? If the answer is no, then what you suspected to be a threat is low priority. If the answer is yes, then it’s a threat. Either way, you have the intelligence you need to quickly take action.”

Rivers emphasises the importance of making intelligence actionable, highlighting three attributes that help to define what “actionable” means:

  • Accuracy – is the intelligence reliable and detailed?
  • Relevance – does the intelligence apply to your business or industry?
  • Timeliness – is the intelligence being received in time to do something about any threat which it might indicate?

“An old industry joke is that you can only have two of the three, so you need to determine what’s most important to your business,” says Rivers. “If you need intelligence as fast as possible to deploy to your sensors, then accuracy may suffer and you might expect some false positives. If the intelligence is accurate and timely, then you may not have been able to conduct thorough analysis to determine if the intelligence is relevant to your business. This could result in expending resources on something that doesn’t present a lot of risk.”

Ultimately, the goal is to make threat intelligence actionable. However, what is actionable is defined by the user. The security operations centre typically looks for IP addresses, domain names and other indicators of compromise – anything that will help to detect and contain a threat and prevent it in the future.
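As an added illustration of the workflow Rivers describes above (aggregating disparate feeds into a uniform format, correlating them with internal SIEM alerts, applying business context and weighing accuracy, relevance and timeliness), the Python below is example code written for this page, not ThreatQuotient's product or the article's own material. The two feed schemas, the SIEM alert fields, the critical-asset list, the 30-day timeliness window and the scoring weights are all constructed assumptions.

```python
import csv, io, json
from datetime import datetime, timezone

NOW = datetime(2017, 6, 19, tzinfo=timezone.utc)  # constructed "current" time
# Constructed feed A: CSV with a 0-100 confidence column.
FEED_A_CSV = """indicator,type,confidence,first_seen
198.51.100.7,ip,90,2017-06-18
example-bad.test,domain,40,2017-03-01
"""
# Constructed feed B: JSON lines with a different schema for the same kind of data.
FEED_B_JSONL = """{"value": "203.0.113.5", "kind": "ipv4", "score": 0.7, "ts": "2017-06-17T00:00:00Z"}
{"value": "198.51.100.7", "kind": "ipv4", "score": 0.95, "ts": "2017-06-16T00:00:00Z"}
"""
# Constructed internal SIEM alerts and a constructed list of business-critical assets.
SIEM_ALERTS = [{"src_ip": "198.51.100.7", "dst_host": "payroll-db01"},
               {"src_ip": "203.0.113.5", "dst_host": "guest-wifi-ap"}]
CRITICAL_ASSETS = {"payroll-db01"}

def normalise() -> dict:
    """Aggregate both feeds into one uniform record format keyed by indicator value."""
    intel = {}
    for row in csv.DictReader(io.StringIO(FEED_A_CSV)):
        intel.setdefault(row["indicator"], []).append({
            "type": row["type"], "confidence": int(row["confidence"]) / 100,
            "seen": datetime.strptime(row["first_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)})
    for line in FEED_B_JSONL.splitlines():
        rec = json.loads(line)
        intel.setdefault(rec["value"], []).append({
            "type": "ip" if rec["kind"] == "ipv4" else rec["kind"], "confidence": rec["score"],
            "seen": datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))})
    return intel

def score(sources: list) -> dict:
    """Accuracy: best source confidence, boosted when feeds agree. Timeliness: 30-day linear decay."""
    accuracy = max(s["confidence"] for s in sources) + (0.05 if len(sources) > 1 else 0)
    age_days = (NOW - max(s["seen"] for s in sources)).days
    return {"accuracy": min(1.0, accuracy), "timeliness": max(0.0, 1 - age_days / 30)}

def correlate() -> list:
    """Join internal alerts to external indicators (unmatched ones are noise and drop out);
    relevance comes from business context: does the alert touch a critical asset?"""
    intel, ranked = normalise(), []
    for alert in SIEM_ALERTS:
        if alert["src_ip"] not in intel:
            continue
        s = score(intel[alert["src_ip"]])
        s["relevance"] = 1.0 if alert["dst_host"] in CRITICAL_ASSETS else 0.3
        s["priority"] = s["accuracy"] * s["relevance"] * s["timeliness"]
        ranked.append({"indicator": alert["src_ip"], "asset": alert["dst_host"], **s})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)
```

The indicator seen by two feeds, hitting a critical asset and sighted yesterday ranks first; the domain with no internal match never reaches an analyst.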

For the network team, this means hardening defences with information on vulnerabilities, signatures and rules to update firewalls, as well as patch and vulnerability management systems.

The incident response team needs intelligence about the adversary and the campaigns involved so they can investigate and remediate. The executive team and board need intelligence about threats in business terms – the financial and operational impact – in order to increase revenue and protect shareholders and the company as a whole.

“Analysts must work together and across the organisation to provide the right intelligence in the right format and with the right frequency so that it can be used by multiple teams,” says Rivers.

He notes that while operationalising threat intelligence will take time and requires thorough planning, many organisations are already beginning to move from a reactive posture to one which is more proactive.

“But,” he adds, “in order to make time to look out at the horizon and see and prepare for hurricanes while also dealing with earthquakes, organisations need to move to an anticipatory model with contextual intelligence, relevance and visibility into trends in the threat landscape.”


The post Hurricanes, earthquakes and cyber threat intelligence appeared first on Defence Online.