The Importance Of Cyber Intelligence In A Firm’s Operations
When a threat intelligence capability is first being built, it is vital to understand the services, providers, tools and platforms that are currently available. Unfortunately, as interest in this area of security has grown, the term “cyber threat intelligence” has been adopted in many places where it does not really apply. In particular, the terms “data”, “information” and “intelligence” are often used interchangeably, and they are not the same thing.
Intelligence tells a story that informs decision making. It rarely answers a simple question; rather, it paints a picture that helps people answer much more complicated ones. Information on buying trends, for example, combined with behavioral psychology research, can help shoppers find the items they want. That intelligence does not directly answer the question of how to make people buy more, but it feeds a business decision-making process.
In many cases, plugging in a threat feed is treated as the “on” switch for a threat intelligence capability. Because such feeds are often open source and deal in technical indicators, they are touted as a good starting point for a strategy. Cyber threat intelligence is a relatively new area of information security, and those who sell the relevant services and technology have an interest in making sure organizations understand the benefits the capability will bring. But, as with any emerging technology, the hype sometimes outruns reality, so expectations must be managed carefully.
Because there is exponentially more data than ever before, there are also many more opportunities to derive intelligence from it. But with so many sources and so much data, this is hard to do manually. The term “cyber threat intelligence” is often used to describe these sources themselves, when in reality they are merely data sources that must be processed before their output can be called intelligence.
Sources of Intelligence
Social media
Undoubtedly there is a lot of potentially useful data on social media channels, but separating false positives and misinformation from genuine signal is difficult. We will generally find many references to the same threats and tactics, and wading through the duplicates is a heavy burden for security analysts.
Dark web (the part of the Internet reachable only through overlay networks such as Tor, which search engines do not index)
It is often the source of very specific information about tactical and technical threats, but it is very difficult to access, especially the higher-level criminal communities. Since many of these communities do not operate in English, language is also a frequent obstacle.
Technical data (for example, threat lists, spam, malware, malicious infrastructure)
This kind of data is available in large quantities, often free of charge. Because it consists of discrete, machine-readable indicators, it is easy to integrate into existing security technologies, although a great deal of additional analysis is needed to obtain real context. These sources carry a high probability of false positives, and their contents are frequently out of date.
Public media
These sources often provide useful pointers to new and emerging threats, but it will be difficult to connect them with relevant technical indicators in order to measure the genuine risk each one poses on its own.
Because these channels are specifically designed to host relevant discussions, they are a potentially valuable source of information about threats. That said, time must be spent collecting and analyzing them to identify what is truly valuable.
Organizations often take a volumetric approach to security, particularly when addressing vulnerabilities. Without threat intelligence to inform the strategy, it is only natural to prioritize vulnerabilities by the number of susceptible systems. With a robust threat intelligence program that draws vulnerability analysis from a wide variety of sources, however, firms can take a much more strategic, risk-based approach. Instead of painting by numbers, organizations can consult a range of sources and receive alerts about specific indicators that raise the risk of a CVE being exploited.
Seventy-five percent of the vulnerabilities reported since the beginning of 2016 appeared on websites and social networks an average of seven days before the primary information channels. And as references to a disclosed vulnerability increase, so does the likelihood of exploitation. The nature of the sources is also a factor: a string of references in criminal forums or dark web communities contributes to a higher risk score, as threat actors begin to discuss and share exploitation methods. The risk rises again once indicators show that the vulnerability has been incorporated into an exploit kit.
Clearly, this kind of intelligence makes vulnerability prioritization both simpler and more powerful. After all, however few assets are affected, a vulnerability whose exploit is being actively discussed in dark web forums deserves attention. With a strong threat intelligence capability, this content can be collected, analyzed and continuously used to inform a risk-based information security strategy, identifying the most important threats to the organization at any given moment and allocating resources accordingly.
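As an added example, not part of the original article, the following scoring sketch contrasts the volumetric ranking with a risk-based one built from the indicators the text lists: open-web references, criminal-forum discussion and exploit-kit inclusion. It also replays the sequence the text describes (references accumulate, forum discussion appears, the bug lands in an exploit kit) and shows the score and tier stepping up at each stage. The weights, thresholds, placeholder vulnerability names (VULN-1 and so on, deliberately not real CVE identifiers) and asset counts are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Vuln:
    name: str               # placeholder label for the example, not a real CVE identifier
    affected_assets: int    # what a purely volumetric approach counts
    references: int         # open-web / social references observed so far
    forum_discussion: bool  # referenced in criminal-forum / dark-web communities
    exploit_kit: bool       # indicators show inclusion in an exploit kit


# Hypothetical weights, assumed for this example; tune them against your own history.
REFERENCE_WEIGHT = 2
REFERENCE_CAP = 20          # stop rewarding references beyond this count
FORUM_WEIGHT = 30
EXPLOIT_KIT_WEIGHT = 50

# Constructed portfolio of four placeholder vulnerabilities.
PORTFOLIO = [
    Vuln("VULN-1", affected_assets=400, references=1,  forum_discussion=False, exploit_kit=False),
    Vuln("VULN-2", affected_assets=12,  references=15, forum_discussion=True,  exploit_kit=True),
    Vuln("VULN-3", affected_assets=150, references=8,  forum_discussion=True,  exploit_kit=False),
    Vuln("VULN-4", affected_assets=60,  references=0,  forum_discussion=False, exploit_kit=False),
]


def risk_score(v: Vuln) -> int:
    """Threat-side score from the indicators the text describes (0..120 with these weights)."""
    score = min(v.references, REFERENCE_CAP) * REFERENCE_WEIGHT
    if v.forum_discussion:
        score += FORUM_WEIGHT
    if v.exploit_kit:
        score += EXPLOIT_KIT_WEIGHT
    return score


def risk_tier(score: int) -> str:
    """Assumed tier thresholds for alerting."""
    if score >= 80:
        return "critical"
    if score >= 40:
        return "high"
    if score >= 10:
        return "medium"
    return "low"


def rank_volumetric(vulns):
    """The 'painting by numbers' order: most susceptible systems first."""
    return [v.name for v in sorted(vulns, key=lambda v: v.affected_assets, reverse=True)]


def rank_by_risk(vulns):
    """Risk-based order: threat score first, asset count only as a tiebreaker."""
    return [v.name for v in sorted(vulns, key=lambda v: (risk_score(v), v.affected_assets), reverse=True)]


def apply_observation(v: Vuln, new_references: int = 0,
                      forum_discussion=None, exploit_kit=None) -> int:
    """Fold a new observation into the record and return the updated score."""
    v.references += new_references
    if forum_discussion is not None:
        v.forum_discussion = forum_discussion
    if exploit_kit is not None:
        v.exploit_kit = exploit_kit
    return risk_score(v)


if __name__ == "__main__":
    print("volumetric :", rank_volumetric(PORTFOLIO))
    print("risk-based :", rank_by_risk(PORTFOLIO))
    for v in PORTFOLIO:
        s = risk_score(v)
        print(f"  {v.name}: assets={v.affected_assets:3} score={s:3} tier={risk_tier(s)}")

    # Replay the escalation described in the text on a fresh placeholder record.
    v = Vuln("VULN-X", affected_assets=5, references=0, forum_discussion=False, exploit_kit=False)
    for label, kwargs in [("six new open-web references", {"new_references": 6}),
                          ("discussion on a criminal forum", {"forum_discussion": True}),
                          ("added to an exploit kit", {"exploit_kit": True})]:
        s = apply_observation(v, **kwargs)
        print(f"  {v.name}: after {label}: score={s} tier={risk_tier(s)}")
```

With the constructed portfolio the volumetric order is VULN-1, VULN-3, VULN-4, VULN-2, while the risk-based order is VULN-2, VULN-3, VULN-1, VULN-4: the bug on only twelve systems moves from last to first because it is already in an exploit kit. The replay shows a record climbing from low to medium, high and critical as each indicator arrives, which is exactly the alerting signal the text argues a volumetric approach cannot produce.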
How can these pitfalls be avoided? Two things help:
- Define the goals, and stick to them
The clearer you are about the areas in which you believe threat intelligence will change your security posture, the more likely you are to succeed. Do not be afraid to be very specific from the outset so that you maximize value in just a few key areas.
- Do not look for a provider, find a partner
Once the initially established objectives are reached, developing the capability further means setting new goals. A threat intelligence provider that invests in your success and works with the firm to discover new potential use cases is far more valuable than one that simply sees your organization as another paycheck.