
Threat Intelligence. Fool's Errand or Holy Grail?


Over the past few years, the idea of threat information sharing has been gaining traction. But will this actually help anything? Read on to find out.


In recent years, we've seen a disturbing trend in computer network defense — attackers are innovating at a much faster pace than defenders can keep up with. We've seen malware evolve from primitive code used primarily by the advanced criminal element to commercialized services available to anyone with the financial means to purchase them. A variety of kits are available on the deep web and dark web for anyone looking to initiate an attack. Many attackers reuse tactics, techniques and procedures (TTP), adapting their code over time to keep ahead of both security analysts and the anti-virus and anti-malware industry. As the frequency of attacks continues to increase, so does the likelihood that an organization has seen the attack before.

The idea behind threat intelligence (TI) is to provide the ability to detect and act on indicators of attack (IoA) and indicators of compromise (IoC) in a timely manner. An ideal TI capability would recognize indicators of an attack in progress by analyzing security data pieced together with shared knowledge about an adversary’s TTP.

Fool's Errand

Organizations today are routinely collecting large volumes of internal security data. In addition, they are augmenting their analyses by purchasing commercial threat intelligence feeds and leveraging open-source threat intelligence software. However, despite these actions and intentions, most organizations still have challenges analyzing and using threat intelligence data.

Creating even greater urgency is the fact that IoA and IoC have a relatively short shelf life. The value of TI data decreases over time, so an organization that cannot act on an indicator quickly soon loses the chance to act on it effectively. Many organizations are struggling to find value because their intelligence is dated, or because the data ages before they can translate it into a defensive action that stops an imminent attack. To evade detection, attackers will alter their TTP by changing command and control (C2) servers, IP addresses, and malware code base.

Most organizations do not have the ability to react to imminent threats quickly. Many times, their TI sources do not include intelligence on the attacker, their tactics, and infrastructure. This creates a scenario where they are unable to quickly prioritize and address the most significant threats. Determining the critical elements of your threat intelligence program can be a daunting task.

Holy Grail

In order to successfully combat cyber threats, organizations need a threat intelligence approach that identifies accurate, timely and relevant threat data. The true holy grail for threat intelligence is automation. Removing human interaction from the process is a force multiplier in computer network defense. Adding a security analyst headcount is no longer an effective strategy in addressing cyberattacks that are increasing in frequency and complexity. Leveraging automation will allow an organization to reduce the mean time to detection, which, in turn, reduces the potential damage an adversary may cause.

In addition, organizations need to map their threat intelligence data collection strategy to critical components of the business (e.g., critical systems and infrastructure, intellectual property and sensitive data). Often the security team does not have a good understanding and/or context of the critical components of the business.

Operationalizing a TI strategy can be an overwhelming job for security teams that are often overworked and understaffed. When evaluating your organization's threat intelligence needs, consider the following:

  • Define what threat intelligence means to your organization and the critical components of the business you want to protect.
  • Define how your organization will leverage threat intelligence for risk management and incident response.
  • Augment your threat intelligence analysis with commercial threat feeds that have specific context to your infrastructure, systems, vulnerabilities, geography, and industry vertical.
  • Create a threat intelligence platform that aggregates data from all available sources and allows for real-time security analysis.

While it may seem a fool's errand to attempt building a successful threat intelligence solution, the holy grail of technologies and capabilities needed is now becoming a reality — so companies need to get on board and begin defining their needs and path forward.
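The two technical points above, that indicators lose value as they age and that a platform should merge every available feed before matching it against live security data, can be shown together in a small script. The following is an added example and is not code from the article or from any product it mentions; the feeds, the indicator values (documentation ranges and `.example` names), the log lines, and the half-life decay rates are all constructed for illustration. It merges two feeds into one index, scores each indicator by freshness and by how many sources corroborate it, then matches the index against a few proxy and DNS log lines and flags which hits are still worth acting on.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the example is reproducible (constructed).
NOW = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample feeds. Each entry: indicator type, value, and when the
# source last observed it. These are not real indicators of compromise.
FEEDS = {
    "commercial_feed": [
        {"type": "ipv4", "value": "198.51.100.23", "last_seen": NOW - timedelta(days=2)},
        {"type": "domain", "value": "update-check.example", "last_seen": NOW - timedelta(days=40)},
    ],
    "open_source_feed": [
        {"type": "ipv4", "value": "198.51.100.23", "last_seen": NOW - timedelta(days=1)},
        {"type": "ipv4", "value": "203.0.113.9", "last_seen": NOW - timedelta(days=90)},
        {"type": "domain", "value": "cdn-sync.example", "last_seen": NOW - timedelta(hours=6)},
    ],
}

# Assumed decay rates: attacker IPs rotate faster than domains, so an IP
# indicator loses half its value in a week, a domain in a month.
HALF_LIFE_DAYS = {"ipv4": 7.0, "domain": 30.0}

# Constructed log lines in a simple key=value format.
LOGS = [
    "2017-06-01T11:58:02Z proxy client=10.0.0.14 dst=198.51.100.23 host=- action=allow",
    "2017-06-01T11:59:40Z dns client=10.0.0.22 query=cdn-sync.example type=A",
    "2017-06-01T12:00:05Z proxy client=10.0.0.7 dst=203.0.113.9 host=- action=allow",
    "2017-06-01T12:00:11Z dns client=10.0.0.14 query=intranet.corp.local type=A",
]

KV = re.compile(r"(\w+)=(\S+)")


def freshness(indicator_type, last_seen, now=NOW):
    """Exponential decay: 1.0 when just seen, 0.5 after one half-life, and so on."""
    age_days = max((now - last_seen).total_seconds() / 86400.0, 0.0)
    return 0.5 ** (age_days / HALF_LIFE_DAYS[indicator_type])


def aggregate(feeds, now=NOW):
    """Merge all feeds into one index keyed by (type, value).

    The most recent sighting across feeds is kept, and the score combines
    freshness with corroboration: one source gives weight 0.5, two give 0.75,
    three give 0.875, so independently confirmed indicators rank higher.
    """
    merged = {}
    for source, entries in feeds.items():
        for entry in entries:
            key = (entry["type"], entry["value"])
            rec = merged.setdefault(key, {"sources": set(), "last_seen": entry["last_seen"]})
            rec["sources"].add(source)
            rec["last_seen"] = max(rec["last_seen"], entry["last_seen"])
    for (itype, _value), rec in merged.items():
        corroboration = 1.0 - 0.5 ** len(rec["sources"])
        rec["score"] = round(freshness(itype, rec["last_seen"], now) * corroboration, 3)
    return merged


def classify(value):
    """Decide which indicator type a log field value could match, or None."""
    try:
        if isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address):
            return "ipv4"
        return None
    except ValueError:
        return "domain" if "." in value else None


def match_logs(lines, indicators, min_score=0.2):
    """Return every log field that matches an indicator, highest score first.

    A hit is marked actionable only if its decayed score is still above
    min_score, so stale indicators do not generate alerts an analyst must triage.
    """
    hits = []
    for line in lines:
        for field, value in KV.findall(line):
            itype = classify(value)
            rec = indicators.get((itype, value)) if itype else None
            if rec is None:
                continue
            hits.append({
                "line": line, "field": field, "indicator": value, "type": itype,
                "score": rec["score"], "sources": sorted(rec["sources"]),
                "actionable": rec["score"] >= min_score,
            })
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    index = aggregate(FEEDS)
    for hit in match_logs(LOGS, index):
        flag = "ACT" if hit["actionable"] else "stale"
        print(f"[{flag}] score={hit['score']:.3f} {hit['type']}={hit['indicator']} "
              f"sources={','.join(hit['sources'])} :: {hit['line']}")
```

Running the script shows the point of the decay: the IP seen yesterday by both feeds scores highest and is flagged, the domain seen six hours ago by one feed is flagged, and the IP that no feed has seen in 90 days still matches a log line but is reported as stale rather than raised as an alert. The half-lives and the 0.2 cut-off are knobs an organization would tune from its own experience with how quickly attackers rotate infrastructure.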


    Published at DZone with permission of Adnan Khaleel, DZone MVB. See the original article here.
