In recent years, we've seen a disturbing trend in computer network defense: attackers are innovating faster than defenders can keep up. Malware has evolved from primitive code used mainly by the most advanced criminals into commercialized services available to anyone with the money to buy them, and a variety of attack kits are sold on the deep web and dark web to anyone looking to initiate an attack. Many attackers reuse their tactics, techniques and procedures (TTP), adapting their code over time to stay ahead of both security analysts and the anti-virus and anti-malware industry. As the frequency of attacks increases, so does the likelihood that some other organization has already seen the same attack, which is exactly what makes shared intelligence useful.
The idea behind threat intelligence (TI) is to provide the ability to detect and act on indicators of attack (IoA) and indicators of compromise (IoC) in a timely manner. An IoA describes attacker behavior observable while an attack is in progress (for example, a connection to known command and control infrastructure); an IoC is an artifact left behind by a compromise (for example, a file hash or a registry key). An ideal TI capability would recognize an attack in progress by correlating the organization's own security data with shared knowledge of an adversary's TTP.
Organizations today are routinely collecting large volumes of internal security data. In addition, they are augmenting their analyses by purchasing commercial threat intelligence feeds and leveraging open-source threat intelligence software. However, despite these actions and intentions, most organizations still have challenges analyzing and using threat intelligence data.
Creating even greater urgency is the fact that IoA and IoC have a relatively short shelf life. The value of TI data decreases over time, so an organization that cannot act on an indicator quickly loses the opportunity to act on it effectively at all. Many organizations struggle to find value because their intelligence is dated, or because the data ages before they can translate it into a defensive action that stops an imminent attack. To evade detection, attackers alter their TTP by changing command and control (C2) servers and IP addresses and by modifying their malware code base, so network indicators such as IPs and domains tend to go stale much faster than indicators tied to a specific malware sample.
Most organizations do not have the ability to react to imminent threats quickly. Often their TI sources carry bare indicators with no intelligence on the attacker behind them, their tactics, or their infrastructure, which leaves the organization unable to prioritize and address the most significant threats first. Determining the critical elements of your threat intelligence program can be a daunting task.
In order to successfully combat cyber threats, organizations need a threat intelligence approach that identifies accurate, timely and relevant threat data. The true holy grail for threat intelligence is automation: ingesting feeds, enriching and aging indicators, correlating them against internal security data, and triggering a response without a person in the loop for every step, so that analysts see only prioritized, contextualized hits. Automating those steps is a force multiplier in computer network defense. Adding security analyst headcount alone is no longer an effective strategy against cyberattacks that are increasing in both frequency and complexity. Leveraging automation lets an organization reduce its mean time to detection, which in turn reduces the damage an adversary can cause before they are stopped.
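To make the indicator shelf-life and automation points above concrete, here is a small added example (written for this page, not code from any vendor or product) that applies an exponential age decay to feed indicators and then matches them against log lines. Everything in it is constructed: the half-lives per indicator type are assumptions, the indicators use documentation address ranges and a placeholder hash, and the log lines are made up for the example.

```python
"""Time-decayed indicator matching over constructed log lines.

Added illustrative code for this article, not a vendor implementation.
Half-lives, feed entries and log lines are all constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Assumed half-lives in days by indicator type. Attackers rotate network
# infrastructure far faster than a malware sample's hash changes, so IPs and
# domains lose confidence much sooner than file hashes.
HALF_LIFE_DAYS = {"ipv4": 7.0, "domain": 14.0, "sha256": 180.0}


@dataclass(frozen=True)
class Indicator:
    kind: str           # "ipv4", "domain" or "sha256"
    value: str
    base_score: float   # 0..1 confidence assigned by the feed when published
    last_seen: datetime  # when the feed last observed the indicator in use
    context: str        # adversary / TTP context that makes a hit actionable


def decayed_score(ind: Indicator, now: datetime) -> float:
    """Exponential decay of feed confidence with age since last_seen."""
    age_days = max(0.0, (now - ind.last_seen).total_seconds() / 86400)
    return ind.base_score * 0.5 ** (age_days / HALF_LIFE_DAYS[ind.kind])


# Constructed feed entries (documentation ranges, placeholder hash).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
FEED = [
    Indicator("ipv4", "203.0.113.45", 0.9, NOW - timedelta(days=2), "C2 for campaign X"),
    Indicator("ipv4", "198.51.100.7", 0.9, NOW - timedelta(days=60), "old C2, likely rotated"),
    Indicator("domain", "update-cdn.example", 0.8, NOW - timedelta(days=5), "payload staging"),
    Indicator("sha256", "a" * 64, 0.95, NOW - timedelta(days=120), "loader sample"),
]

# Constructed log lines in a simple key=value format.
LOGS = [
    "ts=2024-06-01T11:58:03Z type=proxy src=10.0.0.5 dst=203.0.113.45 host=update-cdn.example",
    "ts=2024-06-01T11:59:10Z type=proxy src=10.0.0.9 dst=198.51.100.7 host=news.example",
    "ts=2024-06-01T12:00:01Z type=edr computer=WS042 sha256=" + "a" * 64,
    "ts=2024-06-01T12:00:02Z type=proxy src=10.0.0.7 dst=192.0.2.10 host=intranet.example",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def extract_observables(line: str) -> list[tuple[str, str]]:
    """Pull candidate (kind, value) pairs out of one key=value log line."""
    fields = dict(KV_RE.findall(line))
    obs = []
    for key in ("src", "dst"):
        if key in fields:
            obs.append(("ipv4", fields[key]))
    if "host" in fields and not re.fullmatch(r"[\d.]+", fields["host"]):
        obs.append(("domain", fields["host"].lower()))
    if "sha256" in fields:
        obs.append(("sha256", fields["sha256"].lower()))
    return obs


def match_logs(logs, feed, now, threshold=0.25):
    """Match observables against the feed; keep hits whose decayed score is
    still above threshold, highest score first so the freshest, most
    confident indicators are triaged ahead of stale ones."""
    index = {(i.kind, i.value): i for i in feed}
    alerts = []
    for line in logs:
        for kind, value in extract_observables(line):
            ind = index.get((kind, value))
            if ind is None:
                continue
            score = decayed_score(ind, now)
            if score >= threshold:  # stale indicators drop out here
                alerts.append({"line": line, "indicator": value,
                               "score": round(score, 3), "context": ind.context})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in match_logs(LOGS, FEED, NOW):
        print(f"{alert['score']:.3f} {alert['indicator']:<22} {alert['context']}")
```

Running it produces three alerts: the two-day-old C2 address first, then the staging domain, then the four-month-old loader hash, which survives only because file hashes are given a long half-life. The hit on 198.51.100.7 is suppressed: a 60-day-old C2 address with a 7-day half-life has decayed to effectively zero, which is the "dated intelligence" problem in miniature. In a real pipeline the decay parameters would come from the feed's own sighting data and the threshold would be tuned per source.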
In addition, organizations need to map their threat intelligence collection strategy to the critical components of the business (e.g., critical systems and infrastructure, intellectual property and sensitive data), so that indicators touching those assets are prioritized over the rest. Often the security team lacks a good understanding of, or context for, which components of the business are actually critical.
Operationalizing a TI strategy can be an overwhelming job for security teams that are often overworked and understaffed. When evaluating your organization's threat intelligence needs, consider the following:
While building a successful threat intelligence capability may seem a fool's errand, the technologies and capabilities needed to automate it are now becoming practical, so companies need to get on board and begin defining their needs and their path forward.