What does threat mitigation mean in practice?
Cyber threats have reached epidemic proportions. In the UK for example, nearly half (43%) of all businesses polled by the government in 2018 said they’d suffered a security breach or attack in the previous 12 months — and the real figure could be much higher. One vendor said it blocked over 20.4 billion threats online in the first half of the year alone, and these are only the attacks that were detected. Many still fly under the radar to deliver ransomware, data-stealing payloads and more.
In the face of these challenges, CISOs need effective threat intelligence to help them better manage cyber risk. It offers a valuable opportunity to maximize limited resources, enhance decision-making and, most importantly, wrest the initiative back from the attackers.
Threat intelligence is not just about stopping attacks in their tracks. In reality, there are steps you can take before, during and after an attack to mitigate the impact of future threats. Some are more tactical maneuvers, while others can be viewed from a more operational or strategic angle. All will help.
Forewarned is forearmed
Effective threat intelligence offers stretched security teams a crucial helping hand: enabling them to better prepare for what might be coming their way. In cybersecurity as in battle, forewarned is forearmed, and TI provides that early warning. It enables teams to prioritize activities which they believe will be needed to counter the most likely threats, and protect those assets they think are most in danger of being compromised.
How does this work in practice? By integrating technical indicators like file hashes, malicious domains, email subjects, links and attachments, and DLLs into threat feeds. When these are fed directly into other parts of the security infrastructure like firewalls, SIEMs and intrusion prevention and detection systems, organizations can block bad IPs, URLs and the like. Effectively, this means you’re automatically defending against threats before they’ve even been launched.
The better the TI tool, the more contextualized the intelligence you will receive. You may be able to gather intel on specific malware families and exploits targeting other organizations in your sector, for example. This will allow you to take action ahead of time, patching any relevant vulnerabilities, tweaking firewall rules and/or taking other proactive steps to stay safe.
During an attack
If the worst happens and you’re staring down the barrel of an attack in progress, threat intelligence also comes into its own. The key advantage is in speeding your response. Feed that TI into SIEMs and endpoint solutions and you’ve just accelerated your incident detection. Many organizations struggle with this, because even if they’re running machine-readable threat intelligence (MRTI) systems, they may be bombarded with too many alerts, which can severely slow down stretched Security Operations Center (SOC) and IT teams.
Once again, the key is context. A good MRTI feed of IP addresses or domain names, for example, can be converted into actionable threat intelligence for teams to prioritize response and streamline operations when it is processed by a platform, or by a vendor-specific tool like Threat Compass. You can also use TI to get even more proactive. Threat hunting leverages operational intelligence to look for hidden clues that a security incident may be taking place. Crucially, it provides deeper insight into the motivations of the attacker, allowing teams to discard anything irrelevant and maximize their time and effort.
After the event
This is where we come full circle back to the beginning. There’s plenty that effective TI can do for security teams to help boost forensics and investigations after an attack so they can improve resilience going forward. TI can help at the start of investigations by enabling teams to gain a deeper understanding of who was doing the attacking, and what tools, techniques and procedures (TTPs) they used. This will help efforts to protect key assets in the future. It can also uncover new intelligence which may have been missed the first time round. A single malicious IP address may subsequently be connected to a wider campaign with additional IOCs you can feed into TI systems to improve resilience, for example.
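The three preceding sections describe one workflow: technical indicators in a feed are matched against firewall, proxy and endpoint telemetry, hits are ranked by context and freshness rather than treated as equal alerts, and a single hit is pivoted into the rest of its campaign so the remaining IOCs can be fed back into the defenses. The script below, an added example that is not code from the original post or from any vendor's product, shows that workflow end to end. The feed entries, campaign names, log lines and the freshness weights are all constructed for illustration (the IPs are RFC 5737 documentation addresses); a real deployment would take the feed and logs from a TI platform and SIEM instead.

```python
"""Match a contextualized IOC feed against log lines, rank hits, pivot to campaign.

Added example. All indicators, campaigns and log lines are constructed placeholders.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Indicator:
    value: str       # the observable: IPv4, domain or SHA-256
    kind: str        # "ip", "domain" or "sha256"
    confidence: int  # 0-100, as a feed provider would score it
    campaign: str    # the context a raw IP/domain list lacks
    last_seen: date  # when the provider last observed the indicator


# Constructed feed: documentation IPs and a reserved example domain, not real IOCs.
FEED = [
    Indicator("203.0.113.45", "ip", 90, "campaign-A (credential phishing)", date(2018, 9, 10)),
    Indicator("198.51.100.7", "ip", 35, "mass scanner noise", date(2018, 3, 1)),
    Indicator("bad.example", "domain", 80, "campaign-A (credential phishing)", date(2018, 9, 12)),
    Indicator("a" * 64, "sha256", 95, "ransomware loader (constructed)", date(2018, 9, 11)),
]

# Constructed log lines in a firewall / proxy / EDR style.
LOG_LINES = [
    "2018-09-14T10:01:02Z FW allow src=10.0.0.5 dst=203.0.113.45 dport=443",
    "2018-09-14T10:02:10Z PROXY GET http://bad.example/login user=alice",
    "2018-09-14T10:03:00Z FW allow src=10.0.0.8 dst=198.51.100.7 dport=22",
    "2018-09-14T10:04:00Z EDR file_hash=" + "a" * 64 + " path=C:\\Users\\bob\\Downloads\\inv.exe",
    "2018-09-14T10:05:00Z FW allow src=10.0.0.9 dst=10.0.0.1 dport=53",
]

_IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_URL_HOST = re.compile(r"https?://([^/\s:]+)")
_SHA256 = re.compile(r"\b[0-9a-f]{64}\b")


def extract_observables(line):
    """Pull (kind, value) observables out of one log line."""
    found = set()
    for ip in _IP.findall(line):
        found.add(("ip", ip))
    for host in _URL_HOST.findall(line):
        found.add(("domain", host.lower()))
    for digest in _SHA256.findall(line):
        found.add(("sha256", digest))
    return found


def freshness_weight(ind, today):
    """Down-weight stale indicators (constructed step function, not a standard)."""
    age_days = (today - ind.last_seen).days
    if age_days <= 30:
        return 1.0
    if age_days <= 180:
        return 0.5
    return 0.2


def match_logs(lines, feed, today):
    """Return feed hits in the logs, highest priority first.

    Priority = provider confidence scaled by freshness, so an old low-confidence
    scanner IP lands at the bottom instead of competing with a fresh loader hash.
    """
    index = {(i.kind, i.value): i for i in feed}
    hits = []
    for line in lines:
        for obs in extract_observables(line):
            ind = index.get(obs)
            if ind is None:
                continue
            score = round(ind.confidence * freshness_weight(ind, today), 1)
            hits.append({"score": score, "indicator": ind.value,
                         "campaign": ind.campaign, "log": line})
    hits.sort(key=lambda h: h["score"], reverse=True)
    return hits


def related_indicators(feed, campaign, already_seen):
    """Pivot: other IOCs from the same campaign not yet observed, to feed back."""
    return sorted(i.value for i in feed
                  if i.campaign == campaign and i.value not in already_seen)


if __name__ == "__main__":
    today = date(2018, 9, 14)
    for hit in match_logs(LOG_LINES, FEED, today):
        print(f"{hit['score']:5.1f}  {hit['indicator']:<16} {hit['campaign']}")
    print("pivot:", related_indicators(FEED, FEED[0].campaign, {"203.0.113.45"}))
```

Run as-is it prints the four hits ordered loader hash, phishing IP, phishing domain, scanner noise, and then the campaign pivot showing that the domain belongs to the same campaign as the IP already seen; the benign internal line produces no hit. The point of the weighting is the one the post makes about context: the same raw list of IPs and domains, pushed unweighted into a SIEM, would raise four equal alerts.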
Attackers never stand still: they’re always trying out new techniques and tools, so your response must also continually evolve. By incorporating intelligence into your ongoing security efforts you can develop a strategy of continuous improvement.
Finally, TI can improve red-team efforts to stress-test your security controls. You want these teams to act independently, to find the holes in your defenses before the bad guys do. So, arming them with intelligence on previous successful attacks will help them craft realistic exercises, ultimately improving the organization’s security posture as a whole.
Actionable and fresh
As always, it’s important to remember that your ability to extract value from TI will depend heavily on four key aspects. The data must be as fresh as possible: the threat landscape moves simply too fast for old data to be useful to your security teams. It must be actionable, as mentioned above, by being contextualized. It must be distilled from as broad a range of reliable sources as possible, both human and machine-generated, internal and external. And it must be targeted and relevant, so you can identify and prioritize incidents as accurately as possible based on the level of criticality.
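The four aspects above can be applied as concrete feed-curation rules before anything is pushed into a firewall or SIEM. The script below, an added example and not code from the original post or from any vendor's platform, scores each raw indicator on freshness (age of last sighting), actionability (whether any source supplied context), breadth and reliability of sources (corroboration across sources raises the score) and relevance (whether the targeted sector matches the organization's), then decides whether it should be blocked automatically, sent to the SOC for review, or dropped. The source reliability weights, the sector, the thresholds and the raw entries are all constructed assumptions for illustration.

```python
"""Curate raw indicators against the four criteria: fresh, actionable, broad/reliable, relevant.

Added example. Weights, thresholds, sources and indicators are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Constructed reliability per source (0-1); an internal IR finding outranks an open list.
SOURCE_RELIABILITY = {"internal-ir": 1.0, "vendor-feed": 0.8, "open-osint-list": 0.4}
ORG_SECTOR = "finance"  # assumed sector of the organisation consuming the feed
BLOCK_THRESHOLD, ALERT_THRESHOLD = 70.0, 35.0


@dataclass(frozen=True)
class RawIndicator:
    value: str
    source: str
    last_seen: date
    sectors: tuple  # sectors the source says are targeted; () if unknown
    context: str    # "" when the source gives no context


# Constructed raw entries, deliberately overlapping across sources.
RAW_FEED = [
    RawIndicator("203.0.113.45", "vendor-feed", date(2018, 9, 12), ("finance",), "phishing infra"),
    RawIndicator("203.0.113.45", "open-osint-list", date(2018, 9, 13), (), ""),
    RawIndicator("198.51.100.7", "open-osint-list", date(2018, 2, 1), (), ""),
    RawIndicator("bad.example", "vendor-feed", date(2018, 9, 1), ("retail",), "card-skimmer C2"),
]


def freshness(last_seen, today):
    """Fresh within 30 days, half weight to 180 days, then near-stale (constructed)."""
    age = (today - last_seen).days
    return 1.0 if age <= 30 else 0.5 if age <= 180 else 0.2


def corroborated_reliability(sources):
    """Probability at least one source is right, treating sources as independent."""
    miss = 1.0
    for s in sources:
        miss *= 1.0 - SOURCE_RELIABILITY[s]
    return 1.0 - miss


def curate(raw_feed, today):
    """Aggregate entries per indicator, score 0-100, and assign a disposition."""
    grouped = {}
    for entry in raw_feed:
        grouped.setdefault(entry.value, []).append(entry)

    decisions = {}
    for value, entries in grouped.items():
        reliability = corroborated_reliability({e.source for e in entries})
        fresh = freshness(max(e.last_seen for e in entries), today)
        sectors = {s for e in entries for s in e.sectors}
        relevance = 1.0 if ORG_SECTOR in sectors else 0.5   # unknown/other sector: review, don't trust
        actionable = 1.0 if any(e.context for e in entries) else 0.5
        score = round(reliability * fresh * relevance * actionable * 100, 1)
        if score >= BLOCK_THRESHOLD:
            disposition = "block"   # safe to push to firewall/proxy automatically
        elif score >= ALERT_THRESHOLD:
            disposition = "alert"   # worth a SOC look, not an automatic block
        else:
            disposition = "drop"    # stale, uncorroborated and context-free
        decisions[value] = (score, disposition)
    return decisions


if __name__ == "__main__":
    for value, (score, disposition) in curate(RAW_FEED, date(2018, 9, 14)).items():
        print(f"{value:<16} {score:5.1f}  {disposition}")
```

With the constructed input, the phishing IP seen by two sources with context scores 88 and is blocked, the skimmer C2 domain is fresh and well sourced but aimed at another sector so it goes to analysts at 40, and the seven-month-old uncorroborated scanner IP scores 2 and is dropped. The multiplicative form is a design choice: an indicator has to satisfy all four criteria to reach the block threshold, which is what prevents a huge but stale open list from flooding the SOC.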
Once you’ve ticked all of these boxes, you can start to use TI to become more proactive in managing risk and supporting business growth. For more detail on definitions, check out our Threat Intelligence blog here.
If you’re interested in how it can be applied to your organization, we’ve prepared a handy Buyer’s Guide to Threat Intelligence, to help you make the right decisions.