What Is Cyber Threat Intelligence and Why You Need It

“Threat intelligence” has received a lot of attention lately. Everybody in the security field has heard the term, and even non-security employees have started talking about it. Still, few understand it. If your organization is looking to strengthen its security infrastructure and could benefit from a threat intelligence program, here is what you need to know.

Threat intelligence is knowledge about an existing or emerging menace or hazard to assets that helps an organization or an analyst identify security threats and make informed decisions. Threat intelligence can help an information security team with several problems: staying up to date on the overwhelming amount of information about security threats, becoming more proactive about future threats, and highlighting the dangers and repercussions of threats to the C-suite.

For a security incident to occur, two conditions must hold: a vulnerability in the organization’s operations or supply chain (such as insecure software, processes, or IT infrastructure) and a threat that will exploit that vulnerability. Analyzed data and information count as intelligence only when the result is directly attributable to business goals. CISOs and information security teams do not control when an incident occurs; they can only be aware of the threats and be prepared to fight back or reduce their impact.

The table below, originally posted on The Hacker News, lists several common indicators of compromise that can be identified with threat intelligence feeds. Security companies integrate one or more of these indicator types depending on their needs.

Category   | Indicators of Compromise                                                 | Examples
-----------|--------------------------------------------------------------------------|------------------------------------------------------------------------------------------------
Network    | IP addresses; URLs; domain names                                         | Malware infections on internal hosts that are communicating with known bad actors
Email      | Sender’s email address and email subject; attachments; links             | Phishing attempts where a user on an internal host clicks a link in an unsuspected malicious email and the host “phones home” to a command-and-control server
Host-Based | Filenames and file hashes (e.g. MD5); registry keys; DLLs; mutex names   | External attacks from hosts that might be infected themselves or are already known for nefarious activity
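As an added example (not from the original article or The Hacker News table), the following Python matcher checks constructed log lines against a constructed feed covering the indicator types listed above, normalizing case and also matching the host part of a logged URL against bare domain indicators. The feed values, log lines and the names `IOC_FEED`, `SAMPLE_LOGS`, `match_line` and `scan` are all assumptions made for this illustration.

```python
import re
from urllib.parse import urlparse

# Constructed feed entries (not real indicators), one set per indicator type in the table.
IOC_FEED = {
    "ip":      {"203.0.113.45"},
    "domain":  {"bad-actor.example"},
    "url":     {"http://bad-actor.example/c2/beacon"},
    "sender":  {"billing@phish.example"},
    "subject": {"invoice overdue"},
    "md5":     {"0123456789abcdef0123456789abcdef"},
    "mutex":   {"global\\evilmutex"},
}

# Log field name -> indicator type its value is compared against.
FIELD_TO_IOC = {"dst": "ip", "url": "url", "from": "sender",
                "subject": "subject", "md5": "md5", "mutex": "mutex"}

# Constructed key=value log lines from a proxy, a mail gateway and an endpoint agent.
SAMPLE_LOGS = [
    'proxy src=10.0.0.7 dst=203.0.113.45 url=http://bad-actor.example/c2/beacon',
    'mail from=Billing@phish.example subject="Invoice Overdue" md5=0123456789ABCDEF0123456789ABCDEF',
    'proxy src=10.0.0.8 dst=198.51.100.20 url=https://intranet.example/home',
    'edr host=ws12 mutex=Global\\evilmutex file=update.dll md5=ffffffffffffffffffffffffffffffff',
]

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split a key=value log line; lower-case values so case differences cannot hide a match."""
    return {k: v.strip('"').lower() for k, v in TOKEN.findall(line)}

def match_line(line, feed=IOC_FEED):
    """Return sorted (indicator_type, value) pairs from the feed that this line hits."""
    fields = parse_line(line)
    hits = set()
    for field, ioc_type in FIELD_TO_IOC.items():
        value = fields.get(field)
        if value is not None and value in feed.get(ioc_type, ()):
            hits.add((ioc_type, value))
    # A full URL in the log should also trip a bare domain indicator via its host part.
    host = urlparse(fields.get("url", "")).hostname
    if host and host in feed.get("domain", ()):
        hits.add(("domain", host))
    return sorted(hits)

def scan(lines, feed=IOC_FEED):
    """Map line index -> hits for every line that matches at least one indicator."""
    matches = ((i, match_line(line, feed)) for i, line in enumerate(lines))
    return {i: hits for i, hits in matches if hits}
```

Running `scan(SAMPLE_LOGS)` flags lines 0, 1 and 3; the first line hits the IP, the URL and, through the URL's host, the domain indicator, while the intranet line stays clean.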

How should an organization choose a threat intelligence program?

Opting for a threat intelligence program just to “secure the business” is not a valid motive, even though it is the only driver for many organizations; it can pour huge amounts of resources and investment into an intelligence program with no results. The objectives of a threat intelligence program should be clear: if it is designed to reduce the organization’s operational risk, it should focus on the aspects of security that can be clearly linked to cyber risk indicators and measures.

Beware: collecting data on the most recent high-profile attack in a totally different industry is NOT intelligent; it is a waste of resources. Collecting intelligence related to recent attacks on similar organizations within the same industry, on the other hand, is highly relevant and effective.

It is important to have a security program that provides threat intelligence capabilities to analyze this information and manage potential attacks by being both proactive and responsive. Most organizations manage to set up the systems needed to automate the identification, collection, and enrichment of threat data and information, and so obtain operational intelligence. However, they do not succeed in using this program for strategic intelligence, which focuses on identifying and analyzing threats to an organization’s core assets, including employees, customers, infrastructure, applications, and vendors. Strategic intelligence analysis needs highly skilled and trained human analysts concerned with addressing real business needs and strategic objectives.

Bottom line: to get an actionable and relevant threat intelligence program, you need a broad selection of feeds and sources that are analyzed, classified, and published in a timely manner. Threat intelligence is the analysis of this huge amount of data, applying big-data approaches backed by highly skilled analysts for the more strategic analysis.

Cyber Threat Intelligence Sharing will be discussed during the HIMAYA UAE forum taking place in Dubai on December 11th, 2017, organized by the UAE Banks Federation, in association with Al-Iktissad Wal-Aamal Co.