How to Transform Your Cybersecurity Strategy with External Intelligence
June 12th, 2019
It’s no secret that organizations around the world are facing increasingly frequent and complex cyberattacks. These attacks take on many different forms, and target organizations in very different ways depending on their size, industry, location, IT infrastructure and the data they hold. Cybercriminals perform advanced reconnaissance on their targets before launching attacks, searching for weak points, understanding defenses in place, and coordinating with other threat actors who may have helpful tools.
As cyberattacks and breaches become more frequent, organizations must change their approach to cybersecurity. Just like hackers perform reconnaissance on their targets, companies should be conducting their own reconnaissance on their adversaries to collect external intelligence, understand threat actor intentions, and neutralize emerging attacks before they’re launched.
What is External Threat Intelligence?
So we’re all on the same page, let’s take a minute to define external threat intelligence. Intelligence can mean many different things, but in the context of corporate cybersecurity, this is the definition I like to use:
External Threat Intelligence - Actionable awareness of emerging or existing cyber threats that impact your organization obtained via continuous monitoring of external activity
Let’s unpack this a bit, as there are a few words that are important to this definition:
- Actionable Awareness: Intelligence is only useful if you can take action on it. Therefore, it should help you both anticipate and mitigate cyberattacks.
- Impact to your organization: There’s tons of threat data out there, but if it’s not relevant to you, it won’t do you much good. Intelligence should be specific to your unique organization.
- External activity: Intelligence can be gathered from many sources, but external intelligence is collected from activity on the clear, deep, and dark web, giving you visibility beyond your perimeter.
The ultimate goal of external threat intelligence is to help you neutralize cyberattacks outside of your perimeter before they cause harm to your company, employees, brands or customers.
Supporting Existing Security Initiatives
I said this earlier, but it’s important to reiterate: intelligence is only useful if you can take action on it. This is why it’s so important to know how your organization is impacted by a threat and have the ability to take quick action.
One of the biggest mistakes organizations make with their intelligence is that they don’t map how it will support key initiatives. Take phishing for example. Every organization is trying to defend against phishing attacks, so they’ve likely put some combination of firewall, endpoint, mail gateway and user training in place. External threat intelligence can be used to identify potential phishing attacks, but how does it work with what you already have in place?
Companies must map this process so that they know what needs to happen in different scenarios. Once a suspicious domain is identified, should it be pushed to a firewall to block? Should it be monitored for any changes or weaponization? Can you prove malicious intent and does a takedown request need to be submitted? These are all questions you should consider and implement appropriate response processes.
External threat intelligence can support lots of different security initiatives, and mapping out the mitigation process is key to gaining value from your intelligence program.
Automating the Process
Time is of the essence when it comes to protecting your organization from cyberattacks. That’s why automation is key to effective defense. As soon as a threat is discovered, you should know what steps are needed to mitigate its risk. Automating the mitigation process will help you close gaps and dismantle threats as fast as possible, while reducing the burden on your team.
Integration is key in making this all work. For example, integrating with your Active Directory can significantly streamline the process of locking down leaked credentials. First, you can automatically validate if new credentials discovered onlined are active (why waste time trying to reset passwords for disabled accounts). Second, you can automatically trigger appropriate reset or lockdown procedures if the credentials are found to be valid and active. This entire process can be automated so that your incident response team isn’t left manually sifting through batches of leaked credentials looking for active employee accounts.
Automation and integration is key to extend intelligence throughout your existing security stack and operations.
External Threat Protection with IntSights
The earlier you can identify threats, the better chance you have of stopping an attack, which is why external intelligence has become so critical to security operations.
IntSights is the only all-in-one external threat protection platform designed to neutralize cyberattacks outside the wire. Our solution suite can help you extend your visibility into the deepest and darkest corners of the web, identify emerging cyber threats early, and automate the mitigation process.
Request a demo today to see how our platform can help you neutralize cyberattacks at the source.
Nick Hayes is Vice President of Strategy at IntSights, where he oversees the company’s go-to-market (GTM), strategic initiatives, and corporate positioning and messaging. He also leads the technical and strategic alliance partner program, and represents IntSights and its threat intelligence product suite as a frequent speaker at major industry events worldwide. Prior to joining IntSights, Nick was a senior analyst at Forrester Research where he advised Fortune 500 and growth companies on cybersecurity strategy, technology selection, and market trends and best practices. He is regularly cited by industry and business media, including CNBC, DarkReading, Financial Times, SC Magazine, The Wall Street Journal, and VentureBeat.
Stay up to Date!
Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.