Threat intelligence defined
December 2nd, 2016
Threat Intelligence is built on three pillars, which, when integrated, allow identification and remediation of security threats.
In the past three years, the most hyped term in the cybersecurity field has been Threat Intelligence. This has led to numerous vendors, multiple investments and even mergers and acquisitions. Threat Intelligence, however, is an extremely ambiguous term, meaning different things to different people: some think it refers only to technical data, some to tactical information, others think of concrete security implications.
Whilst Threat Intelligence has been defined, namely by Gartner analyst Rob McMillan and Forrester’s Rick Holland (who has now left Forrester to join a Threat Intelligence firm), these definitions are very broad and somewhat abstruse. They also fail to align with the service most vendors are offering. I champion the following three factors, a.k.a. pillars, which need to work in unison in order to deliver the best service to the end user: data, Threat Intelligence Platform (TIP) and research.
Threat Intelligence’s foundation is data (often referred to as “TI Feed”) - an ongoing stream of technical and tactical information related to potential or current threats to an organisation’s security. TI Feeds differ according to delivery method and consumption. They are typically classified by their utilisation: phishing, data leakage, exploitable data, general indicators of compromise (IOC), brand reputation or attack indication.
Some TI Feeds are incorporated into security systems (such as Firewalls), SIEM or Threat Intelligence Platforms (TIP), in order to automate security processes. Others are more context-based, and provide general and targeted alerts which must be understood and processed by intelligence analysts, then turned into security actions. Analytics are used to identify the main threats and direct the human analyst’s attention to them. In order to do so, various mechanisms such as Natural Language Processing, Machine Learning and Artificial Intelligence algorithms are utilised. These enable the uncovering of trends and the triggering of pre-configured, automated alerts.
- TIP - Threat Intelligence Platform:
Threat Intelligence Platforms (TIP) enable organisations to aggregate, correlate, and analyse threat data from multiple sources in real time, to support defensive actions. (http://www.darkreading.com/threat-intelligence-platforms-the-next-must-have-for-harried-security-operations-teams/d/d-id/1320671)
A TIP collects and aggregates multiple data formats from multiple sources, correlates the information, allows enrichment and contextualisation, supports data analysis and integrates with security systems (SIEM, Firewall) to facilitate security actions stemming from the intelligence.
A TIP also facilitates the sharing of intelligence, in particular IOCs, and allows for collaborative investigation.
Complementing TIP, research platforms allow cyber intelligence analysts to conduct research on trends, threat actors, severity levels and the global distribution of threats. Such platforms assist in formulating a more complex view of the threat landscape, aiding strategic insights, such as estimating brand exposure, estimating risks in operating in certain territories and understanding hackers’ motives. Almost every vendor in this field falls into one of the above categories.
My main criticism is that vendors’ claims to provide their clients with “Threat Intelligence” are misleading - no single pillar is sufficient on its own to cover this vast field, and customers are left with the complicated task of evaluating and procuring each one independently to achieve a conceivable level of intelligence. Without integration, there can be no remediation.
Threat Intelligence is merely a means toward a more concrete goal - remediation. Regulations have led many organisations to adopt Threat Intelligence, and many are content with receiving only one of the Threat Intelligence Feeds discussed above, or with using a TIP alone, despite the fact that a TIP on its own offers little value if the information stays in the realm of “intelligence” and is never communicated to, or acted upon by, an actual security operation. The only positive result of such an approach is better preparedness and general awareness. This is not sufficient in today's fast-moving threat landscape.
The main goal of Threat Intelligence integrated into security operation should be remediation. It is extremely difficult to achieve (and maintain), and requires a fully integrated solution, as described above, but we believe it’s the only goal worth pursuing.
At IntSights, we immediately identified the need for a remedying, integrative solution, and designed our platform to be just that - an adaptable, scalable system which integrates multiple data sources, fuses them and provides an analyst with a single dashboard for all cyber threat intelligence operations.
Used as a TIP, IntSights’ system allows our customers to consume technical and contextual intelligence, without the need for analysts, and connect it to actual security systems, thus “closing the loop” and achieving remediation in real time.
The following use case illustrates how our system can support the multi-faceted nature of Threat Intelligence operations:
Threat Intelligence Use Case:
Using our automated intelligence collection module, our system identified a discussion on a darknet forum focusing on phishing, where cybercriminals were discussing phishing techniques and targets.
Correspondingly, a 3rd party TI feed integrated into our platform delivered several phishing domains. The system identified a link between these domains and the darknet discussion and raised an alert. The analyst then pushed the domain details to the firewall to allow it to block the specific domains. In addition, the analyst started an investigation regarding the threat actor who perpetrated the attack, identified its attack patterns and discerned what additional preventative actions were required to mitigate attacks from this actor in the future.
This example (which is very similar to what our clients are experiencing on a daily basis) shows how only an integrated approach can successfully mitigate such attacks, and allow the organisation to face cyber threats.
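The correlation step in this use case, as an added example that is not IntSights’ code: two constructed phishing-domain feeds in different delivery formats are normalised into one indicator set, linked to domains mentioned in a constructed darknet post, and turned into an alert and a firewall block entry for the analyst to push (the rule syntax is hypothetical).

```python
import csv
import io
import json
import re

# Constructed feed in CSV form (one vendor's delivery format).
CSV_FEED = """indicator,type,confidence
login-example-bank.test,domain,80
update-mailer.test,domain,60
"""
# Constructed feed in JSON form (another vendor's delivery format).
JSON_FEED = '{"indicators": [{"value": "secure-pay-portal.test", "kind": "domain", "score": 90}]}'
# Constructed darknet forum post collected by the contextual source.
DARKNET_POST = ("new kit targeting example-bank customers, hosting on "
                "login-example-bank.test and secure-pay-portal.test, dm for price")

DOMAIN_RE = re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", re.I)


def normalise_feeds(csv_text, json_text):
    """Aggregate both feed formats into one mapping: domain -> confidence."""
    indicators = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["type"] == "domain":
            indicators[row["indicator"].lower()] = int(row["confidence"])
    for item in json.loads(json_text)["indicators"]:
        if item["kind"] == "domain":
            indicators[item["value"].lower()] = int(item["score"])
    return indicators


def correlate(indicators, post_text):
    """Raise an alert for each feed domain that also appears in the contextual source."""
    mentioned = {m.lower() for m in DOMAIN_RE.findall(post_text)}
    return [{"domain": d, "confidence": c, "context": post_text}
            for d, c in sorted(indicators.items()) if d in mentioned]


def firewall_block_rules(alerts):
    """Render one block entry per alerted domain (hypothetical firewall rule syntax)."""
    return ["block domain %s # source=ti-feed+darknet confidence=%d"
            % (a["domain"], a["confidence"]) for a in alerts]


if __name__ == "__main__":
    feed = normalise_feeds(CSV_FEED, JSON_FEED)
    for rule in firewall_block_rules(correlate(feed, DARKNET_POST)):
        print(rule)
```

The feed-only domain (update-mailer.test) is never blocked on its own: only indicators corroborated by the contextual source reach the firewall step, which is the link the use case describes.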
While it may be tempting (and even acceptable in terms of regulatory compliance) to operate only one pillar of threat intelligence, it is simply not sufficient, and does not deliver the full benefit of Threat Intelligence. To access the full benefits, all three pillars of Threat Intelligence must be employed. Only then can true remediation be achieved.
This post was written by Guy Nizan, IntSights CEO.