Operationalizing Comprehensive Cyber Threat Intelligence
Organizations in all sectors face increasingly sophisticated cyber threats on a weekly, if not daily, basis. Organized criminal groups seek personally identifiable information (PII) and financial account data; hacktivists disrupt day-to-day business; and advanced persistent threat (APT) groups gather intelligence and information to attack operations and customers.
As a result of this fast-paced and potentially devastating cyber threat landscape, organizations large and small are often behind the curve when it comes to shoring up their security infrastructures.
The global economy is in the midst of a cyber perfect storm. With individuals and enterprises alike generating and harboring massive amounts of data, as well as widespread digital transformations and the digitization of business services, risk continues to grow.
This white paper delves into the increase in the number of incidents and what security teams are doing to minimize their attack surfaces. Furthermore, we offer insight and guidance on how to best meet the ever-evolving cyber challenges plaguing global business today.
One of the most critical components to effectively defending against cyber adversaries is to adopt an advanced Cyber Threat Intelligence (CTI) program as part of a robust cybersecurity stack. What, exactly, is CTI? Read on to learn about the background, the different variations, and how to best operationalize CTI to achieve maximum protection against cyberattacks.
Threat Intelligence Evolution
Cyber Threat Intelligence (CTI) is the practice of proactively gathering information related to cyber threats that could potentially impact an organization or business. This intelligence is gathered both automatically and manually.
Automated solutions scan the clear, deep, and dark web to detect cybercriminal activity, while threat hunters use Human Intelligence (HUMINT) to engage directly with threat actors and learn about emerging threats.
CTI is a key pillar in any security stack. Combining and integrating tactical, operational, and strategic threat intelligence into your existing stack provides valuable insights into indicators of compromise (IOCs), threat actors, and methodologies while emphasizing a proactive security stance. A recent Ponemon Institute survey reveals that over 80 percent of organizations that suffered a potential security breach in the past 24 months believed CTI could have prevented or minimized the attack.
“It’s moving from more of a reactive security program to more of a proactive security program.”
-Kevin Qi, Senior Security Engineer, Blackstone
A fully operationalized CTI solution helps alleviate a number of cybersecurity pain points and challenges. In order to understand and stop threats more effectively and efficiently, organizations must work smarter, not harder. This directly translates to how their security programs revolve around CTI and how it integrates with existing security stacks, people, and processes.
Aligning Cyber Threat Intelligence Objectives
CTI has a definitive purpose – aggregating, analyzing, and enriching internal and external threat data to understand threats specific to your environment, informing decision-makers to drive immediate action. However, being able to derive value and properly operationalize CTI can sometimes be a challenge, as teams may not always be aligned and share mutual expectations and KPIs.
Furthermore, a lack of consistent terminology and communication across enterprise teams often leads to misunderstandings regarding CTI’s purpose and value. Once teams share common objectives, they can align operations and efforts to mutually support the business and:
Proactively manage and reduce risk
Build an effective cybersecurity practice
Drive bottom-line revenue
Inform regulatory compliance initiatives
Operationalizing Cyber Threat Intelligence
Threat Intelligence is everywhere. SOCs, security analysts, and incident responders are bombarded with millions of threat data points every day from multiple sources in numerous formats. These sources typically rely on external data feeds, including open-source intelligence (OSINT), machine intelligence, and social media intelligence (SOCMINT), as well as data from internal channels. Security practitioners constantly hunt to extend the breadth and depth of the information they review as they seek to find the proverbial needle in the haystack – organization-specific threats, for example. But all the data points within their ecosystems combine to generate a massive and unmanageable amount of logs, event data, and alerts.
Since our inception, IntSights has pursued a different approach to Cyber Threat Intelligence (CTI), leading the way with a deep understanding of how threat actors think, collaborate, and act. By operationalizing threat intelligence, your security teams are armed with actionable threat intelligence, enabling them to make informed decisions and respond faster by incorporating context, prioritization, and automation – all in a highly intuitive, simple-to-use solution including:
Less is More. There is no point in having thousands of data streams if one cannot properly apply them to existing people, process, and technology. From a people perspective, having more data points can be counterproductive if you are understaffed or lack the bandwidth to sift through all of the intelligence. The same applies to process and technology; generic non-specific feeds simply add noise, whereas receiving real-time, tailored, relevant feeds to the business and its industry is far more valuable.
Consolidation. Irrespective of your organization’s size, “single-pane-of-glass” visibility where information can be enriched and correlated in real-time is critical. Leveraging tailored investigation-ready threat intelligence, organizations can query threats and other indicators to receive conclusive IOC determination, automated severity indications, and antivirus detection ratios – with a single query. This helps drive more effective use of existing solutions and allows organizations to proactively minimize costs and maintain or even increase bottom-line revenue.
“We had so much data to go through that we couldn’t operationalize that information. We had a lot of false-positive information, and we were spending lots of hours without netting any benefit from it.”
-Rick Rhodes, Enterprise Security Manager, Blue Cross Blue Shield of South Carolina
Actionable. There is an array of point solutions that deliver continuously aggregated threat intelligence feeds – all allowing relevant personnel to detect and identify threats targeting your organization. However, without real-time, actionable, contextual reconnaissance about potential threats targeting an organization’s particular industry, operational assets, processes, employees, and digital footprint, this data gets lost in translation.
If you want to generate tangible value for your business and your security team, look no further. With actionable insight and security automation to neutralize threats outside the wire, IntSights can help.
Sources and Coverage
Cyber threat intelligence is only as good as its sources. The key to success is identifying and monitoring quality sources that offer relevant and actionable data. Each organization has its own unique threat landscape comprising threats related to its industry, geographic reach, number of employees, revenue, partners or vendors, and the scope of the digital assets under its umbrella.
Each organization will have different threat intelligence sources that are relevant to its interests. Cybercriminal activity takes place in thousands of forums, black markets, instant messaging channels, and paste sites across the clear, deep, and dark web. Identifying the right sources is an imperative part of an effective cyber threat intelligence strategy, and threat validation is even more crucial.
Security practitioners using volume-based threat intelligence solutions often suffer from “alert fatigue” – they are simply overwhelmed by the sheer number of information sources and raw data they have to digest. On the surface, a greater quantity of sources may seem like a better way to cover all your bases. However, in practice, the quality of sources matters far more than the volume.
Leveraging a combination of machine learning and advanced AI, security teams can quickly determine threat status and consequently spend fewer hours sorting through irrelevant alerts.
This is why IntSights focuses on sources that have been proven to offer relevant and actionable threat intelligence.
The External Threat Protection Suite combines manual threat hunting efforts using Human Intelligence (HUMINT) with sophisticated technology. We describe source coverage in our own terms and break it into two components:
Hermetic Level: When we cover a source, we aim for 100 percent coverage. We work tirelessly to make sure each post is covered and continuously monitored. For example, we proactively post messages in closed forums to find out if and when data was collected automatically. Guaranteeing a high percentage of hermetic coverage for a single source is complicated, but for an important source we consider it crucial.
Source Stability: We check regularly whether the sources are up and online, monitoring each source so we are immediately aware of any downtime. Whenever one of the sources fails and is unreachable, we retroactively collect the relevant data and fill any gaps. In this dynamic field of illegal forums and dark sites, our “stability” approach is the best way to make sure we supply the most relevant intelligence to our users.
Tracking thousands of sources is relatively simple, but monitoring the sources to guarantee a significant level of confidence in their relevance and accuracy is more complicated. By constantly monitoring all our sources, we are able to identify the best of the bunch and give them preferred treatment. This focus on quality, rather than quantity, allows us to provide highly contextualized intelligence to our users.
Applying Various Intelligence Types
IntSights Research Services helps you take deeper dives into external threat intelligence directly related to your organization. Research can be conducted encompassing multiple use cases, scenarios, industry sectors, and more.
Tactical Threat Intelligence
Tactical threat intelligence provides information about the tactics, techniques, and procedures (TTPs) used by threat actors to achieve their goals (e.g., to compromise networks, exfiltrate data, etc.). It is intended to help defenders understand how their organizations are likely to be attacked so they can determine whether appropriate detection and mitigation mechanisms exist or need to be implemented. Tactical threat intelligence is intended for a predominantly technical audience, and usually includes some technical context. Tactical threat intelligence is consumed by personnel directly involved in the defense of an organization, such as system architects, administrators, and security staff, although it does also play a role in higher-level security decision making.
Using Tactical Threat Intelligence
Tactical threat intelligence and IOCs are meant to document cyberattacks, serving as both evidence (for compliance, law enforcement, investigations, legal purposes, etc.) and also as reference material for analysts to interpret and extract context for use in proactive and ongoing defensive operations.
Operational Threat Intelligence
Operational intelligence is typically actionable information about specific incoming attacks. Such attacks may include an enterprise being compromised by a phishing attack, ransomware, malware, or stolen or leaked data. This kind of intelligence is most frequently used by forensic investigators and incident responders, and typically includes the following items:
Tools for particular threat groups (utilities, backdoor families, common infrastructure)
Tactics, Techniques, and Procedures (TTPs) for particular threat groups (staging directories, file naming conventions, ports, protocols, favorite file types)
Emerging TTPs (new persistence methods, exploits, phishing schemes)
“I see IntSights as both a strategic and technical tool. It allows us to deep dive into the information, the data that we’re seeing as far as evaluating the risk profile, evaluating what the threat is to the organization.”
-Zachary Hinkel, Global Cyber Threat Manager, Hogan Lovells
Consider the following from an incident response perspective: If you are responding to an intrusion event, you may wonder how a particular actor performs privilege escalation, lateral movement, or data theft. If you are hunting for undiscovered malicious activity, you might want to start your hunt by looking for a specific actor’s behavior. Whatever your scenario, you need to answer the question “How do I search for this actor within my environment?”
Using Operational Threat Intelligence
Operational threat intelligence is knowledge gained from examining details of known attacks. An analyst can build a solid picture of actor methodology by piecing together tactical indicators and artifacts to drive operational intelligence. This can help achieve defensive goals, such as enhancing incident response plans and mitigation techniques for future attacks and incidents, as well as automating procedures.
Analysts can also implement and bolster a proactive discovery program (“hunting program”) to identify suspicious files and activity that have bypassed traditional security technologies. From there, they can develop detection methodologies that are not dependent on IOCs, ensuring broader coverage of threats in a more timely fashion.
Strategic Threat Intelligence
Strategic threat intelligence is a bird’s-eye view of an organization’s threat landscape. Not concerned with specific actors, indicators, or attacks, it aims to help high-level strategists and decision-makers understand the broader impact of business decisions.
Given that the audience is primarily C-suite and board level, strategic threat intelligence is almost exclusively nontechnical. Instead, it covers factors such as risk scores and the possible outcomes of a given action or decision, such as entering a foreign market or specific sector/industry.
Strategic threat intelligence might include information on the following topic areas:
Attribution for intrusions and data breaches
Actor group trends
Targeting trends for industry sectors and geographies
Mapping cyberattacks to geopolitical conflicts and events (e.g., COVID-19, Russia-Ukraine, US elections, and many more)
Global statistics on breaches, malware, and information theft
Major attacker TTP changes over time
Using Strategic Threat Intelligence
Strategic threat intelligence is built upon a huge body of knowledge and includes expert opinions and insights that are based on aggregating both operational and tactical threat intelligence from known cyberattacks. This intelligence is particularly useful for those in leadership roles, such as CISOs and executives who must justify budgets and make better-informed investment decisions.
Use cases for strategic threat intelligence include:
Inform executive leadership about high-risk threat actors, relevant risk scenarios, and threat exposure in the public-facing technology sphere and criminal underground
Perform thorough risk analysis, malware analysis, and review of the entire technology supply chain
Threat Intelligence Platform by Roles
IntSights offers your teams the ability to collaborate via a single platform to quickly access relevant risks, prioritize threats, and accelerate time to detection and response.
IntSights for Chief Information Security Officers
CISOs are responsible for an organization’s digital transformation initiatives. This includes directing and approving the design of security systems, ensuring that disaster recovery and business continuity plans are in place and tested, reviewing and approving security policies, and planning cyber incident response. Essentially, they are required to continuously maintain an understanding of the real-time threat landscape for their industry while simultaneously mitigating the risk of an expanding attack surface.
Protection of brand integrity and data
Understanding of potential exposures and organization-specific risk-prioritized threats
CTI visibility and relevant metrics
Cybersecurity policies and procedures communicated to all employees and enforced compliance
Limited visibility of organization’s digital footprint and consequent exposure
Obtaining buy-in on the need for investing in a CTI system/solution
The IntSights Advantage
IntSights delivers real-time contextual visibility into organization-specific threats. This includes deep visibility across an organization’s digital footprint – including web, social channels, and mobile apps. IntSights provides intelligence on threat actors impersonating brands, hijacking digital assets, finding new vulnerabilities to exploit, stealing data or intellectual property, compromising executives, and more.
In addition, we seamlessly integrate this essential data into existing workflows, KPIs, and metrics to be able to not only quantify the risk but also act on it. Leveraging IntSights, security practitioners can also ensure that compliance and regulatory requirements are met across the organization.
IntSights for SOC Managers
Security Operations Centers are faced with a myriad of conflicting challenges, ranging from adequate staffing to the use of automation and how to continuously increase the fidelity of alerts. In today’s hyperconnected world, gathering intelligence manually could require thousands of SOC analysts constantly searching the internet every minute of every single day to “connect the dots” of a potential attack.
A centralized threat intelligence platform/dashboard/visibility
Unified processes and workflows across key internal and external stakeholders
Access and analysis from tactical to strategic threat intelligence
Overload of non-contextualized, unprioritized alerts
Lack of integration with existing tools, processes, and workflows
No industry standards for threat intelligence best practices
The IntSights Advantage
IntSights delivers real-time contextual visibility into organization-specific threats. This includes a centralized dashboard across your digital footprint – including web, social, and mobile apps. In addition, users gain seamless integration with existing processes and workflows that help align internal and external stakeholders and decision-makers.
IntSights for Incident Responders (IR)
Digitization initiatives and the massively increasing size and scale of the internet continue to lower the bar for hackers to carry out successful attacks. Today’s incident response teams, no matter their size or maturity level, must sift through massive amounts of alerts and data to quickly identify and respond to threats targeting their company, brand, and customers – all without being led astray by false positives.
Automatic sync of security events, vulnerabilities, and attacks to aggregated data
Easy data prioritization for effective response
Automated tasks for accelerated response
Lack of visibility and context across different systems and domains within the organization
Manual collection and correlation of aggregated logs/IOC samples to build a complete chain of attack
The IntSights Advantage
IntSights delivers real-time contextual visibility into organization-specific threats. This includes a centralized dashboard across your digital footprint – including web, social, and mobile apps. Automatically and continuously connect the dots of an IOC across the full cyber kill chain – and align all corresponding stakeholders. Full visibility with proper intelligence makes all the difference in stopping a threat early or preventing it from ever occurring.
IntSights for Threat Researchers
Threat researchers, much like detectives, continuously perform analysis to detect early signs and precursors of a potential attack – sometimes referred to as initial reconnaissance. Like some of their other counterparts, threat researchers go through masses of sources and inputs, continuously monitoring, analyzing, assessing, and responding accordingly to mitigate threats.
Ability to pivot from one data point to another, uncover patterns, and gain a complete picture of adversaries’ TTPs
APIs for importing and exporting data directly to and from existing toolsets
Customization to match existing workflows and supported systems (via integrations)
No overarching API that integrates with power user and/or existing toolsets
Limited customization capabilities for streamlining new and existing workflows
The IntSights Advantage
IntSights delivers full customization of existing and new data and intelligence streams to specifically address required functions and operations. This saves valuable investigation and remediation time, and has a direct impact on the bottom line and overall ROI.
IntSights for Vulnerability Risk Prioritization Teams
Building and maintaining a sustainable cybersecurity program isn’t a one-time ordeal; effective cybersecurity programs require extensive planning, time, and dedicated, highly skilled resources – typically a scarce commodity.
Organizations looking to make the most effective use of already limited resources must proactively prioritize their efforts, specifically as they relate to vulnerability management.
Proactive assessment of external risks and prioritized patch management
Seamless integration with existing vulnerability management solutions
Real-time context for relevant stakeholders to ensure effective communication
Inaccurate asset-based vulnerability monitoring and tracking
Limited customization capabilities for streamlining existing workflows
The IntSights Advantage
IntSights delivers real-time contextual visibility into organization-specific threats. This includes out-of-the-box integrations with leading vulnerability management solutions. In addition, we deliver real-time external CVE intelligence from social media, paste sites, hacking forums, instant messaging, the dark web, exploit sources, and many more – further enriching existing vulnerability management programs. We also continuously assess the external risk posed by each CVE to enhance alerting confidence and increase resolution efficacy and effectiveness.
Automating Incident Response
The IntSights External Protection Suite, with the IntSights Threat Intelligence Platform (TIP) at its core, acts as the beating heart of any security program, delivering substantial benefits to multiple personas on your team as they detect, protect, remediate, and automate incident response activities. The Investigation API, a direct extension of the IntSights TIP, arms security practitioners with expanded threat intelligence visibility and rich context related to organization-specific IOCs like file hashes, malicious links, and other threat indicators.
Leveraging tailored investigation-ready threat intel, enterprises can query threats and other indicators to receive real-time conclusive IOC determination, automated severity indications, and antivirus detection ratios. To further enhance context, the API provides a wide variety of data enrichment sources, including DNS records, Whois data, and resolutions, based on IntSights highly curated proprietary feeds as well as those from other leading threat intelligence providers.
Augment existing data sets: Leveraging on-demand context, IntSights enriches organization-specific intelligence, including IOCs and other threat indicators, in real-time and at scale.
Automate and streamline investigative processes: The Investigation API provides real-time malicious threat indicator visibility into related malware, threat actors, and targeted campaigns.
Integrate with your existing solutions: Scale your efforts by leveraging internal security policies, practices, and tools to deliver immediate context and value.
Use Cases for Automated Incident Response
There are numerous ways security teams can make good use of automated incident response. While cyberattacks vary by type, scope, and attack vector, they are generally confined to a handful of key areas. Here is how automated incident response can help you mitigate some of the most common types of attacks:
Brand Protection / Phishing Attacks
Phishing is one of the most common types of cyberattacks, whether it be a spear-phishing attack that targets specific members of an organization with a malicious attachment, an employee who clicks on a phishing link, or a spoofed domain that draws traffic to an illegitimate site posing as an authentic site. In these cases, IntSights can investigate IP addresses, domains, email headers, attachments, or communication logs to verify whether or not a link is legitimate. IntSights uses a combination of clear web searches, OSINT tools, dark web searches, and proprietary tools to answer the following questions:
Who is behind the attack (threat actor attribution, if possible)?
Was it a targeted attack or was it sporadic?
What was the threat actor’s intention?
Do we have more IOCs on this attack?
What tools, tactics, and procedures (TTPs) does the threat actor use?
Ransomware Attacks
Ransomware attacks are one of the most troubling trends in the cyber threat landscape. Every day, new companies are breached and have their digital assets held hostage until they pay a ransom. Currently, the primary method to protect against ransomware is to mitigate vulnerabilities to prevent the attack and back up the data offsite for future restoration in the event of an attack. In the unfortunate event of a ransomware attack, IntSights tries to answer the following questions:
Can we identify the strain of ransomware?
Is there a decryptor available for this strain?
Does any stolen data appear on dark web forums?
How can we minimize further exposure via the initial access vector?
What intelligence can we extract from this breach to enrich IOCs and ensure future protection?
Data Breaches and Third-Party Breaches
Supply chain attacks and third-party breaches can be devastating to businesses that rely on outside services – which is to say, nearly all organizations. IntSights provides the following services to help users respond to third-party and data breaches:
Dark Web Search: In the case of a direct data breach, we can initiate a dark web search for any compromised data or data offered for sale to gain a fuller understanding of the extent of exposure.
Third-Party Breach: In the case where the breached party was a supplier or business partner, we can initiate a search for their leaked data, obtain it, and search for compromised data directly connected to your company.
Fraud and Scams
This is a very broad category, as fraud can present in multiple forms. While many investigations into fraud and scams are complex and may overlap with law enforcement work, IntSights offers investigation services that provide our users with intelligence using OSINT and passive techniques. Experienced IntSights analysts combined with proprietary collection and analysis capabilities allow teams to investigate the following types of fraud and scams:
Corporate executive/VIP impersonations
Money transaction scams
Fake job offerings
Social engineering attacks (by mail, phone, or SMS)
Account takeover attacks (ATO)
Automated incident response can potentially save organizations thousands, if not millions, of dollars in ransom payments, government penalties or fines, and loss of corporate intellectual property.
Integration, Mitigation, and Automated Takedown
As organizations adopt new digital channels to reach customers, cybercriminals follow suit by impersonating popular brands, promoting scam campaigns, and profiting from unknowing consumers. Organizations must extend their external monitoring and enforcement to take down campaigns that impersonate brands, infringe on trademarks, and threaten customers. Once relevant employees are made aware of the fact that your company is the subject of an attack, the race is on to proactively take down the threat as quickly as possible.
Over the years, we have witnessed numerous cases in which cybercriminals hosted malicious sites in underdeveloped or third-world countries in which law enforcement resources are limited or downright corrupt. Consequently, bad actors have incentivized hosting companies to not only promote their fraudulent sites and offer them as a service, but also to keep them active as long as possible.
The IntSights platform boasts built-in remediation and takedown capabilities to combat these techniques. With a click of a button, system users can initiate an automated takedown process to remove malicious content from the web with an industry-leading SLA and success rate. For example, the IntSights approach to removing phishing sites is distinguished from other providers of takedown services by its ability to immediately block access to sites leveraging a wide range of technologies.
Users can initiate an automated takedown process to remove malicious content from the web including:
Registered Fake Domains (Phishing)
The remediation process is initiated once the system user clicks a dedicated “Remediate” button within the platform:
Within minutes, an automated remediation request is sent.
The malicious item is continuously monitored to ensure its removal as a part of the intelligence cycle. In rare cases where additional remediation is required, IntSights can perform a follow-up process after 72 hours and another one after 7 days to completely eradicate the threat.
How It Works
IntSights identifies, contacts, and liaises with the company responsible for hosting the fraudulent content. It works directly with the website owner or registrar and provides the characteristics of the suspicious content.
For social media sites, for instance, the fake profile must clearly resemble the customer’s graphical content, logos, industry, etc.
For domains, evidence of malicious intent must be provided before it can be removed. In addition to the automated process, the IntSights Remediation Team monitors the process and intervenes as needed when there is not a direct confirmation of the takedown or when additional information is required.
Focus Is Key.
The ability to confidently respond to threats by leveraging comprehensive, highly contextual, actionable intelligence is key. Relevance, when it comes to identifying and responding to threats, is a game-changer. The more confidence your systems give the relevant teams, the more effectively you reduce the risk those threats present.
While focus is a key pillar in mitigating risk, making the best use of the highly skilled individuals that comprise your security teams is critical for mounting an effective defense. Integrating cyber threat intelligence in the overall cybersecurity program is proven to help security teams identify threats earlier and resolve incidents faster.
Whether you are just beginning your threat intelligence initiative or you are many years into your strategy, efficiently reducing risk is the ultimate goal. The IntSights Threat Intelligence Platform (TIP) drives security processes with intelligence, leveraging single-pane-of-glass visibility that allows organizations to centralize and operationalize various sources of intelligence:
Aggregate & Centralize: Automate aggregation and organization of all sources of threat data into a single easy-to-use dashboard. Single-pane-of-glass visibility and real-time context enable practitioners to intuitively connect the dots to easily understand and prioritize investigation and remediation efforts.
Enrich & Visualize: Streamline operations by turning raw indicators into actionable, highly enriched intelligence. Correlate new IOCs with your unique digital assets to better understand the potential impact and drive immediate actions.
Analyze & Investigate: Operationalize threat intelligence to quickly visualize and analyze how new campaigns connect with known malicious assets. Conduct deep threat investigations and gain needed context with the interactive Investigation module.
Integrate & Block: Directly manage IOCs and other threats within the TIP Platform and automatically integrate with existing security systems and devices to proactively monitor and block threats. Ingest and share a wide range of intelligence sources using STIX and TAXII standards, and push threat data to your internal security devices, streamlining the process of updating critical blocklists.
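As an added illustration of the STIX/TAXII ingestion step described above (example code written for this page, not IntSights code or its API), the following parses a constructed STIX 2.1 indicator bundle of the kind a TAXII collection returns, drops indicators that are revoked, expired, below a confidence threshold or not STIX-pattern based, holds back compound AND patterns for manual review, and groups the remaining observables into per-type blocklists. The bundle contents, the list names and the confidence threshold are assumptions.

```python
"""Turn a STIX 2.1 indicator bundle into per-type blocklists.

Added example for this page (not IntSights code or its API): filters the
indicators in a constructed STIX 2.1 bundle and groups the observables
they name into lists a firewall, proxy or EDR blocklist could consume.
"""
import re
from datetime import datetime, timezone

# One simple comparison inside a STIX pattern, e.g. ipv4-addr:value = '1.2.3.4'
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")

# STIX object paths we know how to block, mapped to assumed list names.
PATH_TO_LIST = {
    "ipv4-addr:value": "ip",
    "domain-name:value": "domain",
    "url:value": "url",
    "file:hashes.'SHA-256'": "sha256",
    "file:hashes.'MD5'": "md5",
}

def _parse_ts(value):
    """STIX timestamps are RFC 3339 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def indicator_atoms(pattern):
    """(list_name, value) pairs for the blockable comparisons in a pattern.
    Returns None for compound patterns (AND / FOLLOWEDBY): their parts only
    mean something together, so they are not split into standalone entries.
    OR-joined comparisons are all emitted."""
    bare = re.sub(r"'[^']*'", "''", pattern)  # ignore operators inside values
    if re.search(r"\b(AND|FOLLOWEDBY)\b", bare):
        return None
    return [(PATH_TO_LIST[path], value)
            for path, value in _COMPARISON.findall(pattern)
            if path in PATH_TO_LIST]

def build_blocklists(bundle, now, min_confidence=50):
    """Return {"blocklists": {list_name: sorted values}, "skipped": [(id, reason)]}.
    Drops revoked, non-STIX-pattern, expired and (when a confidence is stated)
    low-confidence indicators; holds back compound patterns for review."""
    lists, skipped = {}, []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        oid = obj["id"]
        if obj.get("revoked"):
            skipped.append((oid, "revoked"))
        elif obj.get("pattern_type", "stix") != "stix":
            skipped.append((oid, "pattern_type " + obj["pattern_type"]))
        elif "valid_until" in obj and _parse_ts(obj["valid_until"]) <= now:
            skipped.append((oid, "expired"))
        elif obj.get("confidence", min_confidence) < min_confidence:
            skipped.append((oid, "low confidence"))
        else:
            atoms = indicator_atoms(obj["pattern"])
            if atoms is None:
                skipped.append((oid, "compound pattern, review manually"))
            elif not atoms:
                skipped.append((oid, "no blockable observable"))
            for list_name, value in atoms or []:
                lists.setdefault(list_name, set()).add(value)
    return {"blocklists": {k: sorted(v) for k, v in lists.items()},
            "skipped": skipped}

def _indicator(n, pattern, **extra):
    """Minimal STIX 2.1 indicator object (constructed sample data)."""
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": "indicator--00000000-0000-4000-8000-%012d" % n,
           "created": "2024-01-10T00:00:00.000Z",
           "modified": "2024-01-10T00:00:00.000Z",
           "indicator_types": ["malicious-activity"],
           "pattern_type": "stix", "pattern": pattern,
           "valid_from": "2024-01-10T00:00:00Z"}
    obj.update(extra)
    return obj

# Constructed bundle standing in for a TAXII collection response; the
# values are documentation ranges and made-up placeholders.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _indicator(1, "[domain-name:value = 'login-examp1e.test' OR "
                      "url:value = 'http://login-examp1e.test/verify']",
                   confidence=85, valid_until="2024-07-10T00:00:00Z"),
        _indicator(2, "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']"),
        _indicator(3, "[ipv4-addr:value = '198.51.100.7']",
                   valid_until="2024-02-01T00:00:00Z"),  # already expired
        _indicator(4, "[ipv4-addr:value = '203.0.113.9']", revoked=True),
        _indicator(5, "[file:name = 'invoice.pdf.exe' AND "
                      "file:hashes.'MD5' = '00112233445566778899aabbccddeeff']"),
        _indicator(6, "rule x { condition: true }", pattern_type="yara"),
        _indicator(7, "[ipv4-addr:value = '192.0.2.44']", confidence=20),
        _indicator(9, "[ipv4-addr:value = '198.51.100.23' OR "
                      "ipv4-addr:value = '198.51.100.24']", confidence=90),
    ],
}
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed clock for the sample

if __name__ == "__main__":
    result = build_blocklists(SAMPLE_BUNDLE, NOW)
    print(result["blocklists"], result["skipped"])
```

The skipped list is as important as the blocklists: it is what an analyst reviews before a compound or low-confidence indicator is pushed to a device.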
Organizations can source TIP solutions from several vendors. The power of the IntSights TIP is in its pairing with the complementary solutions in the IntSights External Threat Protection Suite. With IntSights, organizations can save time and drive remediations with greater efficiency. Because we correlate new IOCs with your unique digital assets to better understand the potential impact of a threat and use it to drive immediate response, IntSights is the all-in-one solution for your unique organization.