A Brief Overview of Threat Intelligence

In this volatile age of cybersecurity, the remaining constant has been the accelerating flood of crafty attack techniques that render organizations incapable of safeguarding the sensitive data in their care – be it attacks involving social engineering, malware, or any other advanced persistent threat. Threat intelligence, also referred to as cyber threat intelligence (CTI) is a sophisticated process that enables organizations to collect invaluable insights into contextual and situational risks that can be tied to the organization’s specific industrial processes, markets, and threat landscape.

The prime purpose of threat intelligence is to aid organizations in attaining a deeper understanding of the risks associated with recurrent and parlous external threats. Though threat actors may also include partner and internal (insider) threats, the emphasis should be on the types that will have the largest impact on the organization’s environment. The goal of threat intelligence is to gather indicators of compromise from varying sources, correlate them, and provide real-time analysis of security alerts so that it can be continuously monitored and examined by security analysts, who will be better equipped to take the right remediation steps.

Threat intelligence plays a key role in today’s cybersecurity landscape, and it has to be properly understood by IT admins working in the different domains of cybersecurity, especially those that work closely with incident response teams.

Stronger Together – A Case for Information Sharing

In a fast-paced digital economy, speed and efficacy are imperative. This means that the amount of data networks manage has exponentially increased, along with the number of devices connected to those networks. Enterprises cannot protect what they cannot see. So in addition to integrated security devices and increased performance; there should be a holistic approach that capitalizes on the value of threat intelligence and detects threat events from the vast volumes of available data. Threat intelligence collected from multitudinous sources, then processed and correlated, is the most valuable, effective, and actionable.

This ‘higher-level’ intelligence has historically been out of the reach of most organizations. In an attempt to bridge this gap, Fortinet along with Symantec, Palo Alto Networks and McAfee formed the Cyber Threat Alliance (CTA). CTA has since been established as an independent organization whose sole mandate is to provide security professionals with the technology and intelligence they require to identify an attack.

Crippling the Kill Chain: The cyber kill chain refers to the multi-phase process of how intruders launch their attacks. To win the battle against the intruder, organizations have to disrupt just one of those steps. CTA helps reduce time to detection by providing near real-time, high-quality cyber threat information sharing and operational coordination between the organization in the cybersecurity field. By utilizing contextual information about the attack – such as the way attackers stole credentials and sensitive data, or the malware being used, organizations are able to get an upper hand, even if the hackers have already compromised the network.

Moving Forward With Threat Intelligence

Coupling the capabilities of threat intelligence with an organizations hardware, software, and policy defense strategy improves the staff’s ability to look for advanced attacks, detect potential intruders, and profile aberrant malware. Current practice mostly involves sharing indicators of compromise (IOCs). As the community matures, the next step should be sharing more context to inform better decision making and direction on a defensive action plan. In order to achieve the promise of threat intelligence, organizations have to tackle and conquer their hesitancy to share information by maturing and expanding their circles of trust.

The cybersecurity industry still has to address the lack of funding, isolated security solutions, scanty correlation of threat data, and the growing shortage of qualified cybersecurity professionals. The end-game should be the automation of cybersecurity processes where possible, freeing up the finite pool of human InfoSec talent for more challenging tasks. Strides are being made in creating machine-learning and data science models that are capable of evaluating network traffic based on the collective knowledge of all previous external and internal threats to verify discrepancies that may evolve into threats.

In Closing

Enterprises solely rely on IT security risk management methods in an attempt to focus on security controls, but these methods have not evolved enough to effectively manage risk. To defend against modern attackers, enterprise security solutions have to be adaptable enough to include new techniques that enhance decision making. Adding threat intelligence to a security solution, whether via a service provider or an internal capability, helps organizations prioritize their security activities and focus on the areas that are likely to prevent attackers.

By using the right methods to identify, handle and prevent these issues, the cost of addressing these problems can significantly be reduced. With a healthy mix of threat intelligence, behavioral threat detection, and endpoint device monitoring, organizations can position themselves to stop intruders in their tracks and expel them from the network if they manage to get in.


Author: Gabriel Lando