By Srinivas Prasad, Vice President – Security Practice, NTT Global Data Centers and Cloud Infrastructure, India
Information is of immense value in every industry – more so if it involves intelligence and data about adversaries and the techniques that can compromise your company’s defenses. This is especially important in today’s era, which has seen a surge of cyberattacks. Cyber criminals have been quick to exploit vulnerabilities using every possible virtual weapon at their disposal – from ransomware to cryptomining to DDoS attacks to the time-tested phishing emails and social-engineering-based techniques used to breach defenses.
Can these attacks be stopped or prevented? Many enterprises today are seeking to do so by taking advantage of threat intelligence services. Threat intelligence can provide contextual information such as the motivation, TTPs (Tactics, Techniques and Procedures) and tools used by adversaries, and defenders increasingly rely on it for early detection.
Threat intelligence involves analyzing data using intelligent platforms and processes to obtain valuable information about existing and emerging threats, and it is an extremely important component of a CISO’s and CIO’s arsenal for ensuring security.
According to Gartner, “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
Using data from threat intelligence, companies can fine-tune their security processes to ensure early detection and prevention of attacks. It helps companies identify threats and prepare themselves better by understanding the motives, TTPs and capabilities of attackers. Organizations can hence be proactive in establishing a good security posture instead of reacting to cyber-attacks after the fact.
The whole objective of a holistic threat intelligence service is to provide enterprises with actionable information that can proactively stop threats, contextualize information for the managed threat detection and response services team and enhance the company’s incident response capabilities to help quickly respond and resolve attacks.
Threat intelligence services provide Strategic, Tactical and Operational intelligence which help enterprises better understand emerging cyber threats, the key strategies of various threat actors, targets, campaigns, tactics, techniques, and procedures. This data can be used by enterprises to ensure appropriate countermeasures when under threat.
A threat intelligence service typically aggregates data from multiple sources, global and domestic, continuously and at a centralized location. Insights from this data are then used for early detection and correlation, leading to recommended actions for the enterprise security team.
This includes but is not limited to:
• Nodes that collect data about suspicious behavior
• Incidents captured on MDR platforms and analyzed by incident responders
• Community forums and regulatory authorities
• Security Analyst community
• Social media platforms
• Dark Web platforms
• Vendor community that provide commercial feeds of threat intelligence data
Using threat intelligence for proactive threat monitoring
When enterprises get access to threat intelligence, they can use it at different stages of their enterprise security strategy. For example, APT-related information can be used to understand the tactics of threat actors and the tools and techniques they typically use. Information about indicators of compromise can be used to determine whether an enterprise has been breached in any way. Information about techniques used by cyber criminals can be used to fine-tune and customize the cyber security strategy. If a critical vulnerability is detected, an alert is sent immediately, which helps the team plug any gaps and perform the necessary upgrades, so that the team is ready for threats and can prepare the infrastructure accordingly. Additionally, data feeds about malicious URLs, illegal servers, malicious botnets and phishing URLs are constantly made available to enterprise security teams, which helps enterprises react quickly and effectively.
Similarly, intelligence on the source of an attack, past attack patterns or the targets of attacks can be used to correlate attacks and prevent future ones, ideally stopping incidents before they happen. Enterprises can additionally use this information to proactively hunt for undetected attacks whose fingerprints may be buried in large volumes of log data. Threat intelligence platforms can help incident response teams respond more accurately and effectively, and give them the capability to prioritize the vulnerabilities that threat actors are most likely to target.
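As an added illustration of the hunting and correlation described above (example code written for this article, not a product or platform of NTT), the script below matches a constructed threat-intelligence feed of domains, IP ranges and URLs against constructed proxy log lines, then groups the hits per source host and ranks hosts by the feed’s confidence score so responders know where to look first. The feed entries, log lines and field layout are all assumptions made for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed sample feed (documentation-only addresses, not real indicators).
# Each entry carries an indicator type, its value and the feed's confidence score.
IOC_FEED = [
    {"type": "domain", "value": "update-checker.example", "confidence": 90},
    {"type": "ipnet", "value": "203.0.113.0/24", "confidence": 70},
    {"type": "url", "value": "http://files.example.net/login/verify.php", "confidence": 95},
]

# Constructed proxy log lines: timestamp, source host, destination IP, requested URL.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 host-a 198.51.100.7 http://www.example.com/index.html
2024-05-01T10:00:05 host-b 203.0.113.45 http://cdn.example.org/app.js
2024-05-01T10:01:10 host-b 192.0.2.9 http://update-checker.example/ping
2024-05-01T10:02:00 host-c 192.0.2.20 http://files.example.net/login/verify.php?x=1
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def match_line(line, feed):
    """Return the feed entries that match one log line (domain, IP range or exact URL)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # malformed line: skip rather than crash the hunt
    _ts, _src, dst_ip, url = m.groups()
    host = urlparse(url).hostname or ""
    path_url = url.split("?", 1)[0]  # compare URL indicators without the query string
    hits = []
    for ioc in feed:
        kind, value = ioc["type"], ioc["value"]
        if kind == "domain" and (host == value or host.endswith("." + value)):
            hits.append(ioc)  # exact domain or any subdomain of it
        elif kind == "ipnet" and ip_address(dst_ip) in ip_network(value):
            hits.append(ioc)
        elif kind == "url" and path_url == value:
            hits.append(ioc)
    return hits


def hunt(log_text, feed):
    """Scan every log line, then correlate hits per source host for prioritisation."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        for ioc in match_line(line, feed):
            per_host[line.split()[1]].append(ioc)
    # Rank by the highest-confidence indicator seen, then by number of hits.
    return sorted(per_host.items(),
                  key=lambda kv: (-max(i["confidence"] for i in kv[1]), -len(kv[1])))
```

On the sample data, host-c ranks first because it fetched the high-confidence phishing URL, and host-b second with two lower-confidence hits that still merit investigation.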
In summary, threat intelligence can give CIOs and CISOs real-time visibility into the latest threats, vulnerabilities and events, enabling these leaders to respond to threats in a proactive manner.