A whole lifecycle of threat intelligence, from planning and collection through to analysis and dissemination, is needed to meet and defeat threats.
According to Dr David Bailey, CTO for Cyber Security at BAE Systems Applied Intelligence, the importance of threat intelligence is apparent for all organisations, especially in the wake of some high profile cyber attacks.
Speaking at an event for the Telco community, Bailey said: “Threat intelligence is a vital component of rapid detection and recovery from an attack – it gives compromised organisations the knowledge and confidence to react quickly and with precision to limit the damage caused by these breaches.
“GOZeuS and Cryptolocker, the subject of recent takedown activity by the FBI and the NCA in the UK, provide a real example of how threat intelligence can feed into law enforcement to reduce the threat, and protect businesses and consumers. However, this is only a temporary reprieve – the NCA estimates that the network could be up and running again in two weeks. To manage the threat on a long-term basis, threat intelligence needs to be an enduring part of the way in which businesses conduct security for themselves and their customers.”
Speaking on the value of intelligence sharing, Bailey said: “Information sharing, with bodies such as CERT-EU and partners, public and private, is essential but it is only part of managing the threat from state-backed groups, organised crime and activists. We advocate considering the whole lifecycle of threat intelligence, from planning and collection, through analysis and dissemination.
“The link to the operational environment is key, and when done well, not only helps organisations protect their own information and systems but also helps protect customer data and devices. This can open up important new revenue streams for service providers and security companies alike as we see more and more value-add services which incorporate security and intelligence capabilities from the ground up.”
Oliver Pinson-Roxburgh, systems engineering manager at Trustwave, said that crowd-sourced intelligence from a greater footprint than just the individual company is a great way to get early warning signs, and to find that needle in the haystack when being bombarded with security information.
“Threat intelligence is something good MSSPs provide in an easy to consume way and use in their service to help the small businesses thwart the attackers’ attempts or to get better at seeing the early warning signs of attack,” he said.
Stuart McKenzie, senior security consultant at Context, told IT Security Guru that threat intelligence can play a major role in a cyber investigation post compromise, and that Context uses its own Threat Intel Team to examine attackers’ tactics, techniques and procedures to attribute the attack and understand what the attacker motivations were.
“In an active investigation this can keep you one step ahead of the attackers,” he said. “There is also tremendous value in understanding the tools the attackers deployed during the compromise, the exploit chain, the method of exfiltration. These can all be used to build indicators of compromise which can be used to prevent future attacks and enhance investigations.”
McKenzie said that taking down major botnets is a move in the right direction, but clear and coherent advice to end users on how best to improve cyber hygiene needs to accompany the headlines.
TK Keanini, CTO of Lancope, said that bad guys hate being detected, and hate it even more when they are evicted. “After they are discovered and some remediation takes place, I think it is even more important to have accurate and actionable threat intelligence because they are not going to go away, they are just going to return in a different form for you to detect and remediate again,” he said.
“In the most general and highest level, your adversary has intelligence on you that is likely accurate and actionable; you in turn must have intelligence on them that is accurate and actionable. Threat intelligence is a broad category and includes, but is not limited to, the threat’s capabilities and tactics but also what you assume they know about you and your capabilities and tactics.”
Asked if threat intelligence can help with responding to an incident, Keanini said: “Knowing as much as you can about the threat actors can only help and equally important is knowing more than the threat actor about yourself and your own network. Having the right level of operational visibility on your network is critical before, during and after the incident. In general, intelligence drives good decision making on the part of the defender and the attacker so use it early and use it often.”