IT Security Guru

Marrying machine and human threat intelligence for ultimate security

by The Gurus
October 20, 2017
in Editor's News, This Week's Gurus

Despite the gloomy cyber attack headlines, many organisations are moving along the cyber security maturity curve, and the adoption of intelligence-led security strategies has increased. One of the main drivers is the sheer volume of data that comes in and out of a business, which makes it difficult to extract actionable insight. A lot of data that is not conveyed in the right way can be just as bad as not enough, and this is the situation that many companies find themselves in, resulting in threat overload. It comes as no surprise that one in three (32%) security professionals indicate they lack effective intelligence to detect and action cyber threats, according to a recent survey[1].
Unfortunately, many security teams are not optimised to deliver on this volume of threat intelligence and are often over-worked, spending far too long doing the (very necessary) simple, basic tasks, but never stepping back to look at what’s going on at a macro level. Many strategies are still in their infancy, more reactive than deliberate. But threat intelligence can no longer be seen to be adding to the big data problem, or just providing tactical indicators.
Security teams must get the people-process-technologies triangle right. When considering which tools to invest in, they should be looking for technology that can assimilate both human-readable and machine-readable information into one easy-to-consume resource, and that can analyse threat data from multiple sources in real time, enabling analysts to quickly and easily assess whether to take defensive action. This potentially reduces the window of vulnerability down to a matter of hours and minutes.
Businesses can therefore identify the threats they must take notice of, which gives them actionable and relevant insight. This automates processes, ascertains valuable outcomes and helps to find insights, which is essential. Such solutions begin by cataloguing information about the identities, motivations, characteristics, and methods of attackers. This knowledge is put in context against real-time activity to identify invasive behaviour with evidence-based knowledge. Customisation is also possible, tailoring tools to suit any network, as threat alerts should be informative, not just alarming. For example, they should enable you to discover whether your data is the object of someone’s desire or if your network was simply unlucky.
All of this automation is imperative but the reality is that cyber actors are people too. Human intuition and human intelligence collection (HUMINT) are crucial, as they contextualise threat data into useful and actionable outcomes. Such useful context includes geo-political circumstances, economic struggles, or attacks that are made public that have impacted another industry or organisation. This results in broader visibility and enrichment to existing intelligence collection mechanisms.
It is therefore important to have a robust security team, but also, when choosing the right technology partner, to ensure that you know the individuals behind the tools. It’s essential they can provide help with both the equipment and people side of intelligence. They should also help to curate data in a way that is useful to each individual company, contextualising adversaries specifically to an environment and filling any skill gaps, or, during an incident, add extra layers of capabilities such as utilising multi-lingual expert security analysts.
In the case of threat intelligence providers, labs teams are continuously monitoring malicious activity on a global scale, while deep and dark web specialists can garner in-depth insights from the murky underworld of the cyber-criminal. This gives you access to more privileged conversations, tools, techniques and exchanges, adding another human aspect of intelligence.
A DIY Deep Dark Web Service of your own just isn’t possible. Threat actors come from myriad locations across the globe, the linguistic and cultural barriers are huge, and penetrating the relevant communities requires extensive trust. Many communities are invite-only, so appropriate anonymization practices are required, and as you can imagine, threat actors are constantly on the lookout for “moles”. Building trust and respect takes time, and so a third party that can do this is an essential part of a robust security posture to help navigate the murkier side of the web. Subsequently you’ll gain further contextual information that will help to understand the bigger picture of a threat.
As the threats posed by cyber criminals continue to grow, you must simplify the noise of data to find the threat intelligence that is relevant and actionable for your organisation. This means disseminating the influx of information, analysing vast volumes of data in real time, and applying both machine and human intelligence to help prioritise malicious activity. You need a deliberate strategy that enables you to be the commander of cyber threats, no longer just mowing the lawns and trying to keep the bad guys out.
[1] Survey of 153 attendees, representing a range of industries, conducted by Anomali at InfoSecurity Europe, June 2017
 
Richard Betts, Head of International Financial Services at Anomali
