Threat Intelligence: Do You Have All You Need? Do You Need All You Have?


We’re going through difficult times, in which a pandemic is hitting the world incredibly hard. Although it’s not the highest concern at the moment, we must consider the economic consequences this outbreak will bring, and its effects on the cybersecurity sector. One thing to consider is that security incidents are still occurring, with attackers taking advantage of the current health and economic crisis. In addition, most companies have moved to remote formats, and teleworking creates the need to implement security measures that were previously unnecessary and to reinforce existing ones. That said, organisations should now take a look at the cybersecurity investments and strategies they planned a couple of months ago, and make urgent decisions about what they need to maintain business continuity and defense in the current landscape.

Every kind of business has to adjust their cybersecurity approach for the new reality, but surely organisations are up for the challenge!

Threat Intelligence: Definition and Approaches

Threat Intelligence can be defined as evidence-based knowledge of existing or emerging threats. It provides us with useful and practical information that enables decision making and protects an organization against present and future threats. However, the market is full of security providers that offer Threat Intelligence solutions that seem interesting, when in reality their practical usefulness in many environments is not so clear.

There are many current information services that filter out irrelevant information, while also grouping and connecting interesting data and providing knowledge about current threats for those who are not versed in the matter. This allows us to obtain a comprehensive and more accurate picture of the environment we operate in, but the value of this information is not easy to quantify.

Despite all their limitations, organisations can find many lists of indicators of compromise in the market. Lists are popular because they are a direct and simple way to have something measurable and, above all, something that allows you to act and which you can apply in a practical way within your organization.
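A small illustration of both halves of the title, added here and not part of the original post: an indicator list is applied to log lines, and the same run tells you which indicators never fired. The feed values, log lines and field names are constructed for the demo.

```python
import re
from collections import Counter

# Constructed indicator feed (placeholder values, not real IoCs).
IOC_FEED = {
    "ip": {"203.0.113.7", "198.51.100.22", "192.0.2.99"},
    "domain": {"bad-updates.example", "login-verify.example"},
    "sha256": {"a" * 64},  # placeholder hash
}

# Constructed proxy log lines in a made-up key=value format.
SAMPLE_LOGS = """\
2020-04-01T09:12:03Z src=10.0.0.5 dst=203.0.113.7 host=cdn.example action=allow
2020-04-01T09:12:10Z src=10.0.0.9 dst=93.184.216.34 host=login-verify.example action=allow
2020-04-01T09:13:44Z src=10.0.0.5 dst=203.0.113.7 host=cdn.example action=allow
2020-04-01T09:15:01Z src=10.0.0.12 dst=172.16.4.4 host=intranet.local action=allow
""".splitlines()

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"host=([\w.-]+)")
SHA_RE = re.compile(r"\b[0-9a-f]{64}\b")


def extract(line):
    """Pull candidate observables (IPs, hostnames, SHA-256 hashes) out of one log line."""
    return {
        "ip": set(IP_RE.findall(line)),
        "domain": set(HOST_RE.findall(line)),
        "sha256": set(SHA_RE.findall(line)),
    }


def match_feed(lines, feed=IOC_FEED):
    """Return (hit count per (type, indicator), list of log lines that matched)."""
    hits, matched = Counter(), []
    for line in lines:
        obs = extract(line)
        found = [(t, v) for t, vals in obs.items() for v in vals if v in feed[t]]
        if found:
            matched.append(line)
            for key in found:
                hits[key] += 1
    return hits, matched


def unused_fraction(hits, feed=IOC_FEED):
    """Share of indicators that never matched: the 'do you need all you have?' number."""
    total = sum(len(v) for v in feed.values())
    return (total - len(hits)) / total
```

Tracking which indicators never fire over weeks of logs is one concrete way to put a number on a feed's value before renewing it.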

These traditional approaches still exist, but of course they have evolved. The approach that has been adopted for some time now models the way attackers operate, assumes that a breach will happen, and refuses to simply shield the perimeter. This information enables new anomaly checks to be established throughout the IT infrastructure, not to mention the even less mature OT security infrastructure, and effectively expands security coverage.

The Three Levels of Threat Modeling

As in other areas of Threat Intelligence, this study and modeling of attacks and attackers can be separated into several levels:


1 – The most abstract one deals with knowledge about active attackers from a global perspective, which will allow the establishment of generic defense measures.

2 – On a second level, attacks on a specific sector can provide a different point of view of the same threats, emphasizing certain aspects of companies belonging to said sector that may be masked in a comprehensive analysis because it’s something that does not apply to the rest of the sectors. It also allows the discovery of the weaknesses or the most attacked points in companies with a specific profile.

3 – Lastly, and perhaps most interestingly, this approach can provide information regarding attacks against a particular entity, with specific information about the way the data is obtained and about attacks on a certain infrastructure.


In Praise of Proactivity in Cybersecurity

We shouldn’t dismiss any of these three levels, but it seems clear that the more specific the information handled is and the more targeted the attacks analyzed are, the better the defense will be. It’s obvious that obtaining this information is more complicated. That is why companies must take proactive measures to gather it since they are the ones that suffer attacks and have access to data that no one else can provide them.

Acting is not easy, but companies must take advantage of every resource within their reach and extract value from every activity that catches their attention. If they can study how a potential adversary searches for information about them, then they can understand what this adversary is interested in. If companies can analyze the criminal’s behavior when he or she tries to exploit the perimeter, then they can defend it better. If they can learn what techniques attackers use to move around their network, then they can detect those attackers once they manage to get past the perimeter.

So, organisations: Be proactive! Don’t dismiss any information about a possible attack as you gather and analyze data. Set traps along the way and more thoroughly analyze the adversary to know who you are facing. This way, you will be able to defend yourselves in the best possible way, because the attackers won’t ever go away.

Like Jim Morrison said, this is the end. But you can...