These days, hardly a day goes by without news of another cybersecurity incident. Credit card information gets stolen. Social Security databases get hacked. Customer data breaches expose private personal information. Ransomware shuts down businesses, hospitals, and government agencies alike. Clearly there’s a battle underway. Businesses and organizations need to understand the threats they face, and how best to fend them off, or risk financial, operational and reputational damage. That’s where threat intelligence comes into play.
According to WhatIs.com, threat intelligence is “organized, analyzed and refined information about current or potential attacks.” Such information is often abbreviated CTI, for cyber threat intelligence. In other words, CTI provides actionable information about threats to your business operations and to the confidentiality, integrity, and privacy of your data. But threat intelligence is more than awareness that attacks are happening. It also requires understanding who the adversaries are, what motivates them, and how they exploit vulnerabilities to mount attacks against systems and information.
The volume of attacks keeps growing: 62% of businesses reported phishing and social engineering attacks in 2018 (Cybint Solutions, 2019). A Clark School study (University of Maryland) found that internet-connected computers are attacked every 39 seconds on average (Security Magazine, 2017). In the same vein, Accenture (2019) reports that two-thirds of business leaders (68%) believe their cybersecurity risks are increasing. All this nefarious activity led to data breaches that exposed 4.1 billion records in the first half of 2019 (Risk-Based Security). No wonder, then, that Gartner forecast in August 2018 that worldwide cybersecurity spending would approach $134B in 2022.
For companies and organizations to properly assess potential threats, they must look at both internal and external sources of information. Each is important, and each can provide valuable insights into potential, emerging and actual threats.
Internal information sources show what’s happening inside your organization, and at its boundaries with external networks and access points. Such sources include the many log files that OSes, security software, applications, and devices generate as they do their jobs. They also include the alarms and alerts that such infrastructure elements raise, as well as the correlated output of the security information and event management (SIEM) systems in use in many organizations. Finally, incident reports from helpdesk, support, or incident response staff provide particularly relevant detail about attempted or successful exploits, how they were analyzed, and what remediation or workaround was applied.
External information sources describe what’s going on outside your organization’s boundaries. Not everything out there is relevant to what’s inside them, but information about common and current threats is easily filtered against an inventory of what you actually run. That way you can concentrate on threats relevant to the specific systems, platforms, OSes, devices, software versions and patch levels present in your organization. External information sources include security blogs, publications, and newsletters.
They also include publicly available information about current vulnerabilities and exposures, such as MITRE’s CVE list or the Department of Homeland Security’s National Cyber Awareness System alerts. Third-party security companies also maintain their own threat intelligence databases and reports, based on independent research and on analysis of the events and alerts collected from their customer base, which can span tens or hundreds of millions of endpoints. Subscriptions to one or more such private, fee-based threat intelligence services are an increasingly important part of due security diligence nowadays.
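The filtering step described above, as an added example that is not part of the original article: an external vulnerability feed is matched against an internal asset inventory so that only advisories affecting software you actually run (and at a version below the fixed release) survive, ordered by severity for triage. The feed records, advisory identifiers, product names, hosts and versions are all constructed sample data; real CVE/NVD records carry affected-version information as CPE match strings rather than the simplified `fixed_in` field assumed here, so the matching would need adapting to a real feed.

```python
"""Reduce an external vulnerability feed to the advisories relevant to your own
assets. FEED and INVENTORY below are constructed sample data (placeholder
advisory IDs, not real CVEs); the `fixed_in` field is a simplification of the
version-range data a real feed such as NVD carries as CPE match strings."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    adv_id: str
    product: str      # normalised product name, matched exactly against inventory
    fixed_in: str     # first version that is NOT affected; "" means no fix yet
    severity: str     # critical / high / medium / low


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> tuple:
    """Turn '2.4.49', '10.1' or '8.8p1' into a tuple of ints for comparison.
    Splits on '.' and '-', keeps the leading digits of each piece and stops at
    the first non-numeric piece, so '2.4.49' < '2.4.50' and '10.0' < '10.1'."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected if it runs the product and its version is older
    than the fixed release; with no fix published, every version counts."""
    if asset.product != adv.product:
        return False
    if not adv.fixed_in:
        return True
    return parse_version(asset.version) < parse_version(adv.fixed_in)


def relevant_advisories(feed, inventory) -> dict:
    """Return {advisory id: sorted list of affected hosts}, dropping every
    advisory that touches nothing in the inventory."""
    hits = {}
    for adv in feed:
        hosts = sorted(a.host for a in inventory if is_affected(a, adv))
        if hosts:
            hits[adv.adv_id] = hosts
    return hits


def triage_order(feed, hits) -> list:
    """Advisory ids that hit something, most severe first (stable within a
    severity level, so feed order is preserved for ties)."""
    relevant = [adv for adv in feed if adv.adv_id in hits]
    return [adv.adv_id for adv in sorted(relevant, key=lambda a: SEVERITY_RANK[a.severity])]


# Constructed sample feed: placeholder identifiers, not real advisories.
FEED = [
    Advisory("EXAMPLE-0001", "apache-httpd", "2.4.50", "critical"),
    Advisory("EXAMPLE-0002", "openssh", "8.8", "high"),
    Advisory("EXAMPLE-0003", "nginx", "1.21.0", "medium"),   # product we do not run
    Advisory("EXAMPLE-0004", "apache-httpd", "", "high"),    # no fix released yet
]

# Constructed sample inventory of what this organization runs.
INVENTORY = [
    Asset("web01", "apache-httpd", "2.4.49"),
    Asset("web02", "apache-httpd", "2.4.51"),
    Asset("bastion", "openssh", "8.4"),
    Asset("build01", "openssh", "9.0"),
]

if __name__ == "__main__":
    hits = relevant_advisories(FEED, INVENTORY)
    for adv_id in triage_order(FEED, hits):
        print(adv_id, "->", ", ".join(hits[adv_id]))
```

Note the two edge cases a practitioner has to decide on: an advisory with no fixed version yet must match every installed version rather than none, and version strings with vendor suffixes (such as `8.8p1`) need a comparison that does not fall back to plain string ordering. Product-name normalisation is assumed to have happened upstream; in practice mapping a feed's vendor/product naming onto your inventory's is where most of the filtering effort goes.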
Organizations can – and should – take proactive steps to improve their threat intelligence acquisition and response mechanisms. The following items are essential elements that will help organizations to improve their threat intelligence, and help them avoid exploits and compromise: