Most breaches start with an email. These ubiquitous messages are the most dangerous cyber threat even in the technologically advanced and industrialised Middle East. Whether they hide malware or impersonate an executive ordering money transfers, email-borne attacks are constantly honed to bypass perimeter defenses.
Defending an organisation against today’s advanced cyber-threats is a Herculean feat. According to a survey by Bitdefender, the strain is so acute that 53 percent of security professionals are considering resigning if they can’t increase their budgets or hire more staff. However, forward-looking decision makers have found an efficient way to alleviate this pain point. Instead of taking the placebo path and piling countless layers of disparate security solutions on top of one another, in the hopes of filling all cyber-security gaps, IT leaders today are turning to a simpler and smarter approach ― enter actionable cyber threat intelligence (CTI).
Weaving threat intelligence into your cybersecurity fabric
According to the 2019 Gartner Market Guide for Security Threat Intelligence Products and Services, 20 percent of large enterprises will use commercial CTI services by 2022 to bolster security ― an increase from fewer than 10 percent today. But why is threat intelligence suddenly such an appealing approach to combating advanced cyber-threats?
Today’s high-performing companies are embracing threat intelligence for an array of uses, such as security data augmentation, phishing investigations, incident response, vulnerability management and detailed malware analysis. CTI lets security teams improve defenses by triaging and prioriti sing alerts while increasing efficiency and productivity. Often integrated with Security Information Event Management (SIEM) or Endpoint Detection & Response (EDR) solutions, CTI correlates data gathered from inside the enterprise with indicators about external threats. By narrowing the range of threats marked for investigation, threat intelligence can more quickly and accurately identify the risk of a breach, or a breach that is penetrating your infrastructure. But, in one area, TI makes all the difference: email.
Email – still the most common attack vector
Data collected by Bitdefender researchers in the past 12 months indicates that the global volume of spam has increased 48 percent year-over-year. Spam remains a key delivery mechanism for malware, (banking Trojans, ransomware, etc.), or scams like the Nigerian prince, fraud and impersonation (business email compromise / BEC). Spam is the go-to weapon for cybercriminals. It can help in social engineering by gaining victims’ trust and compelling them to quickly open an attachment, click a link, type in a password, or even wire funds directly to the attacker’s account.
Spam takes many elusive forms, some of which can sneak past perimeter-level defenses, like next-gen firewalls and intrusion prevention and detection systems (IPS / IDS). Spear-phishing and whaling ― also members of the spam family ― are even bigger threats to an organi sation. Whaling scams, also known as Business Email Compromise (BEC), essentially forge a boss’s email address, or compromise the boss’s email account outright in order to send fraudulent messages inside the organi sation. Typically, BEC operators ask a victim to transfer funds into a bank account they control. BEC scams have so far netted over $12.5 billion, according to the FBI’s cyber-crime fighting group, the IC3. Emails sent in the name of the CEO can easily get past your firewall unless your filters use proper threat intelligence to spot the scam.
So, how can security teams leverage threat intelligence to combat hackers’ most successful attack avenue? Well, it all boils down to the quality of the filters employed to parse the data. This is the key selling point for TI vendors and the key to success for prospecting buyers alike.
Fine grain detection
Applied to spam, phishing, spear-phishing and whaling, threat intelligence can catch malicious emails targeting certain industries, sniff out emails laced with elusive malware, and spot campaigns using sophisticated methods to evade detection. For example, machine learning models analyse the text in the email for even the smallest clues that something is amiss. IP, domain and URL reputation (spam threshold from those sources) are measured constantly for blacklisting and whitelisting. Tags ― like employment, lottery, stock, pharma and dating ― help categori se emails as suspicious before other filters kick in to infer or rebuff the validity of the email. And the list goes on.
Current threat intelligence vendors overestimate the customer’s capabilities. All of the above can be served up directly to your security team, or, if you lack the manpower and skill in-house, you can outsource it to your vendor’s army of security experts trained to tweak those knobs for you, based on your business model, industry type, technical requirements, etc.
In the context of spam, threat intel correlates data points from multiple levels and angles to determine whether the email you are looking at is malicious or legitimate.
Separate the best from the rest
When choosing your threat intel vendor, first look for easy integration with your existing tooling (SIEM, TIP, SOAR), targeted threat intelligence based on company profile, and predictive and strategic data.
The best vendors deliver top-rated security data and expertise by leveraging dedicated anti-spam, anti-phishing and anti-fraud technologies, indicators of compromise on every layer of your infrastructure, internal crawling systems, email traps, honeypots and data from monitored botnets, advanced heuristics and content analysis. Top rated solutions also include an internal virtual machine farm that executes prevalent malware and collects threat information and, ideally, collaborates with other cybersecurity industry players, international organi sations and law enforcement agencies.
And last, but certainly not least, always prospect those vendors whose reputation precedes them.
