Threat intelligence has increasingly gained popularity as threat prediction and proactive cyber defences have proven effective in mitigating cyber-attacks. ThreatQuotient senior vice president of strategy Jonathan Couch discusses how enterprises can pull strategic value from threat intelligence.
Give a brief overview of ThreatQuotient’s operations.
ThreatQuotient provides a security operations platform which enables collaboration and efficiency to security teams by connecting people, process, and technology and focusing on the threats to your organisation.
How is threat intelligence developed? How can organisations translate this data into actionable defence against cyber-attacks?
Threat intelligence has moved into the commercial world from governments and militaries over the past 15 or so years. It is typically developed by collecting information on what the bad guys (often called ‘adversaries’) are doing and then sending that information to organisations that may be affected by those attacks. Intelligence follows a lifecycle, and the differences in intelligence are typically due to variations in the lifecycle.
A simplified threat intelligence lifecycle entails collection, analysis, and dissemination. Collection can occur in underground forums, monitoring of botnets and adversary infrastructure, from victims of attacks, from social media, or your internal security sensors. Meanwhile, analysis is the process of validating and verifying a threat and adding context to the technical information (e.g. Is it cybercrime or espionage or hacktivism? Is it ransomware or an exploit kit?). Finally, dissemination is how that information or intelligence is delivered to a consumer whether it is via a published report, machine-to-machine API, web portal, email and so on. Dissemination is the format, frequency, and content of the information. Without going through this lifecycle, it is just data/information, not ‘intelligence.’
As for putting these insights into practice, there is a general assumption in the industry that actionable means technical data that machines can consume and use to block or alert. Actionability is defined by the consumer: while the SOC may find indicators sent to the SIEM to be actionable, a CISO won’t. All the intelligence an organisation has on something must be aggregated, de-duplicated, and correlated and then the security team needs to define the format, frequency, and content for each of the stakeholders in the organisation.
Can you give three key factors enterprises need to keep in mind in building an effective threat intelligence framework? What kind of solutions or resources should CISOs invest into?
The three things organisations need to consider when creating threat intelligence or selecting a Cyber Threat Intelligence (CTI) provider are context, relevance, and follow-on.
CTI frameworks must focus on context and answer some of the ‘who, what, when, where, why and how’ behind cyber-attacks. Organisations need to understand that having lists of bad domains, IPs or hashes without any context isn’t intelligence, it is just data and doesn’t support smart decision-making.
Secondly, relevance is how security teams can help to filter all of the information and intelligence out there and narrow it down to the items that matter most to their specific organisation. Prioritising relevant intelligence helps teams be more efficient and effective and focus on specific threats they know will cause damage.
Finally, security groups should consider intelligence follow-on, which entails answering the questions that consumers such as CISOs, SOC analysts and incident responders have around various threats. Organisations need to be staffed and ready to research and provide answers to these questions versus just throwing reports or data at people and not being able to explain it or make it relevant.
CISOs need to invest in solutions that give them the breadth and depth of coverage and insight into their enterprise as well as intelligence feeds and platforms that can interact with those solutions. All of these need to work in concert. There is no value in having the best intelligence on malware that is targeting your organisation without the right solutions in place on your endpoints to block or deliver alerts on that intelligence. Likewise, if you have an EDR solution but have no platform to take intelligence from feeds, prioritise it, find relevance, and send it to the EDR solution, you will face issues with finding the real value in cyber threat intelligence.
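As an added illustration of the aggregate, de-duplicate and correlate step mentioned earlier, and of context and relevance as the first two factors, the following is example code written for this page, not ThreatQuotient's platform. The two feeds, their field names, the sector tags and the scoring weights are constructed assumptions; the same indicator list is rendered one way for the SOC and another for the CISO.

```python
from collections import defaultdict
# Constructed sample feeds (placeholder values, not real indicators). Feed B
# repeats one domain in different case and adds context that Feed A lacked.
FEED_A = [
    {"ioc": "bad.example", "type": "domain", "actor": "crew X", "motive": "cybercrime", "sector": "energy"},
    {"ioc": "203.0.113.7", "type": "ip", "actor": None, "motive": None, "sector": None},
    {"ioc": "198.51.100.9", "type": "ip", "actor": None, "motive": None, "sector": None},  # bare data
]
FEED_B = [
    {"ioc": "BAD.EXAMPLE", "type": "domain", "actor": None, "motive": None, "sector": "energy"},
    {"ioc": "203.0.113.7", "type": "ip", "actor": "group Y", "motive": "espionage", "sector": "finance"},
]

def aggregate(*feeds):
    """Merge (name, records) feeds into one record per indicator: de-duplicate
    case-insensitively and correlate context fields across sources."""
    merged = {}
    for name, records in feeds:
        for rec in records:
            key = (rec["type"], rec["ioc"].lower())
            m = merged.setdefault(key, {"ioc": key[1], "type": key[0], "sources": set(),
                                        "actor": None, "motive": None, "sector": None})
            m["sources"].add(name)
            for field in ("actor", "motive", "sector"):
                m[field] = m[field] or rec[field]  # fill gaps from the other feed
    return list(merged.values())

def score_relevance(rec, org_sector):
    """Relevance: aimed at our sector (+2), attributed to a known actor (+1),
    corroborated by more than one source (+1). Context-free data scores 0."""
    return ((2 if rec["sector"] == org_sector else 0)
            + (1 if rec["actor"] else 0)
            + (1 if len(rec["sources"]) > 1 else 0))

def soc_view(recs, org_sector, threshold=3):
    """Technical view: indicators relevant enough to push to the SIEM or EDR."""
    return sorted(r["ioc"] for r in recs if score_relevance(r, org_sector) >= threshold)

def ciso_view(recs, org_sector):
    """Strategic view: which actors target our sector, grouped by motive."""
    by_motive = defaultdict(set)
    for r in recs:
        if r["sector"] == org_sector and r["actor"]:
            by_motive[r["motive"]].add(r["actor"])
    return {motive: sorted(actors) for motive, actors in by_motive.items()}

if __name__ == "__main__":
    recs = aggregate(("feed_a", FEED_A), ("feed_b", FEED_B))
    print("SOC:", soc_view(recs, "energy"), "CISO:", ciso_view(recs, "energy"))
```

The same three indicators yield one blockable domain for an energy-sector SOC and a one-line "cybercrime actor targeting our sector" summary for its CISO, while the context-free IP never reaches either.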
How do technologies such as automation and machine learning enhance threat intelligence tools and processes?
Machine learning and artificial intelligence (ML/AI) are still fairly new in the industry but there are some tools out there that are leveraging these trends to better identify threats in the network and adapt to resist, block or recover from them.
I am more a fan of automation currently. If you have comprehensive security infrastructure, then you can automate many facets of intelligence in your environment to block cyber-attacks. In addition, you can drastically increase your capability to detect and respond to these threats. Cyber-attacks are inevitable and will always get through your defences no matter how good your security strategies are. However, organisations can leverage automation to quickly detect those attacks and remove them from your network.
Midsize businesses may find gathering and leveraging threat intelligence daunting as they often lack the resources and expertise to do so. How can SMBs address this challenge?
SMBs can employ a managed services provider but they can also look at joining various sharing groups or cheaper intelligence provider solutions. MSPs will give smaller companies the advantage of being able to access the intelligence gained by other MSPs and clients.
How is the demand for threat intelligence solutions in the Middle East region?
The Middle East has witnessed a significant increase in threat intelligence projects over the past year. Many enterprises are going through security uplift projects and they want to be at the leading edge of security and incorporate threat intelligence and threat intelligence/security operations platforms into their security operations. A driving factor behind this is also the move to start incorporating more security into operational technology networks that oil, gas, and energy companies rely on when extracting, producing, shipping and delivering their products.
How vital is threat intelligence sharing in combating future threats?
Threat intelligence gives organisations insights into attacks beyond their own infrastructure. By seeing and understanding how threat actors carry out their attacks, organisations can better prepare themselves. Furthermore, by looking at how attacks are evolving, organisations can also detect trends and anticipate future attacks, allowing them to better plan and prepare their security teams.
How do you see the adoption of threat intelligence tools evolving in 2020? What role can ThreatQuotient play in the growth of this segment?
ThreatQuotient is moving more towards offering a ‘security operations platform’ as opposed to a specific threat intelligence platform. Our take is that threat intelligence needs to be connected throughout people, processes, and technologies. In 2020, organisations are going to adopt threat intelligence more and more, but they will also want to see the value from it. To see that value, they need to have threat intelligence supporting all of their stakeholders – including executives and non-operations roles – and it should be integrated into all of their IT tools to help their teams collaborate better. What one team within the business learns about a threat should be immediately shared and available for all of the other teams.