Cyber threat intelligence offers an in-depth look at the potential threats and attack vectors facing an organization. Each organization is different, and in these differences there are a variety of ways cybercriminals can exploit a company. Security tools such as firewalls and antivirus software protect against several of these threats, but they cannot protect an organization from everything. This is where cyber threat intelligence plays a crucial role.
Threat intel gives an organization the ability to identify threats, understand where any lapses in security have already occurred, and gives direction on how to proceed concerning these vulnerabilities. This is a lot of information for any organization to handle on their own, especially since the cyber landscape continues to change.
“The field is constantly growing and evolving; there is no shortage of cyber information, which means it can be very easy to get overwhelmed with it,” said Aaron Bay, chief analyst at SurfWatch Labs. “We sometimes forget to take a peek at what is going on with the rest of the world.”
Yesterday we talked with Bay about the role of the cyber threat analyst. Today we finish our conversation, and focus on how threat intelligence can help organizations.
Why does a company need to implement threat intelligence on top of their existing security?
Having security tools such as firewalls and antivirus software is critical; you have to have them. If you don’t have these tools, you are already at a disadvantage. These security tools are paramount, but the information derived from them can be overwhelming. From what I have seen, a lot of time companies will simply buy these tools, plug them in and forget about them. From a threat analyst perspective, what we do when we give companies information about threats affecting their industry is show them the known mitigation of the threat. We can only lead the horse to water; we can’t make it drink. But if we can give organizations enough pertinent information where they are asking, “Does my defense actually protect us against this?” that goes a long way.
A lot of the time companies are putting up boundaries to stop threats from getting in, but they might not necessarily know when information gets out. They may be breached, and their information could have been compromised. They could also be attacked at a point they weren’t protecting such as point-of-sale systems. A bank has credit and debit cards, and the bank itself is usually pretty well protected against direct attacks. All of that can be defeated by a skimmer on an ATM. Knowing these attack vectors and knowing this is another way cybercriminals can get to your customers’ data can really help mitigate risks. If we as threat analysts are looking for these attack vectors and alternative methods, then we can help an organizations be better prepared and protected against threats.
Cyber threat intelligence is a relatively new avenue in cybersecurity. Are companies seeing value in this?
Cyber threat intelligence is still a growing field; it is definitely still evolving — as it should be. Threats are evolving, so this field that focuses on these threats is evolving as well. I think, for the most part, everybody is doing the best job that they can. It’s hard for a business to feel like they are getting a return on their investment from IT security in general. When you get that big win, when you catch something that no one else caught, either protecting some data or helping stop something before it became a big deal, then it is easy to see the value of it. For companies, as long as everything is working, the people who make decisions about IT and their infrastructure don’t necessarily want to know what goes into keeping everything running. They just want it to work. If everything is working, it is easy to not respond and spend money on keeping everything running. In their mind, everything is working. It appears that not much has to be done to keep things running, why would they spend more money on it?
How can companies providing cyber threat intelligence improve?
If there is a way to improve our field it is really just to work together as a community to make sure companies understand the value of cyber threat intelligence. I feel like we are doing a good job, but I feel that the industry isn’t ready for the message. These companies are being attacked left and right, and it feels like all we are doing is showing up and telling them they need to be doing security better. To actually translate everything that is going on, distill it and focus it on the company specifically is really the best approach. I am glad that SurfWatch Labs is going down this road. Showing companies why they need to care about this information that is being presented to them is very valuable.
I also think that internally, for our customers, we sit between business operations and the IT department. We aren’t just supporting IT security or just enabling compliance with the various IT regulations a business must adhere to. A Cyber Threat Intel Analyst should be assisting the translation between business units — and the various IT and cyber risks they face — and helping them understand sometimes how two separate threats are actually part of a larger threat against the company. I believe that is when we can really show our value.
For example, let’s say an attacker breaks into a company and steals credentials to the gaming platform that is hosted by that business. The network defense team should detect that and stop it. If a new attack is being used that has never been detected before and no signatures have been created for it yet, it’s possible the attack may go unnoticed. Soon after this undetected attack, separately, your cyber threat intel analyst discovers that someone dumped some credentials to your game on the dark web or is selling them. If that credential dump is only passed on to a third group such as customer service in order to reset accounts, but the network defense team isn’t made aware, then the source of the leak may not be plugged. Or if the developers are not notified, and the vulnerability came from a bug in the software that the company created, then again the problem will still be there.
What are some of the achievements cyber threat intelligence has accomplished. Is it changing the game?
It is changing the game for sure. Some of the big wins cyber threat intelligence has gotten comes from exposing malicious activity in general. When you can find those hidden gems and expose what is going on those are the big wins. Seeing the new carding efforts and all the things that are going into combating organized crime is very rewarding. The big ones are of course things like uncovering STUXNET, and all of the pieces that went along with that. The Mandiant APT1 report I think spawned a whole new movement with regards to CTI, some good some bad, but it got a lot of people to sit up and take notice, and that’s really what we want.
We talked about how new the field of cyber threat intelligence is, but that is also exciting. Being in a field with all of this different stuff going on makes cyber threat intelligence a very exciting field to be a part of and stay focused on. I look forward to the future.