How to derive true value from actionable threat intelligence


Intelligence has long been a prized asset for organisations, governments and armies. In the past, it’s what won wars: just look at the crucial role of the code-breakers of Bletchley Park. But today, IT teams are swamped by the sheer volume of threat intelligence they receive, and they cannot do much with it. We must therefore focus not on gathering intelligence per se, but on ensuring it is actionable and relevant.

That means moving beyond industry hype to redefine what matters most to stretched threat teams protecting their organisations on the front line: quality over quantity.

The media is rife with stories of security and data breaches and online attacks causing major service outages. A UK government report from April 2018 suggested 43% of organisations had experienced a cybersecurity breach or attack in the previous 12 months, but even these figures could be an underestimate.

In the meantime, big-name brands continue to suffer the consequences of inadequate threat intelligence. Over the past few months alone, we’ve heard of a huge database breach at Marriott International affecting half a billion customers, a similar raid on over nine million Cathay Pacific customers, and a digital skimming campaign which has compromised card data from hundreds of e-commerce websites around the world.

These are just the tip of the iceberg. According to NTT Security’s 2018 Global Threat Intelligence Report, based on data from over 6.1 trillion logs and 150 million attacks, there was a 350% increase in ransomware detections alone over the previous year. The finance sector was the biggest target for attacks, suffering 26% of the total spotted during the period, although it certainly wasn’t the only industry in the firing line.

In response to the growing cybersecurity risk facing organisations, the threat intelligence market has expanded rapidly over recent years. A simple Google search will reveal hundreds of providers crowding the space. Yet whatever the marketing hyperbole may have you believe, 98% of them are selling the same type of product/feed.

This kind of off-the-shelf threat intelligence is available to any organisation prepared to pay. But it’s not necessarily effective. The type of cyber intelligence required by an oil and gas company might be very different to that which a financial institution finds useful, for example. No two organisations are the same.

To become relevant and actionable, intelligence must be customised. It’s not just a case of switching on a few threat data feeds. Intelligence needs to be developed over time, with human expertise playing a key role in this. It is an intelligence-driven holistic security process that may result in a few mistakes along the way, but that shouldn’t distract you from the ultimate goal.

Here are five steps to attain the ‘Holy Grail’ of actionable intelligence:

  1. Business and risk alignment: This is about understanding the mission, scope and authority needed to mitigate risk.
  2. Visibility: Define the visibility required to achieve mission readiness.
  3. Content: Build enablement for detection — including use cases, situational awareness, and baseline.
  4. Security operations: Respond, contain and hunt to achieve the mission of rooting out known and unknown threats.
  5. Applied intelligence and analytics: Analyse, attribute and predict the threat to refocus the mission.

The key is to first understand what your organisation’s key assets or “crown jewels” are via a risk analysis. Then it’s all about filtering out the “noise” to prioritise intelligence relevant to your business. We can then move forward to proactively hunt for threats, map attack patterns and outline the black hats’ tactics, techniques and procedures (TTPs).

You are then in a position to pre-empt the bad guys. That’s the true value of actionable threat intelligence.

By Azeem Aleem, Vice President Consulting at NTT Security.