In a world where cyber threats are constantly evolving, Threat Intelligence (intelligence about threats) is becoming more and more relevant. Understanding who consumes this information, and why it matters, helps shape an effective cybersecurity strategy. This article takes a comprehensive look at the spectrum of Threat Intelligence consumers, explains why this information is an integral part of today’s cyberspace, and shows how to make the most of Threat Intelligence to keep a business safe. Consumers of Threat Intelligence are organizations of all sizes and sectors, from small startups to large corporations. They include IT departments, cybersecurity teams, software developers and business leaders.
The main purpose of using Threat Intelligence is to identify, analyze and prevent potential cyber threats that could affect their operations and assets. The value of Threat Intelligence lies in its ability to provide detailed, up-to-date data on current cyber threats, including viruses, Trojans, phishing attacks and other cyber attack methods. This information allows organizations to stay one step ahead of attackers by adapting their defense strategies and increasing their cyber resilience. By analyzing Threat Intelligence data, companies can identify vulnerabilities in their systems, reduce risks and prevent potential incidents. Using this data also helps in developing more effective security policies and incident response procedures. In addition, in the context of regulatory compliance, Threat Intelligence can help organizations ensure compliance with laws and standards, particularly in the areas of data protection and cybersecurity. In conclusion, the growing dependence on digital technologies and the Internet makes Threat Intelligence a necessary tool for any organization seeking to protect itself from cyber threats.
Every two or three years, a new panacea appears in the world of “information security” that promises protection against cybercriminals and hacktivists, industrial espionage and APT attacks. All the installed systems are suddenly declared obsolete and hopelessly outdated, and it is proposed to replace them urgently. Not for free, of course. Queues form for the miracle cure, there are not enough licenses to go around, and then the salesman wakes up.
A similar situation now exists with Threat Intelligence. Very fashionable, dynamic and youthful, but suppliers, users and buyers often understand TI in completely different ways.
Let’s try to figure out what kind of mysterious beast it is, where it “jumped out” from so suddenly, why such intelligence is needed and who is interested in it, and whether it is possible to do intelligence work over a glass of your favorite beer.
Threat intelligence involves regularly and systematically gathering information about threats, refining and enriching that information, applying that knowledge for defense, and sharing it with people who can benefit from it. TI is more than a signature database for an IDS or a set of rules for a SIEM. TI is a set of processes with clear and (as far as possible) measurable owners, goals, requirements and deliverables. That is the sense in which TI is used in this article.
It must be said that until 2014 there was no threat intelligence. Of course there was, but that is the impression one gets from the topics discussed at the first conference of the Regional State Administration.
And then the real TI boom began! The list of companies and organizations offering to sell or share information about threats, attackers and malware now runs to 126 entries. And that’s not all. Three years ago, analysts at international research companies answered questions about the size of the TI market with: “Don’t worry! Such a market does not exist. There is nothing to consider.” Today they (451 Research, MarketsandMarkets, IT-Harvest, IDC and Gartner) estimate this market at one and a half billion dollars in 2018.
By understanding cybercriminals and their tools, tactics and procedures (TTPs), hypotheses can be quickly proposed and tested. For example, if a response team member knows that certain malware samples (which the antivirus has just found) are used to compromise administrative accounts, that is a very strong reason to check the logs and look for suspicious logins.
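The hypothesis-driven check described above, as an added example that is not part of the original article: a constructed TI entry says the malware family the antivirus flagged on one host is used for administrative-credential theft, so the script looks for admin logins from that host in constructed sshd log lines and reports how many failures preceded each success. The family name, hosts and log lines are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed TI entry (hypothetical family name and infected host).
TI_ENTRY = {
    "family": "ExampleStealer",
    "ttp": "admin credential theft",
    "infected_hosts": {"10.0.5.17"},   # host where the AV alert fired
}

ADMIN_ACCOUNTS = {"root", "admin", "backup-svc"}

# Constructed sshd lines in syslog format (not a real capture).
SAMPLE_LOG = """\
Mar 03 09:12:01 srv1 sshd[2101]: Accepted password for alice from 10.0.5.17 port 51000 ssh2
Mar 03 09:13:42 srv1 sshd[2109]: Failed password for root from 10.0.5.17 port 51002 ssh2
Mar 03 09:13:45 srv1 sshd[2109]: Failed password for root from 10.0.5.17 port 51002 ssh2
Mar 03 09:13:49 srv1 sshd[2109]: Accepted password for root from 10.0.5.17 port 51002 ssh2
Mar 03 09:20:11 db1 sshd[3300]: Accepted publickey for backup-svc from 10.0.9.4 port 40001 ssh2
Mar 03 09:25:30 db1 sshd[3311]: Accepted password for admin from 10.0.5.17 port 51010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>\S+)"
)


def parse(log):
    """Yield one dict per sshd login event; lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def suspicious_admin_logins(log, ti=TI_ENTRY, admins=ADMIN_ACCOUNTS):
    """Return (timestamp, host, user, failed_before) for each successful admin
    login whose source is a host the TI entry marks as infected.
    failed_before counts earlier failures from the same source for the same
    account, a hint that the credential was guessed rather than stolen."""
    failures = defaultdict(int)
    hits = []
    for ev in parse(log):
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            failures[key] += 1
        elif ev["user"] in admins and ev["src"] in ti["infected_hosts"]:
            hits.append((ev["ts"], ev["host"], ev["user"], failures[key]))
    return hits
```

The backup-svc login from 10.0.9.4 is deliberately not reported: the account is administrative, but the source is outside the TI-supplied scope, which is exactly the context that bare indicators lack.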
For example, the probability of exploitation of a particular vulnerability in a particular information system may be low even though its CVSS score is high (in CVSS v3, incidents were taken into account and probability scores were brought in). Therefore, it is important to consider the accepted threat model, the state of the infrastructure and external factors.
In 2015, the SANS Institute conducted a cross-industry survey of TI consumers with 329 respondents from North, Central and South America, Europe, the Middle East and Australia. According to this study, TI customers report positive changes in several information security (IS) areas after implementing TI processes.
According to this study, the forms of adaptation are very different.
Only in 10% of cases do organizations have no plans to develop cyber threat intelligence within the company, or are unaware of such plans.
Globally, there are two types of TI – strategic and tactical (or “technical” – as you like). They are very different both in results and in ways of using these results.
In order not to write a boring wall of text, we collected all consumers in one table. In each cell, groups of consumers and the results that may be of most interest to them are indicated.
The same set of TI deliverables may appeal to different target groups. For example, “Tools, Software, and Attack Rail” sits in the “Technical” field of the table, but it would of course also be of interest under “Tactics”.
However, there is another party interested in receiving information from the organization: its partners. Attackers often go after the target’s contractors or partners instead, hoping that their defenses will be easier to overcome and will give access to the target’s information resources. Therefore, it makes sense to organize an exchange of information about attacks and threats between partners.
A large number of CSI publishers and open source project contributors regularly provide indicators, signatures and attack detection rules for firewalls, anti-virus software, IPS/IDS and UTM devices. In some cases this is raw data; in others it is supplemented with a risk or reputation assessment. Threat indicators are important at the technical level of TI, but they often provide no context for incident response.
Technology vendors and IT companies provide their threat data feeds. These include validated and prioritized threat indicators, as well as technical analysis of malicious code samples, information on botnets, DDoS attacks and types of malicious activity, and tools. Often these feeds are supplemented with statistics and predictions: for example, “Top 10 Encryptors” or “List of the largest botnets”, etc.
The main disadvantages of these feeds are a lack of industry or regional specificity and little value for TI users at the strategic level.
Few companies offer truly comprehensive TI: validated, consumer-relevant threat indicators, threat data feeds, and strategic TI.
This usually includes:
Checked and marked (tagged) threat indicators.
Detailed technical analysis of attack tools.
In-depth research of the adversary, supplemented by information from “underground” sites and private sources.
Assessment of the threat landscape for the industry and individual enterprise.
Assistance in the development of requirements for TI.
TI specially prepared for users at different levels within the same organization.
Aristotle said so. And for security practitioners, communication is a way to join forces against attackers. There is even a more or less well-known English term: beer intelligence. This is when the “scouts” meet and share their findings and suspicions in an informal setting. So, yes, you can also pick up some intelligence over a beer.
The fourth element of the TI definition, “sharing it with those who may benefit from it,” is about information exchange. It can be organized not only directly between security teams (a B2B, security-to-security scheme), but also through a trusted third party that collects, verifies, anonymizes and distributes threat information to all community members. Such communities are supported by government or public organizations (e.g. CiSP), volunteers (Vulners) and commercial companies (AlienVault Open Threat Exchange).
So should you implement threat intelligence processes in your organization? It is worth it only if you know: 1) where to apply TI and how to evaluate its results; 2) how TI helps information security processes; 3) who will answer the questions posed to the “scouts”; and you are able to formulate the requirements for TI.