Threat intelligence enables enterprises to better understand, detect and respond to threats. To mount a successful defense, enterprises need to know their enemies and anticipate their next move. So far, the defenders have been losing.
It’s become painfully clear that our cyber adversaries are moving and evolving more rapidly, sharing information more productively, and growing ever more successful in their attacks on the information security of both private industry and government. The enemy has great motivation: they steal information of significant value – financial and health records, credit card data, intellectual property, information on personnel, government secrets and more.
Name it: if the data has value, or could have value one day, there is a criminal organization out to grab it. Yet, when it comes to cybersecurity, most organizations are just doing what they think they need to do to get by.
It’s time for enterprises step up their game and match the abilities of their adversaries.
That strategy must include keeping patching up to date with a comprehensive vulnerability risk management program, classification of data and information systems and networks, segmentation, monitoring and continuous refinement as business demands and adversarial tactics change. And that’s exactly where threat intelligence can help. When done right, threat intelligence gives organizations actionable information about threats that target their industry or organization.
Enterprises need threat intelligence for many reasons. The most pressing is to identify attacks that are underway or about to occur. That’s why threat intelligence needs to be timely, accurate, relevant to the organization and actionable.
There’s no shortage of stories about insiders selling their employer’s proprietary information, only for the stolen information to end up circulating on the dark web. Sometimes this is intellectual property, such as source code. Other times, it’s attackers trading employee login credentials.
Think this is hyperbole? In the article Dark web hubs paying workers to leak corporate secrets, The Register finds on a private dark net “evidence of staff selling internal corporate secrets to hackers. In some cases staff even collaborated with blackhats to infect their company networks with malware. Staff at an unnamed bank were also found to be helping hackers maintain a persistent presence on their corporate networks.”
According to that story, clients could pay “a subscription of up to one bitcoin a month for access to allegedly vetted and accurate insider information which is posted in threads on the site, then cash in on the information they glean.”
In a more recent story, Hackers are selling access to law firm secrets on dark web sites, cybersecurity firm Q6 Cyber showed CNBC a forum post in Russian where the cybercriminal was offering access to a New York City law firm’s network and files, and was willing to send screenshots as evidence he had broken in. The price for access was $3,500.
The types of data necessary to spot pending attacks or increased risk due to externalities are impossible to identify when just looking at internal security information and event data. They won’t be found by monitoring sources such as security information and event managers, intrusion detection systems, identity access systems, anomaly detection or other internal security controls. And when enterprises monitor only internal sources, they can only respond to attacks already underway.
To head off threats by anticipating attacks before they occur, organizations need threat intelligence. They need to be aware of how geopolitical conditions are changing and placing companies at increased risk. They need to know, say, that executive statements at a conference caught the attention of activists online who are now threatening attacks. This way, they can anticipate and harden systems appropriately by monitoring chatter on the internet, newsgroups, chats, and hacker forums, among other sources.
Most enterprises realize they need threat intelligence to hold a proactive security posture. In a SANS Survey a few years ago, Who’s Using Cyberthreat Intelligence and How, 75% reported that cyberthreat intelligence is important to security, and many of those respondents use cyberthreat intelligence to some degree. But few gather threat intelligence from external sources, so the vast majority of enterprises don’t get the value they need from their efforts.
Still, that’s not stopping them from investing in threat intelligence. According to a 2019 Global Market Insights, Inc. report, the threat intelligence market is expected to grow to $13 billion in 2025, from $4 billion last year.
We’re going to provide an overview of threat intelligence best practices to help enterprises make the most of their threat intelligence. Best practices will help enterprises get to know their adversaries and their likely targets so they can identify threats before they strike.