Aleksey Lapshin
In the digital era, information is at the heart of everything. The more information you have and the sooner you can obtain it, the more competitive you will be. This is also true in cybersecurity, where timely intelligence can provide you with a robust defense against both emerging and well-known threats.
Because of this, organizations have developed the intelligence-driven cybersecurity strategy, a data-driven approach to cybersecurity that utilizes insights from a wide range of internal and external sources to identify and reduce cyber risks.
Intelligence-driven cybersecurity involves collecting, analyzing and interpreting data from security logs, incident reports, threat intelligence feeds and other sources to gain visibility into the threat landscape and the organization's security posture.
How Threat Intelligence Can Bolster Cybersecurity
Organizations often rely solely on internal sources of threat intelligence, such as security logs and incident reports, but this can be risky, as internal sources may miss emerging and unforeseen threats.
External threat intelligence products, such as feeds and centralized databases, can help organizations address this gap by providing them with insights into the latest threats, attack vectors and tactics used by adversaries. External threat intelligence can be obtained from a variety of sources, including:
• Commercial Threat Intelligence Vendors: These vendors collect and analyze data from a variety of source—including the dark web, social media and public databases—to identify and track emerging threats.
• Open-Source Intelligence (OSINT): OSINT is publicly available information that can be collected and analyzed to gain insights into threats and adversaries. OSINT sources include news articles, blog posts, social media posts and malware repositories.
• Information Sharing And Analysis Centers (ISACs): ISACs are forums where organizations can share threat intelligence. ISACs typically focus on a specific industry or sector, such as healthcare or financial services.
A solid approach to collecting threat intelligence should include a diversity of sources, each with its own strengths and weaknesses. For example, threat intelligence supplied by malware sandboxing solutions, a type of commercial vendor, can provide organizations with several unique benefits, including:
• Analysis Of Malware And Phishing Campaigns: Unlike antivirus solutions, malware sandboxes comprehensively analyze every file and link uploaded by their users, revealing indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs). They then make their threat intelligence available via threat intelligence feeds or searchable repositories, enabling analysts to learn about threats without manual analysis.
• Early Warning Of Emerging Threats: Threat intelligence from malware sandboxes contains information on the latest malware variants, as sandboxes receive a constant stream of fresh uploads from users around the world. This early warning enables organizations to take proactive steps to mitigate and respond to emerging threats.
Common Threat Intelligence Use Cases
Once the relevant information has been gathered, threat intelligence can be applied across a variety of scenarios, including:
Quicker Alert Triage
Security operations (SecOps) teams are responsible for dealing with a high volume of security alerts daily. The alert remediation process largely depends on the analyst's ability to understand the alert they encounter. Threat intelligence provides context to quickly triage alerts, determining which ones pose a real threat and which can be safely dismissed.
For example, a SecOps team may receive an alert that a new malware has been detected on the network. The SecOps team can use a threat intelligence service to learn more about the malware, such as its capabilities, targets and known indicators of compromise (IOCs) to then implement adequate security measures.
Proactive Threat Hunting And Remediation
Threat intelligence is useful for proactively hunting threats and remediating them before they cause damage. For instance, a SecOps team can use threat intelligence to identify malicious IP addresses of malware campaigns targeting companies in their industry and block them from accessing their network, preventing any potential attacks.
Timely Vulnerability Identification And Remediation
Organizations can use threat intelligence to find new vulnerabilities in their software and systems. This information can then be used to patch the vulnerabilities and prevent attackers from exploiting them.
Challenges When Implementing Threat Intelligence
The successful utilization of threat intelligence requires a thorough understanding of potential challenges that may arise in the process and effective measures to counter them. These include:
False Positives
Threat intelligence solutions, particularly those that rely on automated algorithms, may generate large volumes of false positives, leading to erroneous flagging of legitimate events as malicious. These false positives can be caused by factors such as data inaccuracies, misinterpretations of threat indicators and oversensitivity of detection mechanisms.
To effectively address this issue, organizations need to implement a robust validation process that involves cross-referencing threat intelligence data with multiple sources and human review to manually filter out false alarms.
Limited Context
While external threat intelligence provides valuable insights into broad cybersecurity trends, it often lacks the depth and context needed for a comprehensive view of the nuance of different malware or vulnerabilities.
To better understand how various threats operate, security teams need to enrich their existing intelligence with the results offered by additional tools.
Training
Successfully leveraging threat intelligence to enhance cybersecurity takes a team of proficient security personnel who can navigate the complexities of the ever-changing threat landscape and effectively manage threat data.
Although the training process is a multifaceted endeavor, developing a structured framework that outlines the processes for collecting, analyzing and utilizing threat intelligence can greatly facilitate it. This framework should align with the organization's overall cybersecurity strategy and risk management practices.
Conclusion
Organizations can only know so much of the threat landscape by understanding what happens within the scope of their company. In order to gain a broader view, an intelligence-driven approach pulls in insights from the broader community and the industry at large.
To succeed with an intelligence-driven approach, organizations should understand both the use cases and challenges of working with external sources and the requisite tools. If done correctly, the organization can better barricade itself from the ever-rising swarm of cyber threats.
No comments:
Post a Comment