Threat Intelligence - Friend of the Enterprise | Optiv
November 08, 2013
Threat Intelligence: What is it, how do I get it and how do I use it?
Many organizations know that to protect their resources, they need to have the people, processes and technology in place to do so. However, many of these same organizations do not understand the impact that applicable Threat Intelligence can have on their environment.
So, what is the effect that Threat Intelligence can have in assisting to secure the enterprise? To answer that question, an organization needs a comprehensive understanding of what Threat Intelligence is beyond external “feeds.”
To start with, Threat Intelligence is the gathering of information or raw data that has been analyzed for its usefulness and applicability to the friendly or hostile environment and disseminated to those in need.
While it is useful for an organization to have external feeds fed into the security program, what does that information truly provide the enterprise? Is the feed truly applicable to the organization? This type of regurgitated information is most often no more useful than the 24-hour news cycle one finds on cable news. Sure, it’s good to know, but what can I do with it?
Now, when that information is analyzed, in corroboration with in-house data taken from all of the differing network security solutions and devices, it can be used to provide localized threat identification, assist in remediation and countermeasures for critical infrastructure and enhance overall security posture for the organization.
Further, we need an understanding of traditional intelligence and how the threat environment has been changing.
Intelligence Across Historical Domains
Post World War II, the intelligence apparatus was centered on the Soviet Union and its allies in what became known as the Cold War. At this point in time, there was a concentration of efforts at the strategic level. Efforts focused on the nuclear arms race, large-scale force-on-force conflicts and strategic targets of high populations. As the Cold War was coming to an end, the focus of intelligence efforts shifted to that of counterterrorism. The use and methodologies of intelligence analysis have evolved over the past 20 years, with attacks against the World Trade Center in 1993, embassy bombings in Africa, the attack on the USS Cole, the September 11 attacks and the subsequent 12-plus years of conflict in the Middle East. During this time, targets of intelligence efforts evolved from strategic placement of forces and weapons to the tactical approach of targeting individuals, small cells and networks.
Weaponry has shifted from ballistic missiles to small arms, and targets of attack are no longer large scale, force-on-force confrontations, but soft, often not defended targets of opportunity. With this shift, the intelligence effort has also moved from large, conventional, uniformed forces to increasingly autonomous and anonymous small networks or cells.
In the same way the counterterrorism effort is focused on individual trends and incidents, so too is the cyber front. Intelligence gathering efforts are focused on individuals, cells, networks and states with information warfare capabilities. Perpetrators are anonymous and have to be identified via their tactics, techniques and procedures. The targets of attack can be either opportunistic or deliberately selected based on the intent of the attacker, and can range from insecure workstations and entire networks to websites, servers housing proprietary or sensitive data, and critical infrastructure.
It is within this realm of intelligence analysis that organizations can benefit by having a Threat Intelligence capability that is able to research, analyze and produce actionable intelligence to enhance the security of the enterprise, combining both external, commercial feeds and corporate data analysis.
In the Art of War, Sun Tzu writes, “If you know the enemy and know yourself you need not fear the results of a hundred battles.” Threat Intelligence is the one factor in a security program that can accomplish both of these requirements.
To start, an organization needs to know itself. This can be done in an intelligence-driven process known as Intelligence Preparation of the Battlefield (IPB). IPB, according to Army Field Manual FM31-130, is a systematic, continuous process of analyzing the threat and environment in a specific geographic area. Its applicability to Threat Intelligence is to identify high-value targets, both personnel and hard assets, or an organization’s critical information assets.
Conducting periodic security assessments and structured vulnerability scans, and proactively monitoring social network accounts and the content disclosed on them, allows for the identification of vulnerabilities in critical infrastructure and of how the organization might fare against social engineering attacks.
This information is useful in establishing the digital footprint of the organization, as well as being able to provide hardening against the discovered vulnerabilities. The strength of an organization’s security posture relies upon the intelligence it has about its own network and environment to counter the threats and vulnerabilities that exist.
For a Threat Intelligence capability to be effective, there needs to be the functional fusion of intelligence and operations, which can only be accomplished through communication. Channels of communication should be opened up to internal IT staff, the executive staff, the user base and external sources. Enhanced communication allows for greater collection of information and data, more in-depth analysis and trusted dissemination.
Direct communication with internal IT staff allows the intelligence function to gain critical data on successful and attempted exploits, gathering data on attackers’ tactics, techniques and procedures, while also providing assistance with remediation and the hardening of attacked or exploited assets.
Additionally, by having a conduit to executive staff, knowledge of upcoming shifts in operations, personnel and locations can be captured, and a strategic assessment of how this could affect the threat footprint can be made. For example, if a new product is being designed or a new location is to be opened, there are several different threats that can expose the corporation to espionage or geography-specific threats. These threats can be predicted, and countermeasures can be prepared and disseminated to reduce the likelihood of compromise.
The insider threat is one that exists in every organization, regardless of size or the scope of the security program. Leveraging Threat Intelligence, with open lanes of communication between the user base and the intelligence organization, allows for enhanced training and situational awareness through security alerts and bulletins as current and emerging threats are discovered.
Finally, the Threat Intelligence function should have access to external sources for information sharing and research purposes.
The intelligence function of an organization - whether traditional military intelligence, business or competitive intelligence or cyberthreat intelligence - should be based on a repeatable process known as the intelligence cycle.
The four elements of the intelligence cycle are requirement, collection, analysis and dissemination. This tried-and-true process is applicable throughout any intelligence effort.
- Requirement - a question that needs an answer or a need by an individual or organization.
- Collection - the process of gaining the information or data needed to answer the requirement. This is the research conducted via various sources of information, both internal and external, that brings back that raw data.
- Analysis - digging into that raw data or information that has been collected to determine if it is applicable to the organization or environment. It is the analysis that corroborates the data and delivers actionable recommendations to be implemented or carried out.
- Dissemination - the analysis is useless to the enterprise if it is not actionable and easily disseminated to those that can act on it.
Proper dissemination of actionable intelligence is the aspect that provides the most usefulness to the organization and is what truly enhances the security posture of the enterprise. Threat reports of known bad actors and their tactics, techniques, and procedures can lead to enhanced protection prior to an attack or quicker identification, mitigation, remediation and recovery if an attack is occurring.
Researching, compiling and disseminating lists of malicious sites and IPs that can be added to security and monitoring tools will allow for proactive hardening of the network and infrastructure. Performing analysis against historic network traffic and security incidents can lead to the identification of persistent attacks against the enterprise and provide for predictive analysis on what the enterprise might be facing in the next 60-90 days.
To push this actionable intelligence to the proper people, there should be an open repository for finished intelligence products to be placed and accessed by the security organization, such as a portal or internal web page. Company-wide distribution lists should be created to push security alerts and bulletins to the user base in a quick and efficient manner.
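The cycle above, and the earlier point that a feed only becomes useful once it is corroborated against in-house data, can be shown end to end in code. The following script is an added example and not part of the original article or any Optiv tool: it takes a constructed external indicator feed (collection), matches it against constructed proxy/firewall log lines in a hypothetical "timestamp source destination hostname action" format (analysis), ranks the indicators by what actually reached the network, and renders a short bulletin suitable for posting to an internal portal or distribution list (dissemination). Feed entries with no local sightings are listed separately, so the output distinguishes localized threats from feed noise. All indicator values and addresses are documentation ranges or invented labels.

```python
"""Correlate an external indicator feed with in-house logs and produce a bulletin.

Added example; the feed, log format and log lines are constructed for
illustration and are not real data.
"""
from dataclasses import dataclass, field

# Constructed external feed: "type,value,label" per line (not a real feed).
EXTERNAL_FEED = """\
# type,value,label
ip,198.51.100.23,known-c2
domain,bad.example,phishing-kit
ip,203.0.113.77,scanner
domain,update-check.example,malware-download
"""

# Constructed in-house log lines (hypothetical format):
# "<timestamp> <source-ip> <destination-ip> <hostname-or-dash> <ALLOW|DENY>"
INTERNAL_LOGS = [
    "2013-11-01T08:12:01Z 10.1.4.22 198.51.100.23 - ALLOW",
    "2013-11-01T08:12:05Z 10.1.4.22 198.51.100.23 - ALLOW",
    "2013-11-01T09:30:44Z 10.1.7.8 93.184.216.34 www.example.com ALLOW",
    "2013-11-02T13:02:10Z 10.1.4.22 192.0.2.9 bad.example ALLOW",
    "2013-11-03T22:47:51Z 10.1.9.101 203.0.113.77 - DENY",
]


@dataclass
class Sighting:
    """What in-house data says about one feed indicator."""
    label: str
    total: int = 0          # all log lines touching the indicator
    allowed: int = 0        # lines where the connection was permitted
    hosts: set = field(default_factory=set)  # internal sources involved
    first_seen: str = ""
    last_seen: str = ""


def parse_feed(text):
    """Return {indicator_value: label}; comments, blanks and unknown types are skipped."""
    feed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or parts[0] not in ("ip", "domain"):
            continue
        _kind, value, label = parts
        feed[value.lower()] = label
    return feed


def parse_log_line(line):
    """Split one constructed log line into its fields."""
    ts, src, dst, host, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "host": host.lower(), "action": action}


def correlate(feed, logs):
    """Analysis step: count every local sighting of every feed indicator."""
    sightings = {ind: Sighting(label) for ind, label in feed.items()}
    for line in logs:
        rec = parse_log_line(line)
        # A line can match on destination IP or on hostname; use a set so a
        # line matching both is counted once.
        for ind in {rec["dst"], rec["host"]}:
            s = sightings.get(ind)
            if s is None:
                continue
            s.total += 1
            if rec["action"] == "ALLOW":
                s.allowed += 1
            s.hosts.add(rec["src"])
            if not s.first_seen or rec["ts"] < s.first_seen:
                s.first_seen = rec["ts"]
            if rec["ts"] > s.last_seen:
                s.last_seen = rec["ts"]
    return sightings


def prioritize(sightings):
    """Indicators with local activity, most urgent first (allowed hits, then volume, then spread)."""
    seen = [(ind, s) for ind, s in sightings.items() if s.total]
    seen.sort(key=lambda kv: (-kv[1].allowed, -kv[1].total, -len(kv[1].hosts), kv[0]))
    return seen


def unseen(sightings):
    """Feed indicators with no corroborating in-house data."""
    return sorted(ind for ind, s in sightings.items() if not s.total)


def render_bulletin(sightings):
    """Dissemination step: a plain-text bulletin for a portal or distribution list."""
    lines = ["Localized threat bulletin (feed indicators corroborated with in-house logs)"]
    for ind, s in prioritize(sightings):
        lines.append(
            f"  {ind} [{s.label}]: {s.total} hit(s), {s.allowed} allowed, "
            f"from {len(s.hosts)} internal host(s) {sorted(s.hosts)}, "
            f"{s.first_seen} .. {s.last_seen}"
        )
    quiet = unseen(sightings)
    lines.append(f"  No local activity for {len(quiet)} feed indicator(s): {', '.join(quiet)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_bulletin(correlate(parse_feed(EXTERNAL_FEED), INTERNAL_LOGS)))
```

The ranking deliberately puts permitted connections above denied ones: a denied probe from a scanner is worth knowing, but an internal host that successfully reached a known command-and-control address is the item the IT staff need first. In a real deployment the two constructed inputs would be replaced by the organization's actual feed parser and log source, and the bulletin would be placed in the repository described above rather than printed.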
Intelligence has been a key component used to combat threats and adversaries since warfare began, and the information security battlefield is no different. As threats have evolved and as the information age has expanded, the need for Threat Intelligence beyond a generic feed is of utmost importance for the overall protection of the enterprise.
With a well-established Threat Intelligence component incorporated as part of the security program - one that can communicate with all aspects of the organization and provide analyzed, actionable intelligence to those in need - the enterprise need not fear the result of a hundred battles.