The concept of cyber threat intelligence is really not much different from other areas of the intelligence field. In national security, intelligence gathering techniques seek to detect potential situations and draw conclusions that enable people to take action before anything serious occurs. Similarly, cyber threat intelligence is only one tool in a complete security arsenal.
- What is threat intelligence?
- Stopping advanced persistent threats
- Advanced threat analytics
- Tools and products
Used well, threat intelligence can warn companies that the bad guys are active inside their network and what they are looking for – the kind of "advanced persistent threat" that can cause great damage to an organization. Threat intelligence points out unusual patterns to look for in systems and other valuable data. But it won't stop an attack. That takes human intervention and the deployment of the right technology tools to block or at least mitigate an attack.
But as time goes on, the potential threat vectors are multiplying: servers, desktops, laptops, mobile devices, and now the Internet of Things (IoT), which could open enterprises to attacks via innocuous objects such as thermostats and a myriad of other devices that contain sensors and processors.
"Every device large or small becomes a source for cyber threat intelligence," said Peter Tran, senior director of Worldwide Advanced Cyber Defense at RSA Security. "With the Internet of Things projected to grow to over 50 billion connected devices by 2020, there is a real challenge ahead in terms of structuring effective threat analysis across massive volumes of smart connected devices."
One of the problems of the modern IT security world is the quantity of labels used to describe a technology. There is threat intelligence, advanced threat detection, and security analytics, to name a few. So what is it exactly?
"Cyber threat intelligence can be defined one way and another will define it differently, depending on who is using it and what solutions they provide," said Sheldon Hogarth, vice president of Business Development at Massive Alliance.
Hogarth prefers to exclude internal threats and focus on what's being initiated outside of the digital infrastructure. His company, for example, offers hacker monitoring, Dark Web monitoring, chatter interception, threat actor profiling, track and capture, data dump analysis, malware testing communities and black market observation.
So let's attempt to define what cyber threat intelligence includes and what it doesn't.
Brian Jack, chief information security officer at KnowBe4, breaks it down into its parts:
- Cyber – anything related to computers and the internet
- Threat – people or things likely to have intent to cause damage
- Intelligence – acquiring and applying knowledge or skills. Intelligence can also be defined as the collection of information of value
"Cyber threat intelligence is the collection and application of relevant and valuable information relating to cyber threats," said Jack. "Analytics may take intelligence as an input and give you more valuable intelligence as output."
Detection methods then make use of intelligence, and based on determination and classification of data, could result in additional intelligence. But detection is a different field of security.
Others favor a stricter definition. Jacob Williams, founder of Rendition Infosec and a SANS Institute security instructor, insists that it is all about applying the standard intelligence lifecycle to the cyber domain. That means, he said, using intelligence collection, processing and exploitation, analysis, and dissemination to gain insight about threats to the organization that exist in the cyber domain.
"If you're not using models (like the cyber kill chain and the diamond model) and processes (like analysis of competing hypothesis), then you're not doing good cyber threat intelligence," said Williams.
Free Security Resources
Detect and Investigate Malicious IP Activities in SIEM with Predictive Threat Intelligence
You already know how good Splunk is at correlating and analyzing operational data. But did you know that when you combine real-time, predictive threat intelligence with your IP logs, Splunk can actually alert you to perimeter attacks and accelerate the discovery and response to advanced online attacks?
- Continuously monitor and analyze over 4.3 billion IP addresses and affiliated IPs, URLs, files and mobile apps for highly accurate, actionable, real-time intelligence
- Identify IPs with a history of malicious behavior and predict which IPs pose a greater risk of a future attack
- Integration is fast, easy and will help your SIEM deliver greater depth and security insight into threats than you ever imagined possible
He said that as so much of this area is analyst dependent, it is critical to use structured models to show academic rigor. Structured models also improve process standardization across teams.
The point is that threat intelligence is not just about buying a subscription into one of the many threat indicator feeds and applying those indicators in your environment. While that is part of the overall function, Williams said cyber threat intelligence is about applying the entire intelligence lifecycle.
Cyber threat intelligence is no panacea for all security ills. But it is particularly useful for advanced persistent threats (APTs). These are attacks where an unauthorized individual gets inside and sits tight for some time. This person wants to remain hidden, and gradually initiate an attack that steals sensitive data or gains access to funds.
"APT attackers have a high dwell time in networks and tend to reuse tools across intrusions," said Williams. "By observing the data from an intrusion in one organization's network, another organization can benefit by searching for those same indicators of compromise (IOCs)."
Short lived, drive-by style attacks (like ransomware), on the other hand, probably won't benefit as much from advanced threat analytics. Why? Attackers know that security software will move to block malicious IP addresses and domains quickly. So their campaigns with any specific malware variant are generally measured in short time periods – as little as minutes to hours. Cyber threat intelligence can't move fast enough to operationalize this data in most cases.
Regardless of the nuances of definition, there are certain key elements of a successful advanced threat detection program. These include:
- The ability to rapidly extract text-based content from chatter, publications and data repositories across all open source locations, TOR, I2P and data warehouses.
- Strong machine learning and filtering capabilities to sift through millions of pieces of data simultaneously and in as many languages as must be covered.
- Quality control and removal of false positives.
- Human Intelligence support to rapidly engage, verify and clarify a threat once detected through automation. This is where the skilled analyst comes in.
- Integration with a wide variety of popular, established security platforms such as Security Information and Event Management (SIEM).
Automation and information sharing, then, are vital components of the technology.
"Automated mitigation functions like process stopping, user quarantining and IP blocking come in the form of orchestrating processes which support threat investigation and hunting," said Joseph Blankenship, an analyst at Forrester Research.
The sharing side is one that is certainly gaining traction. One recent survey found that 76 percent of IT security pros believe that threat intelligence sharing is a moral responsibility.
Blankenship said this cooperative sharing has risen from necessity. Managed security service providers (MSSPs), for example, often talk about the "neighborhood watch" benefit of their services. The idea is that if they observe malware or malicious behavior in one customer, the MSSP can develop detection and protection for all of their customers to block the threat. Similarly, threat intelligence sharing services and feeds provide greater visibility into the threats that individual companies are seeing. And vendors are opening up their platforms for bi-directional data sharing via APIs.
"This reduces the analyst workload, making it faster for security pros to take action," said Blankenship.
For an in-depth look at the threat intelligence market, see top 8 threat intelligence companies.
Indicator feeds and threat intelligence platforms (TIPs) form the backbone of threat intelligence operations. Threat indicator feeds amount to the actual threat data (malicious IP addresses, domains, file hashes, etc.) that the threat intelligence team will consume from external parties and search for in their own network. The TIP, on the other hand, is a software platform for analyzing these threat feeds. Some TIPs can help analysts enrich data through transformations (such as automatically obtaining registration data for a malicious domain).
"Threat intelligence platforms take advantage of security technologies such as SIEM, log management, identity and access management, security and vulnerability management, incident forensics and others," said Mohit Shrivastava, information security analyst at MarketsAndMarkets.com.
Some of the products in this field are:
- IBM X-Force
- Anomali ThreatStream
- Palo Alto Networks AutoFocus
- RSA NetWitness
- LogRhythm Threat Lifecycle Management
- FireEye iSIGHT
- LookingGlass Cyber Solutions
- AlienVault Unified Security Management
FireEye believes the goal is not only to spot and block incursions but to reduce overall security risk. This means it must be addressed tactically, operationally and strategically.
"True cyber threat intelligence enables better strategic decision making, reduces operational chaos, and expands the effectiveness of your broader security infrastructure," said Nick Rossmann, FireEye iSIGHT Intelligence Senior Manager for Production.
He advocates TIP, security orchestration and SIEM as essential support elements to cyber threat intelligence. Security orchestration builds intelligence into a workflow that drives an intelligence-led security practice, making it the default method of handling cases and incidents. This cuts down on confusion and risk by automating the addition of context and prioritization. SIEM backs this up via the correlation of intelligence with alerts across the network in order to facilitate the detection and understanding of security events.
"TIPs enable an organization to aggregate and merge multiple threat intelligence sources into a single place, then feed that intel into their different technology systems," said Rossmann. "They also provide a method to pivot to related intelligence from an alert and provide metrics on how those different sources were used in your environment."
Open source threat intelligence
Although there are many proprietary threat intelligence platforms available, Shrivastava noted that security vendors such as Palo Alto Networks, AlienVault, and Anomali offer open source threat intelligence tools. Tran of RSA concurs.
"The technology backbone for cyber threat intelligence doesn't rest with just one solution but can be a mix of open and/or proprietary sources," said Tran.
Williams goes so far as to recommend that organizations try an open source TIP before investing in a commercial offering.
"Find out what features you really need, what you don't, and then shop for a platform," he said. "Focus on people and process first and then adopt technologies that effectively augment their workflow."
Avoid technology overreliance
Study after study points out that too many organizations are over reliant on threat intelligence tools or feeds and lack the in-house skilled security analysts and data scientists to effectively harness the information. As a result, most enterprises fail to use threat data effectively to pinpoint cyber threats.
Advanced threat detection, then, must encompass cyber threat intelligence training, as well as the hiring of top talent.
"Cyber threat intelligence must be supported minimally by certified data analysts who are familiar with a wide range of open source investigation tools, data logic and investigatory skills," said Hogarth. "The goal is to view and intercept threats in near real time by seeing them through the threat actor's eyes."
His company, Massive Alliance, has all its senior analysts certified through UK's MI5. Williams of Rendition Infosec advised those seeking to improve their advanced threat analytics effectiveness to look for security and technology certification, academic rigor and real-world results.
"Just as a good rifle makes some soldiers deadlier than others, so do cyber threat intelligence tools," said Williams. "Technology enables the mission, but people and process make it happen."