
Turning data into threat intelligence

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 10 Mar 2017

Threat intelligence enables organisations to take a new approach to the defence of their networks. Traditionally, security solutions have tried to alert or respond based on pieces of code or signatures associated with malware, all of which are trivial for a motivated attacker to change.

In addition, threat intelligence offers more information and context around the cyber criminals themselves, and speaks to their motivations and goals, the techniques they use, and who they typically target. This helps the security community to start addressing security based on those factors to support and augment overall security practices.

So says Rebekah Brown, threat intelligence lead, global services at Rapid7, who will be presenting on 'threat intelligence' at the ITWeb Security Summit 2017, to be held at Vodaworld in Midrand from 15 to 19 May.

Brown defines threat intelligence as "analysed information about the capability, intent, and opportunities of cyber threats".

"It is a short definition but it covers a lot, everything from the goals and motivations of an actor to the capabilities and infrastructure that are used and what vulnerabilities they exploit or attack vectors they use. One of the key words in the definition is 'analysed', because a structured analytic process has to be applied to data before it can be considered intelligence."

As for what the industry as a whole, and businesses in general, are doing wrong with threat intelligence, Brown says there is a general misunderstanding of it, both of how it is generated and of how it should be used in network defence.

"We have a lot of threat data, and many different data points on attacks and one common problem is treating those discrete data points as intelligence when they haven't been analysed or validated. That type of data, when it is treated as intelligence, actually makes it more difficult to understand and respond to threats, rather than easier."

Moreover, she says there are many different ways that threat intelligence can be used in network defence. "It is not a one-size-fits-all approach. Intelligence can support incident detection, incident response, training and awareness, security architecture, and many other aspects of a security programme. There are different types of intelligence that will be most useful in the different applications."

Rebekah Brown, threat intelligence lead, global services at Rapid7.

So what should today's organisations be doing better? According to Brown, before implementing or purchasing any sort of threat intelligence, be it products, feeds, professional services, and suchlike, organisations need to understand what they are trying to accomplish and how success can be measured.

She says this will dictate which types of intelligence they need to focus on and will also help them understand whether or not things are being applied correctly so they can quickly correct their course if needs be. "There are many basic things that organisations can do that will help set them up for success, including things like developing a threat profile for the business and mining information from previous incidents to help understand the threats that they are facing."

Delegates attending Brown's talk will come away with a better understanding of threat intelligence, including how it is produced and the analytic process required to turn data into intelligence. "They will learn how to evaluate intelligence sources to find which ones will provide the most value to their organisations, and the different sources and methods required to apply intelligence to different aspects of their security program based on the threats that they are facing."
