Thwart network intrusion attempts with threat intelligence

Threat intelligence is created when a series of pieces of raw data are analysed to give a more complete image of the big picture, says Gregory Anderson, country manager at Trend Micro SA.

Although threat intelligence is by no means a revolutionary or new concept, many organisations still do not implement it internally. With a good understanding of threat intelligence, and by applying it, companies can prevent intrusion attempts and better safeguard their network and data.

Threat intelligence refers to information about potential adversaries and their behavioural patterns. It is created when a series of pieces of raw data are analysed to give a more complete picture of the activities occurring within your business landscape. Effective threat intelligence will help you determine not only where an attacker has already been in a network, but also where he/she is likely to go and how he/she will get there.

"Raw data without intelligence is of limited value to assist in the mitigation of risk," states Gregory Anderson, country manager at Trend Micro South Africa. "To detect an adversary in a network, an analyst needs to know what to look for, which is where threat intelligence comes into play.

"Once an attacker infiltrates a network, understanding his/her tactics, techniques and procedures (TTPs) can spell the difference between quick successful detection and years of undetected data exfiltration. It is this difference that confirms the necessity of threat intelligence," he says.

An organisation can obtain external threat intelligence in two ways - partnering with a threat intelligence provider or utilising automated software. Threat intelligence providers have skilled employees who understand threat actors and TTPs, and typically provide their clients two deliverables - reports and feeds.

Reports typically focus on a single subject while feeds are sources of data that can typically be included in automated network defences. Supplied by security vendors, enterprise-quality products are kept updated with the latest threat indicators that can also help protect networks.

Whether an organisation contracts a vendor or not, if it has the opportunity, it should still set up its own internal threat intelligence group (ITIG). An organisation's ITIG will be responsible for monitoring the Web for any reference to the company and for researching any group or "actor" they believe may be a threat.

Another way to thwart network intrusion is through penetration testing. If an organisation is not part of an industry that is required to conduct regular penetration tests, it should consider doing so. Penetration testing can help identify areas in the network that need to be improved and patched.

"Today, business needs to be one step ahead of attackers, putting systems in place that not only clean up the mess they leave in their wake, but that are able to prevent their entry altogether. Threat intelligence is one of these areas where we can play an active role in curbing threats to our business and at the same time ensuring we are able to keep closer guard of our data," ends Anderson.

Trend Micro

Trend Micro (TYO: 4704), a global leader in security software, strives to make the world safe for exchanging digital information. Trend Micro's solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. Trend Micro enables the smart protection of information, with innovative security technology that is simple to deploy and manage, and fits an evolving ecosystem. Leveraging these solutions, organisations can protect their end-users, their evolving data centre and cloud resources, and their information threatened by sophisticated targeted attacks.

All of the solutions are powered by cloud-based global threat intelligence, the Trend Micro Smart Protection Network, and are supported by over 1 200 threat experts around the globe.

For more information, visit www.trendmicro.com.

Editorial contacts

Charlene Carroll
Anti-Clockwise
(+27) 11 314 2533
Charlene@anticlockwise.co.za