
Do you need a threat hunter?

Sadly, a threat hunter is not the Indiana Jones of the IT department. Instead, threat hunting entails using threat intelligence from a variety of sources to proactively defend your company networks and data.


Johannesburg, 25 Apr 2019
Jim Mozley, EMEA Strategic Engagement Team Manager, Infoblox.

The exchange and use of threat intelligence to identify potential cyber threats and protect the business against them has grown steadily since 2015, according to the Third Annual Study on Exchanging Cyber Threat Intelligence: There Has to Be a Better Way by Ponemon Institute.

However, the study also revealed barriers to the use of threat intelligence, which may be hindering its adoption rate and efficacy in countering cyber attacks. Firstly, companies are wary about who they share threat intelligence with, and secondly, they're often unable to efficiently process the large quantities of threat intelligence data that they acquire.

Jim Mozley, EMEA Strategic Engagement Team Manager at Infoblox, says that, in order to use threat intelligence effectively to prevent or minimise the impact of cyber attacks, companies will require appropriate instrumentation, monitoring and logging, with the resulting data stored in such a way that it can be searched and correlated.

Mozley says: "It's also essential to ensure that the data is stored for an appropriate retention period, and synchronising these will be important. There will be data gaps if data from one source is retained for 90 days, while the retention period for another source is only 24 hours."

Teams within the organisation must co-operate and communicate around threat intelligence, he continues. "For instance, network operations teams will have access to data that is required for threat hunting, or they might notice an event that's of interest to the security team. This type of information has to be shared in order for any threat hunting activities to be effective."

He cites the example of DNS (Domain Name System) queries: "Organisations should retain DNS queries and responses for forensic purposes. Applying this to threat hunting might involve, as one example, reviewing DNS queries by removing internal domain name queries and common external domains (Alexa top N). The remaining domains could be of interest from a threat hunting perspective."

The processing of large volumes of data, such as DNS queries, will benefit from the use of machine-readable threat intelligence to automate some aspects of the hunting process. "This is more likely to find the 'known unknowns', such as identifying a threat that is known to the curator of the threat intelligence but not the organisation using this to hunt threats."

An example of this might be reviewing DNS queries for domain names associated with domain generation algorithms (DGAs) used by malware. By the definition of a DGA, these will be constantly changing; combining DNS forensics with appropriate threat intelligence will help an organisation automate one element of the threat hunting process. "As threat hunting is aimed at identifying threats that are evading existing security measures, this type of automation is in no way a panacea!" cautions Mozley. "It won't replace skilled analysts. Nor will it replace performing reviews of incidents to learn lessons and see where instrumentation and data collection could be improved."
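The two steps Mozley describes, stripping internal and common external domains out of a DNS query log and then matching what remains against machine-readable threat intelligence such as a list of DGA-associated domains, worked through in Python as an added example. This is not code from the article or from Infoblox: the log lines, the internal zone, the popular-domain allowlist (standing in for an Alexa top N list) and the indicator feed are all constructed for the example, and the per-client NXDOMAIN count at the end is an added hunting lead that goes beyond what the article states.

```python
from collections import Counter, namedtuple

# Constructed sample DNS log (not real traffic): timestamp client qname qtype rcode
SAMPLE_DNS_LOG = """\
2019-04-25T09:00:01Z 10.0.1.15 intranet.corp.example A NOERROR
2019-04-25T09:00:02Z 10.0.1.15 www.google.com A NOERROR
2019-04-25T09:00:03Z 10.0.1.22 mail.corp.example A NOERROR
2019-04-25T09:00:04Z 10.0.1.22 xkqzlvbn.info A NXDOMAIN
2019-04-25T09:00:05Z 10.0.1.22 pqowieuryt.biz A NXDOMAIN
2019-04-25T09:00:06Z 10.0.1.40 cdn.example-vendor.net A NOERROR
2019-04-25T09:00:07Z 10.0.1.40 updates.microsoft.com A NOERROR
2019-04-25T09:00:08Z 10.0.1.15 a1b2c3d4e5f6.example-dga.net A NXDOMAIN
"""

# Constructed filter lists: the organisation's own zones and a stand-in for an
# Alexa top N allowlist. A real deployment would load these from files.
INTERNAL_ZONES = {"corp.example"}
POPULAR_DOMAINS = {"google.com", "microsoft.com"}

# Constructed machine-readable threat intelligence feed of DGA-associated names.
DGA_INDICATORS = {"xkqzlvbn.info", "a1b2c3d4e5f6.example-dga.net"}

DnsQuery = namedtuple("DnsQuery", "ts client qname qtype rcode")


def parse_dns_log(text):
    """Parse the constructed space-separated log format into DnsQuery records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the whole hunt
        records.append(DnsQuery(*parts))
    return records


def registrable_domain(qname):
    """Naive registrable domain: the last two labels of the name.
    Good enough for the constructed data; real data needs the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def filter_candidates(text, internal_zones=INTERNAL_ZONES, popular=POPULAR_DOMAINS):
    """Step one from the article: drop internal and common external domains,
    leaving the residual queries that are worth an analyst's attention."""
    kept = []
    for q in parse_dns_log(text):
        dom = registrable_domain(q.qname)
        if dom in internal_zones or dom in popular:
            continue
        kept.append(q)
    return kept


def match_threat_intel(queries, indicators=DGA_INDICATORS):
    """Step two: automated match of residual queries against the indicator feed,
    either on the full query name or on its registrable domain."""
    norm = {i.lower().rstrip(".") for i in indicators}
    return [q for q in queries
            if q.qname.lower().rstrip(".") in norm
            or registrable_domain(q.qname) in norm]


def nxdomain_by_client(queries):
    """Added lead: DGA malware typically generates many names that do not resolve,
    so clients with clusters of NXDOMAIN answers in the residual set merit review."""
    return dict(Counter(q.client for q in queries if q.rcode == "NXDOMAIN"))


if __name__ == "__main__":
    residual = filter_candidates(SAMPLE_DNS_LOG)
    print("residual queries:", [q.qname for q in residual])
    print("indicator hits:", [(q.client, q.qname) for q in match_threat_intel(residual)])
    print("NXDOMAIN per client:", nxdomain_by_client(residual))
```

Only the names that match the feed are the "known unknowns" the article mentions; pqowieuryt.biz survives the filter but matches nothing, which is exactly the residue an analyst, not the automation, has to look at. The registrable-domain helper is deliberately simplistic; real DNS data has multi-label public suffixes (co.uk, for example) and needs a public suffix list so that allowlisting does not silently fail.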

"Any effective threat hunting initiative will rely on data from a well instrumented network and the accompanying threat intelligence collected from a variety of sources for analysis."

He concludes: "Security will always be a budget trade-off, where investment is guided by risk assessment. If you consider The Sliding Scale of Cyber Security, Robert Lee puts forward five categories of security measures: architecture, passive defence, active defence, intelligence and offence, ranked in order of investment. Threat hunting is at the more expensive end of the cost scale, but if this is used to drive improvements in architecture and passive defence, it will provide a return."
