
Threat intelligence benefits not fully understood

By Staff Writer, ITWeb
Johannesburg, 24 Jun 2019

Cyber threat intelligence is a crucial link in the cyber security chain, says Adeshni Rohit, business unit manager for Cisco at Axiz.

“When done properly, it can help security teams defend their organisations against adversaries that are more determined than ever. By scrutinising these adversaries and understanding their motives, strategies and tools, organisations can build stronger, more effective cyber defences.”

According to Rohit, threat intelligence isn’t as well understood as it should be and CIOs don’t always understand its benefits.

“Sometimes, cyber security teams view it as a quick fix that will protect them from all threat actors, which is unrealistic. However, by equipping teams with the information needed to maximise prevention, detection and response, threat intelligence helps security teams remain one step ahead of attackers.”

Organisations can’t protect themselves if they are unaware of the threats they’re facing, she adds.

“In every major data breach we’ve seen in recent years, the organisations that fell victim had large security budgets and the best cyber security tools and solutions that money could buy. They had top security teams in place, with skilled and experienced individuals, and all the right procedures and protocols in place. But they were still hit, and hit hard, losing personal information of tens of millions of their customers.”

This is why she says traditional cyber security approaches are not enough, citing a Verizon report from last year which found that a staggering 68% of data breaches took months to discover, with attackers lurking on the network and performing reconnaissance before ultimately exfiltrating company data.

“Once this has happened, it’s too late. Using security tools that tell the business a breach has happened is one thing, but being proactive and harnessing the power of cyber threat intelligence is better.”

Optimising prevention

Rohit says threat intelligence optimises prevention and improves defences in the expectation of an attack.

“The right tools will employ technical indicators to block known bad IPs and URLs, and threat feeds are then automatically fed back into the security tools to update blacklists, access control lists, as well as patterns or signatures. This integration of threat intelligence into gateways, intrusion detection systems, next-generation firewalls, as well as endpoints, helps root out emerging and known threats, and defend against them automatically.”

There’s also operational threat intelligence, which she says behaves proactively, supplying details about emerging threats by identifying which attackers or threat groups will most likely target a business, as well as why and how this could happen. “Threat intelligence can help identify other early warning signs that could indicate a new threat campaign is being formulated.”

This gives security teams advance warning, allowing them to put measures in place, such as patching and updates, to close any security holes through which an attacker could crawl. “Another way they can prevent an attack is to keep an eye out for the creation of attack infrastructures, which are clear indicators that a new attack campaign is being created,” she says.

Threat intelligence also speeds up detection time, adds Rohit. “Threat-hunting is now being used to actively search for traces of incidents instead of waiting for security products to recognise anomalous behaviour and raise a red flag. Operational threat intelligence helps threat-hunting, but also provides a deeper insight into who might be going after the enterprise and why, giving security teams a better idea of which artefacts and traces to keep an eye out for. Moreover, understanding what might be motivating the adversary, and what their goal is, will narrow down which systems are most likely in the attacker’s sight.”

Finally, she says threat intelligence plays a crucial role in incident prioritisation, investigation and response, by lowering the number of alerts and false positives, so that security teams don’t waste time investigating false alarms. It also gives them the context and attribution necessary to help them prioritise responses and speed up investigations.
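The feed-to-blocklist integration Rohit describes under "Optimising prevention", together with the confidence-based prioritisation mentioned above, as an added illustration that is not part of the article or any Cisco or Axiz product: a constructed indicator feed (hypothetical format) is loaded into a blocklist, expired and low-confidence entries are dropped, and constructed proxy log lines are matched and ranked so the highest-confidence hits are investigated first.

```python
import ipaddress
from datetime import datetime, timezone
# Constructed sample feed (hypothetical format): indicator, type, confidence 0-100, expiry.
FEED = [
    ("203.0.113.10", "ip", 90, "2030-01-01"),
    ("198.51.100.0/24", "cidr", 60, "2030-01-01"),
    ("bad-example.invalid", "domain", 80, "2030-01-01"),
    ("192.0.2.5", "ip", 95, "2019-01-01"),        # expired: must be dropped
    ("stale.invalid", "domain", 20, "2030-01-01"),  # low confidence: must be dropped
]
NOW = datetime(2019, 6, 24, tzinfo=timezone.utc)  # constructed reference time

def build_blocklist(feed, now=NOW, min_confidence=50):
    """Load a feed into a blocklist, dropping expired and low-confidence indicators."""
    blocklist = {"ip": {}, "cidr": {}, "domain": {}}
    for value, kind, confidence, expiry in feed:
        expires = datetime.fromisoformat(expiry).replace(tzinfo=timezone.utc)
        if confidence < min_confidence or expires <= now:
            continue
        key = ipaddress.ip_network(value) if kind == "cidr" else value.lower()
        blocklist[kind][key] = confidence
    return blocklist

def match_event(blocklist, dst_ip, host):
    """Return (indicator, confidence) for the first matching indicator, else None."""
    if dst_ip in blocklist["ip"]:
        return dst_ip, blocklist["ip"][dst_ip]
    for net, conf in blocklist["cidr"].items():
        if ipaddress.ip_address(dst_ip) in net:
            return str(net), conf
    host = host.lower()
    for dom, conf in blocklist["domain"].items():  # exact domain or any subdomain
        if host == dom or host.endswith("." + dom):
            return dom, conf
    return None

# Constructed proxy log: timestamp src_ip dst_ip host
LOG = """2019-06-24T10:00:00Z 10.0.0.4 203.0.113.10 update.bad-example.invalid
2019-06-24T10:00:05Z 10.0.0.7 198.51.100.77 cdn.example.net
2019-06-24T10:00:09Z 10.0.0.9 192.0.2.5 stale.invalid
2019-06-24T10:00:12Z 10.0.0.4 192.0.2.200 example.com"""

def triage(log_text, blocklist):
    """Match each log event against the blocklist; highest-confidence alerts first."""
    alerts = []
    for line in log_text.splitlines():
        ts, src, dst, host = line.split()
        if hit := match_event(blocklist, dst, host):
            alerts.append({"ts": ts, "src": src, "indicator": hit[0], "confidence": hit[1]})
    return sorted(alerts, key=lambda a: a["confidence"], reverse=True)
```

Only the two events hitting live, sufficiently confident indicators surface as alerts, which is the noise reduction the last paragraph describes.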
