Security Summit: Know when, how to use threat intelligence
We need to be able to tell the story of threats, and provide information to people on how to respond, the potential damage of threats and how to mitigate these. Knowing when and how to use threat intelligence to support security operations and incident response is key.
So said Rebekah Brown, threat intelligence lead, global services at Rapid7, during her keynote this morning on "The art and science of threat intelligence" at ITWeb Security Summit 2017, at Vodaworld in Midrand.
Addressing a packed audience of over 900 security professionals, Brown defined threat intelligence as "analysed information about the capability, intent and opportunities of cyber threats".
"This gives us our threat spectrum. Without capability, you have an impending threat. Without intent, a potential threat. If there's intent and capability but no opportunity, it's an insubstantial threat."
Avoiding potential threats is about removing or limiting the opportunity, and this is where threat intelligence plays a role. "It allows businesses to take a more effective approach in the defence of their networks. Security solutions that alert or respond based on pieces of code or signatures commonly associated with malware don't work."
First step: data
So what is the process of threat intelligence? "Start with a question of your data, then review the information and develop hypotheses. Evaluate assumptions, make an analytic judgement: this is not a yes or no, but a thought process. Use models like analysis of competing hypotheses, etc, but you have to follow an analytic process to see if it's likely to be correct or not. If likely to be correct, assign a confidence, say I'm 90% sure, or identify information that would add to the certainty. Then record your results. If probably not the right path, still record your findings; it means your process is working."
Brown said the intelligence produced will include who is behind the attack and what legal action could be taken, as well as how to identify attacker behaviour and put blocks in place. Threat covers the full spectrum, she explained: the goals and motivations of a hacker, their capabilities and infrastructure, the vulnerabilities that could be exploited, and the vectors through which they could attack.
Collect, analyse, inform is the core of the intelligence process, noted Brown. "One of the key words in the definition is 'analysed', because a structured analytic process has to be applied to data before it can be considered intelligence. Then comes the questions of should we act on this? Can we act on this? And what exactly is this?"
According to Brown, the real value of threat intelligence lies in its context: putting context on threat intelligence allows businesses to make more informed decisions about what they are doing and how to allocate their resources. If you know an attacker is after credit card details, for example, you can focus resources on protecting that information, she commented.
With threat intelligence, an organisation can understand when an event is an isolated incident, or part of a bigger trend that might need more resources directed at it, she concluded.