Posted March 1, 2016
Threat intelligence is a hot term in the cyber security industry. However, like many cyber-related terms, it has no single clear-cut definition, so it can mean many things to many people. For some, threat intelligence is the collection of technical indicators of compromise (IOCs): data points that, if observed within an enterprise network, usually but not always signify a compromise. Typical IOCs include virus signatures, MD5 hashes, malicious URLs, IP addresses, and command and control (C&C) servers used by hostile actors in support of their activities. Threat intelligence can also be contextual, providing insight into the threat actors behind the operations: actor names and handles, affiliated groups or organizations, intent, capabilities, target history, and any formal or informal connection to a foreign government.
We define threat intelligence as the combination of technical and contextual information about existing or emerging threats, drawn from all available sources, that has been evaluated and analyzed for accuracy, timeliness, and relevancy, and then put to use by an organization’s tactical, operational, and strategic stakeholders.
The threat intelligence process feeds into every aspect of an organization’s security posture: detecting and mitigating threats, advanced or otherwise; developing security strategies; improving security practices against the threats most likely to target the organization; and responding to and remediating breaches of the network. Threat intelligence has become popular enough that the market is expected to be worth $5,860.5 million by 2020, a compound annual growth rate of 14.3 percent from 2015 to 2020, according to recent market research.
Despite a fast-growing marketplace and a myriad of literature advocating the importance of threat intelligence, some point out that enterprises must first overcome several obstacles before they can use it effectively. Knowing that a threat looms is only one part of a more complex problem; knowing what to do about it is where organizations find themselves in a quandary. According to one security professional, in 90 percent of the cases he was involved with, the company was not able to take advantage of cyber intelligence information. In many instances, businesses lack the capacity to stand up cyber intelligence groups of their own to consume and act on the various data feeds. Given that there are approximately 50 million U.S. businesses, many of them small-to-medium sized businesses (SMBs) with limited resources, this is a stark reality. Compounding the problem is the shortage of skilled information security professionals. One 2015 survey conducted by the SANS Institute found that demand for cyber security tools and resources had doubled since 2014, but that a dearth of skills to implement them remained a challenge.
As threat and data feeds become more streamlined and are packaged for consumers, they tend to be too information technology (IT)-focused. For organizations that cannot operationalize such information, this type of data is not immediately actionable. In a time of merged operations and converging tactics, techniques, and procedures (TTPs) across a diverse set of threat actors, cyber security must be viewed beyond the narrow confines of technical threat intelligence so that multiple functional areas within an organization can make use of it. Specifically, threat intelligence can and should play an important role in an organization’s overall risk management strategy.
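The two points made above, that an IOC "usually but not always" signals a compromise and that a feed of bare technical indicators is hard to act on, are easiest to see in code. The following Python example is added here and is not code from the original post. It matches a small feed against log lines while keeping the contextual fields (actor, confidence, note) attached to each hit, so a low-confidence match on shared infrastructure is queued for analyst review instead of raising an alert. The feed entries, actor names, hash, addresses, domain and log lines are all constructed for illustration; the 70-point alert threshold is an assumption.

```python
"""Operationalising a threat-intelligence feed: match technical IOCs against
log lines while keeping actor, confidence and note attached, so each hit says
what to do rather than only that something matched.

Added example, not code from the original post. Feed, actors, hash,
addresses, domain and log lines are constructed; none describe a real campaign.
"""
import ipaddress
import re
from collections import defaultdict, namedtuple
from urllib.parse import urlparse

Indicator = namedtuple("Indicator", "kind value actor confidence note")
Hit = namedtuple("Hit", "line_no kind value actor confidence disposition")

# Constructed feed: technical IOCs plus the contextual fields the post describes.
FEED = [
    Indicator("md5", "0123456789abcdef0123456789abcdef", "ACTOR-A", 90, "dropper used against retailers"),
    Indicator("domain", "update-check.example.net", "ACTOR-A", 85, "C&C domain"),
    Indicator("ip", "203.0.113.7", "ACTOR-A", 80, "C&C server"),
    Indicator("url", "http://update-check.example.net/gate.php", "ACTOR-A", 90, "C&C check-in"),
    Indicator("ip", "198.51.100.5", "ACTOR-B", 30, "shared hosting; mostly benign tenants"),
]

# Constructed proxy, DNS, firewall and endpoint log lines in key=value form.
LOGS = [
    "2016-03-01T10:02:11Z proxy src=10.0.0.21 url=http://update-check.example.net/gate.php status=200",
    "2016-03-01T10:03:40Z dns src=10.0.0.44 query=update-check.example.net answer=203.0.113.7",
    "2016-03-01T10:05:02Z fw src=10.0.0.9 dst=198.51.100.5 dport=443 action=allow",
    "2016-03-01T10:07:15Z edr host=ws-17 file=invoice.exe md5=0123456789ABCDEF0123456789ABCDEF",
    "2016-03-01T10:08:00Z fw src=10.0.0.9 dst=192.0.2.10 dport=443 action=allow",
]

ALERT_THRESHOLD = 70  # assumed: below this a match goes to analyst review, not an alert

_HEX32 = re.compile(r"^[0-9a-f]{32}$")
_HOST = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$")


def _classify(token):
    """Yield every (kind, value) key a log token could match; a URL also yields its host."""
    t = token.strip().lower()
    if _HEX32.match(t):
        yield ("md5", t)
        return
    try:
        ipaddress.ip_address(t)  # raises ValueError for anything that is not an IP literal
        yield ("ip", t)
        return
    except ValueError:
        pass
    if t.startswith(("http://", "https://")):
        yield ("url", t)
        host = urlparse(t).hostname
        if host:
            yield ("domain", host)
        return
    if _HOST.match(t):
        yield ("domain", t)


def build_index(feed):
    """Index the feed by (kind, value) so lookups stay O(1) as feed volume grows."""
    return {(i.kind, i.value.lower()): i for i in feed}


def match_logs(logs, feed):
    """Return one Hit per (line, indicator) pair, with a disposition driven by confidence."""
    index = build_index(feed)
    hits = []
    for n, line in enumerate(logs, 1):
        seen = set()
        for field in line.split():
            token = field.split("=", 1)[1] if "=" in field else field
            for key in _classify(token):
                ind = index.get(key)
                if ind and key not in seen:
                    seen.add(key)
                    disp = "alert" if ind.confidence >= ALERT_THRESHOLD else "review"
                    hits.append(Hit(n, ind.kind, ind.value, ind.actor, ind.confidence, disp))
    return hits


def by_actor(hits):
    """Context for the decision maker: which actors are touching the network, and how often."""
    counts = defaultdict(int)
    for h in hits:
        counts[h.actor] += 1
    return dict(counts)


if __name__ == "__main__":
    found = match_logs(LOGS, FEED)
    for h in found:
        print(h)
    print(by_actor(found))
```

Running the block yields six hits: five are alerts tied to ACTOR-A (the URL, its host, the DNS query and answer, and the file hash), while the firewall connection to the ACTOR-B address is routed to review because the feed itself rates that indicator as low confidence. The per-actor summary is the kind of contextual output a decision maker can use even when the raw indicator volume cannot be worked through.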
Risk management is the identification, assessment, and prioritization of the potential threats that could impact an organization. A comprehensive risk management approach considers both digital and physical events that could disrupt business operations. Perhaps most importantly, it helps an organization identify the key information assets and accesses that are critical for the enterprise to operate. Cyber threat intelligence plays an important contributing role here, as most, if not all, organizations, regardless of size and global footprint, rely on technology to run their business. Beyond supplying information assurance and vulnerability information, cyber threat intelligence can tell the decision maker which types of actors might be interested in the organization, draw attention to the latest vulnerabilities, use those actors’ past targeting to estimate the likelihood of future targeting, and review their TTPs to gauge current capabilities and how they are projected to develop over time. This assessment can be updated as threats evolve, reviewed periodically, and applied accordingly.
Moreover, cyber threat intelligence can ultimately be fused with other security threats, such as physical risks and human factors, to provide a holistic risk profile for the organization. Senior leadership is best positioned to apply risk modeling to determine the likelihood and impact of the risks the organization faces. By determining each risk and whether it should be avoided, mitigated, transferred, or accepted, the decision maker can allocate fiscal, material, and personnel resources appropriately and proportionally. This risk management process achieves several important security objectives:
- It informs the decision maker who must prioritize how the organization’s resources and budget are allocated for security.
- It may have direct influence on how much of the organization’s budget is ultimately devoted to security.
- It provides a quantifiable metric of the potential financial consequences if a risk is accepted and then realized.
Factors like safety, business operations, investment, customer reaction, and public perception have made organizations more aware of the need to identify and measure risk, and the cyber component is no different. Even organizations that cannot operationalize large volumes of IOCs and threat-related data can use the more contextual information to decide how to address the digital risks to their cyber security posture.
This knowledge feeds into how an organization develops strategies to bolster its overall resiliency, since physical and digital risk combine to put key organizational elements such as brand, intellectual property, and network security at risk. Understanding all aspects of the threat environment and evaluating them against the enterprise helps organizations not only understand the nature of the threats they face, but also identify their own vulnerabilities and devise tailored solutions to reduce their exposure.