Threat Intelligence – Worth and Use

Businesses must be online today. Consumers and businesses need to be able to interact with your business quickly and efficiently… no one has the time to fill out the cheque book anymore.

When you allow users to do business with you online, you expose your business externally. This is a great thing: customers can purchase things online, find out about what you do, and gain a greater understanding of your capability and delivery options.

There is a nastier element, though: when you expose your business online, you also allow access to it. Threats could come in the form of phishing, malware, ransomware, DDoS, reputational attacks, spoofing and more.

Each one of these attack types can be mitigated. There are plenty of mitigation techniques, such as signatures, pattern matching, heuristics and more, to minimise these impacts. The vendors in the market offer great products to mitigate these threats, although you are completely reliant on the vendor to provide the related updates/upgrades for this to occur. What happens when there are no updates/signatures available?

Everyone seems to forget that these threats all come from somewhere… this is what is known as a “Source”. Simplistically, if you were to stop this source from communicating with your business, you are likely to stop the threat. Whilst this is only true in a few circumstances, understanding the source and its reputation is important to understanding the potential chance that a “source” can turn into a threat. This is where threat intelligence comes in handy.

With a threat intelligence overlay, your organisation can understand the potential risk of a source impacting your business and make informed decisions on whether you should enact mitigation options or not.

Stopping the source is the fundamental core of short-term mitigation (internally or externally) to minimise the impact of a threat to your business. Threat intelligence allows you to reputationally score that source as it starts to interact and to validate whether to stop something or not.

So, is it worth it? Yes, to a point. Threat intelligence is a supplemental aspect to active security monitoring and policy management. It will identify bad actors doing reconnaissance work and may allow greater understanding of an external actor and common threats. It won’t assist you in targeted attacks, although if there are key markers used within targeted attacks, it may help identify some of the mechanisms within the attack.

The key players in the threat intelligence community are ganging up: IBM X-Force and Cisco Talos have recently teamed up on threat intelligence to allow their customers to identify threats and their related sources before they impact the business. In addition, X-Force provides free access to their X-Force Exchange to allow for manual tracking of threats and concerns.

Adding threat intelligence data feeds via API into your relevant security controls gives you visibility into a variety of data, incorporating vulnerabilities (known and unknown), hash values and advisories, and allows you to reduce incident detection times and potentially mitigation timeframes.

To find out how threat intelligence works and understand how you can get on top of your short-term mitigation, contact us for more information.