How far is threat intelligence data vital to a successful and well-rounded cyber strategy?  

As technology progresses, data breaches continue to climb, with no sign of slowing. The cost of cybercrime is predicted to reach just under £6.5 trillion by the end of 2023. According to Andrius Palionis, VP of Enterprise Sales at Oxylabs, acquiring threat intelligence data is a primary step in preventing cyberattacks, and web scraping should be the collection method of choice for modern data-driven businesses.

Threat intelligence gives businesses the tools to defend their networks and protect their data. A well-rounded cybersecurity strategy uses threat intelligence to automatically receive cyberthreat data, enabling organisations to prepare action plans based on possible attack scenarios.

“Cyberattacks are growing in frequency, severity and sophistication as the demand for data grows,” said Palionis. “Common factors leading to data breaches include engaging third-party services, network operation risks, extensive cloud migration, increased system complexity and compliance failures. These data breaches not only damage the reputation of companies, but also cause severe financial distress.”

According to a recent IBM Cost of a Data Breach report, the average breach costs $150 per record lost and involves 25,575 records, and the report puts the average total cost of a single breach at $3.92 million (the report's figures are in US dollars).

“This is a stark reminder that businesses of all sizes are at risk of a data breach and subsequent financial loss. As cybercriminals gain expertise and attacks become more frequent, companies risk facing serious consequences that may negatively impact customer trust.

“Companies must invest in threat intelligence to stay ahead of criminals and keep their data safe. In addition to investing in threat intelligence, businesses must implement a multi-layered security approach to identify and mitigate cyberthreats before they can cause damage. Strategies may include effective data governance and processing, careful planning, analysis and dissemination,” said Palionis.

Quality intelligence that is current and relevant is vital to the success of a cybersecurity strategy. Cyberthreat intelligence identifies, manages and minimises cyberattacks by gathering information from across the web, including darknet forums and marketplaces. Security teams are increasingly adopting web scraping to extract this information from target websites at scale and turn it into structured, analysable data.

Palionis continued: “Web scraping processes involve sending data requests to the target website server and extracting and parsing data into an easily readable format followed by detailed analysis. Cybercriminals attempt to escape detection by identifying cybersecurity company servers and blocking their IP addresses. To address this issue, data centre and residential proxies are being used to maintain anonymity, avoid geolocation restrictions and balance server requests to prevent bans.

“Managing threats and data processing can benefit significantly from effective data governance. By implementing key governance practices, businesses can create value, improve productivity and increase data safety.”

Palionis concluded: “Threat intelligence forms the backbone of an overall strategy that gives businesses the tools to defend their networks and protect their data.”
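The collection step Palionis describes, as an added example that is not code from the article or from Oxylabs: a scraped forum page is parsed into structured indicators (with the usual "defanging" such as `203[.]0[.]113[.]45` and `hxxp://` undone), and the fetch is retried through a different proxy when the target blocks one. The HTML page, the proxy addresses, the forum URL and the HTTP client stub are all constructed for the example; a real collector would plug its own client into `fetch_with_rotation`.

```python
"""Added example, not code from the article or from Oxylabs: turn a scraped forum
page into structured indicators, moving to another proxy when the target blocks
one. Runs offline: the HTML is a constructed sample and the HTTP client is a stub."""
import re
from dataclasses import dataclass, asdict
from html.parser import HTMLParser
from itertools import cycle

# Constructed page. Posters "defang" indicators (203[.]0[.]113[.]45, hxxp://) so they
# are not clickable; the collector must undo that before anything can match them.
SAMPLE_HTML = """<html><body>
<div class="post" data-author="seller01" data-ts="2023-05-02T10:15:00Z">
  Fresh loader callback: hxxp://update-cdn[.]example/loader.bin
  C2 at 203[.]0[.]113[.]45 port 8443, sha256
  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
</div>
<div class="post" data-author="lurker" data-ts="2023-05-02T11:02:00Z">
  anyone have samples? 198.51.100[.]7 also seen
</div>
</body></html>"""

class PostParser(HTMLParser):
    """Collect text and attributes of each <div class="post"> (sample has no nested divs)."""
    def __init__(self):
        super().__init__()
        self.posts, self._current = [], None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "div" and attrs.get("class") == "post":
            self._current = (attrs, [])
    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)
    def handle_endtag(self, tag):
        if tag == "div" and self._current is not None:
            attrs, chunks = self._current
            self.posts.append({"author": attrs.get("data-author", ""), "observed": attrs.get("data-ts", ""),
                               "text": " ".join("".join(chunks).split())})
            self._current = None

def refang(text):
    """Undo common defanging: a[.]b, a(.)b, a[dot]b and hxxp(s)://."""
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", text, flags=re.IGNORECASE)
    return re.sub(r"\bhxxps?://", lambda m: m.group(0).lower().replace("hxxp", "http"), text)

# Checked in this order so an IP inside a URL is reported once, as part of the URL.
IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s<>\"']+"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
}

@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    author: str
    observed: str
    source: str

def extract_indicators(html, source):
    """Parse the page and return de-duplicated indicators with their posting context."""
    parser = PostParser()
    parser.feed(html)
    found = {}
    for post in parser.posts:
        text = refang(post["text"])
        for kind, pattern in IOC_PATTERNS.items():
            for value in pattern.findall(text):
                value = value if kind == "url" else value.lower()
                found.setdefault((kind, value), Indicator(kind, value, post["author"], post["observed"], source))
            text = pattern.sub(" ", text)  # drop what was matched before the next pattern runs
    return list(found.values())

class ProxyRotator:
    """Round-robin over a pool, setting aside proxies the target has blocked."""
    def __init__(self, proxies):
        self._pool, self._cycle, self.blocked = list(proxies), cycle(proxies), set()
    def next_proxy(self):
        for _ in range(len(self._pool)):
            proxy = next(self._cycle)
            if proxy not in self.blocked:
                return proxy
        raise RuntimeError("every proxy in the pool has been blocked")

def fetch_with_rotation(url, rotator, fetch, attempts=3):
    """Retry via another proxy on 403/429. 'fetch' is any client: fetch(url, proxy) -> (status, body)."""
    for _ in range(attempts):
        proxy = rotator.next_proxy()
        status, body = fetch(url, proxy)
        if status in (403, 429):
            rotator.blocked.add(proxy)
            continue
        return status, body, proxy
    raise RuntimeError("no proxy could fetch " + url)

def fake_fetch(url, proxy):
    """Constructed stand-in for an HTTP client: the target has already banned one proxy."""
    return (403, "") if proxy == "http://10.0.0.1:8080" else (200, SAMPLE_HTML)

PROXIES = ["http://10.0.0.1:8080", "http://10.0.0.2:8080", "http://10.0.0.3:8080"]  # constructed

def collect(url, proxies, fetch):
    rotator = ProxyRotator(proxies)
    _, body, used = fetch_with_rotation(url, rotator, fetch)
    return extract_indicators(body, source=url), used, sorted(rotator.blocked)

if __name__ == "__main__":
    indicators, used, blocked = collect("http://forum.example/thread/42", PROXIES, fake_fetch)
    print("fetched via", used, "blocked:", blocked)
    for ind in indicators:
        print(asdict(ind))
```

Keeping the author and timestamp on every indicator matters later: an IP posted by a known seller on a given date is worth more than the same IP pasted by an anonymous lurker, and that context is lost if the scraper only emits a flat list of strings.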

We asked the experts for their thoughts…

Jamie Collier, Mandiant Senior Threat Intelligence Advisor, EMEA, Google Cloud

Threat intelligence is a critical component of a well-rounded approach to cybersecurity. As attackers become more sophisticated and innovative in their methods, it is crucial for organisations to use threat intelligence to understand as much as they can about the threat landscape in order to best protect themselves.

Mandiant recently unveiled the findings of its Global Perspectives on Threat Intelligence report, looking at how organisations navigate today’s threat landscape. According to the report, despite the widespread belief among Middle East respondents that understanding the cyberthreat actors who could be targeting an organisation is important (94%), 83% stated that their organisations make the majority of their cybersecurity decisions without insights into the threat actors targeting them. These visibility gaps mean that defences may not meet their intended goals. By gaining a better understanding of attackers’ modus operandi, organisations can prioritise the right things and build a more proactive security posture against their biggest threats.

Mandiant’s report also found that 96% of respondents globally are satisfied with the quality of threat intelligence their organisation is already using, however, problems arise in how best to make that intelligence actionable. Nearly half of respondents (47%) cited one of their greatest challenges to be effectively applying threat intelligence throughout their security organisation.

Security teams are also struggling with the volume of threat intelligence data they are now collecting every day. A large majority (84%) of respondents in Mandiant’s recent report said that they are concerned they may be missing out on threats or incidents because of the number of alerts and data they are faced with.

To operationalise cyberthreat intelligence effectively and maximise the value from your investments:

  • Evaluate the data you rely on to ensure it is trustworthy, timely and actionable: A dependable threat intelligence programme must be built on solid foundations; these attributes are an essential starting point.
  • Understand active threats specific to your organisation and industry: Build up a clear picture of the adversaries, their motives and tactics, techniques and procedures (TTPs) to best adapt your defences.
  • Communicate with your stakeholders: Develop a regular cadence of feeding relevant intelligence to the right stakeholder group to drive optimal security and business decisions right up to the senior leadership and board level.
  • Prioritise resources to address what really matters: Leverage intelligence to understand what threats matter most to your organisation. Assess vulnerabilities and exposures, give them a risk rating based on criticality and then tackle issues in the right order.
  • Test your defences: Proactively test the organisation’s response to typical attack tactics from the adversaries you have identified. Validate your protection against these specific groups and measure improvements over time.
  • Take action: Leverage the threat intelligence across your security systems and processes to proactively protect against potential threats.

Alistair Thomson, Director of Product & Innovation at Adarma

I have never met anyone who says that threat intelligence isn’t vital to a successful and well-rounded cyber strategy. However, I have met quite a few that question the usefulness of what they get.

Most organisations will say that they appreciate the need for, or the value of, threat intelligence, however, they are often misguided in their application of it or are not able to use it at all. Often, when security practitioners use information obtained through technology and threat intelligence feeds incorrectly, the result is reactive, or out of context and isn’t based on an understanding of adversary tradecraft. This can render the intelligence irrelevant, or worse, cause harm, undermining the power of good threat intelligence.

So, perhaps the question should be: is good, relevant and actionable threat intelligence vital to a successful and well-rounded cyber strategy?

There are many pieces that make up the jigsaw puzzle of intelligence, just as there are a lot of moving parts in your cybersecurity operation. Threat intelligence looks different for every business depending on their size, geography and line of business.

We need to start with a key question – what are the use cases? Who is the intelligence intended for, how do they want to consume it and what is the desired outcome? When defining your threat intelligence mission, you should consider:

  • Who is the recipient of the intelligence and what are they trying to achieve with it? 
  • Do you need to identify gaps in your detection content or understand a new business risk?
  • Do your SOC analysts and the incident responders need improved intelligence to make better decisions?
  • Is the mission to understand vulnerabilities and attack paths in your attack surface to support prioritisation?
  • Is it to support you to have risk discussions, to review the business and cyber-risks in support of wider executive decision-making?

The answer to these questions leads to the definition of the type of intelligence required – strategic, operational, or technical. It powers the collection, processing and ultimately the dissemination of this intelligence in an actionable format to the desired recipient. When you start from the outcome and work back, you ensure that your people and processes can deliver, giving you the vital intelligence that powers your operation.

Good, actionable and relevant threat intelligence is vital to your cybersecurity; generic threat intelligence data is less so.

Christopher Duggan, Head of Cyber Threat Intelligence at Bridewell

Threat intelligence is the backbone of a successful and comprehensive cyber strategy. It enables informed business decision-making in an ever-evolving landscape. There are already a range of critical standards and regulations that underpin its importance, including the FCA’s Cyber Resilience regulations, NIS regulations, NIST 800-172, the UK Government Cyber Security Strategy and the latest addition, the UC Cyber Security Strategy.

These standards emphasise the integration of threat intelligence data into risk management, budgeting and detection and response. By utilising this data to understand the specific threat actors most relevant to a business, as well as their motivations and preferred tactics, techniques and procedures, organisations can significantly enhance their ability to detect and respond to threats.

However, effectively collecting and using threat intelligence can be challenging. Poor-quality technical indicators can generate excessive noise, false positives and an inability to detect real threats, limiting the true value of threat intelligence.

To overcome these challenges, a mature and efficient threat intelligence function must be underpinned by specialist analysts who work closely with a SOC to develop a complete picture of the threat landscape. This function leverages research, a threat intelligence platform and an automated and manual collection framework. By incorporating the latest intelligence, businesses can take a proactive approach to improving their cyber posture, which serves to guide their cybersecurity strategy and investment.

An optimised threat intelligence function will provide an automated feed of actionable intelligence that consistently identifies and blocks indicators of attack, thereby offering a significant amount of defence comparable to other security controls. To make sense of where threats lie, businesses can take advantage of regular reports and summaries concerning specific threats, such as malware, phishing, or infected external hosts.

When integrated with SOC-related services, a well-optimised threat intelligence function can maximise detection and response capabilities in line with intelligence findings. This function can also actively inform detection and blocking activities of active malicious threats in real-time, thereby minimising false positives.

Ultimately, cyberthreat intelligence allows organisations not only to understand their current threat landscape but also to anticipate future threats. To protect against emerging dangers, the incorporation of threat intelligence into cyber strategies is imperative. By doing so, organisations can prioritise their cyberdefence and remain protected against ever-evolving cyberthreats.

Chris Jacob, Global Vice President of Threat Intelligence Engineering, ThreatQuotient

To answer this question, I think we need to break down a couple of different components. Cybersecurity is synonymous with the older term Information Security, which is simply the defence of electronic devices such as servers, networks, mobile devices, etc. 

With this in mind, we can move on to Cyber Threat Intelligence (or CTI) which is the practice of developing an understanding of the threats facing those cyber systems a security team is tasked with defending. While this oversimplifies the process, I think it’s a good starting point. 

Where things get complicated is when we look at implementing CTI. There is no shortage of sources for threat data, including varying quality Open Source Intelligence (OSINT) and plenty of high-quality commercial sources. However, I believe that you can’t simply buy threat intelligence. You can buy threat data, but that only gets you halfway. 

To transform that threat data into practical intelligence, you must determine what subset applies to your enterprise. This is where I think most organisations struggle to find value. An overwhelming amount of non-contextual threat data just increases the number of haystacks you are searching through for that proverbial needle. This is overcome by implementing tools and processes that help you refine or contextualise that threat data to provide meaningful threat intelligence. 

Now we’ve reached this point, we can start to address the question of the value threat intelligence provides to a well-rounded cyber strategy. The short answer is that it’s paramount and its importance is increasing. There was a time early in InfoSec when you could take a ‘lock it all down’ approach to an organisation’s security, but those days are gone. In the days of SaaS, remote workforces and the ever-disintegrating definable ‘edge’ of the corporate network, security practitioners are forced to become more agile in protecting their systems while still allowing a business to function.

An understanding of the tactics, techniques and procedures of an adversary, which is what CTI aims to provide, becomes critical to successfully defending an organisation. Keep in mind that this isn’t a technology solution alone – policy and processes need to be developed to achieve the goals. In addition, CTI can’t be an isolated, siloed approach. The value needs to be realised by all areas of the security organisation.

Once the entire security organisation understands and buys into the process of threat intelligence and the importance of participating in that process, CTI becomes the fuel that powers an organisation’s defences.
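Duggan's point that poor-quality indicators drown detection in noise, and Jacob's that bought threat data only becomes intelligence once you find the subset that applies to your enterprise, come down to the same triage step. The following is an added example, not code from the article, Bridewell or ThreatQuotient: a raw feed is reduced by dropping non-routable, allowlisted, stale and low-confidence entries, the survivors are ranked by relevance to the organisation's sector, and the result is run over sample log lines. The feed entries, allowlist, thresholds, organisation profile and log lines are all constructed for the example.

```python
"""Added example, not code from the article, Bridewell or ThreatQuotient: reduce a
raw indicator feed to the subset worth acting on, then run it over log lines.
The feed, allowlist, thresholds, organisation profile and logs are constructed."""
import ipaddress
import re
from datetime import date, timedelta

TODAY = date(2023, 6, 1)            # fixed so the example is reproducible
MAX_AGE = timedelta(days=90)        # older indicators are treated as stale
MIN_CONFIDENCE = 50
# Shared or benign infrastructure that turns up in many feeds and only makes noise.
ALLOWLIST = {"8.8.8.8", "dns.google", "1.1.1.1"}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SECTOR_TAGS = {"finance", "retail", "health"}
ORG_PROFILE = {"sector": "finance"}   # who we are, so the feed can be contextualised

# Constructed feed: a few real-looking indicators plus the kinds that cause false positives.
RAW_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90, "last_seen": "2023-05-28",
     "tags": ["c2", "finance"], "source": "vendor-a"},
    {"type": "ipv4", "value": "8.8.8.8", "confidence": 80, "last_seen": "2023-05-30",
     "tags": ["dns"], "source": "osint-paste"},                 # public resolver
    {"type": "ipv4", "value": "10.1.2.3", "confidence": 70, "last_seen": "2023-05-30",
     "tags": [], "source": "osint-paste"},                      # someone's internal range
    {"type": "domain", "value": "update-cdn.example", "confidence": 85, "last_seen": "2023-05-29",
     "tags": ["loader", "finance"], "source": "vendor-a"},
    {"type": "domain", "value": "old-c2.example", "confidence": 95, "last_seen": "2022-11-01",
     "tags": ["c2"], "source": "vendor-b"},                     # long since taken down
    {"type": "domain", "value": "lowconf.example", "confidence": 20, "last_seen": "2023-05-31",
     "tags": ["phishing"], "source": "osint-paste"},
    {"type": "domain", "value": "retail-kit.example", "confidence": 90, "last_seen": "2023-05-31",
     "tags": ["phishing", "retail"], "source": "vendor-a"},     # real, but aimed at another sector
]

# Constructed proxy and DNS log lines from the defended environment.
LOG_LINES = [
    "2023-06-01T08:01:12Z proxy src=192.0.2.10 dst=203.0.113.45:8443 action=allow",
    "2023-06-01T08:02:30Z dns client=192.0.2.11 query=update-cdn.example type=A",
    "2023-06-01T08:03:02Z dns client=192.0.2.12 query=dns.google type=A",
    "2023-06-01T08:03:40Z proxy src=192.0.2.10 dst=8.8.8.8:53 action=allow",
    "2023-06-01T08:04:15Z dns client=192.0.2.13 query=retail-kit.example type=A",
    "2023-06-01T08:05:00Z dns client=192.0.2.14 query=old-c2.example type=A",
]

def reject_reason(ind, today=TODAY):
    """Return why an indicator is dropped, or None if it survives the quality filters."""
    if ind["type"] == "ipv4":
        try:
            ip = ipaddress.ip_address(ind["value"])
        except ValueError:
            return "malformed"
        if any(ip in net for net in PRIVATE_NETS) or ip.is_multicast or ip.is_link_local:
            return "not routable"
    if ind["value"] in ALLOWLIST:
        return "allowlisted"
    if today - date.fromisoformat(ind["last_seen"]) > MAX_AGE:
        return "stale"
    if ind["confidence"] < MIN_CONFIDENCE:
        return "low confidence"
    return None

def priority(ind, profile=ORG_PROFILE):
    """Context step: an indicator tied only to other sectors is kept for hunting, not alerting."""
    sectors = set(ind["tags"]) & SECTOR_TAGS
    return "high" if not sectors or profile["sector"] in sectors else "low"

def triage_feed(feed, profile=ORG_PROFILE, today=TODAY):
    """Split the feed into kept indicators (with a priority) and dropped ones (with a reason)."""
    kept, dropped = [], {}
    for ind in feed:
        reason = reject_reason(ind, today)
        if reason:
            dropped[ind["value"]] = reason
        else:
            kept.append({**ind, "priority": priority(ind, profile)})
    return kept, dropped

def match_logs(indicators, lines):
    """Exact-match every token of each log line against the kept indicators."""
    index = {ind["value"]: ind for ind in indicators}
    hits = []
    for n, line in enumerate(lines, 1):
        for token in re.split(r"[\s=:]+", line):
            if token in index:
                hits.append({"line": n, "value": token,
                             "priority": index[token]["priority"], "source": index[token]["source"]})
    return hits

if __name__ == "__main__":
    kept, dropped = triage_feed(RAW_FEED)
    print("dropped:", dropped)
    for hit in match_logs(kept, LOG_LINES):
        print(hit)
```

Run against the sample logs, the unfiltered feed would have raised six alerts; the triaged feed raises two high-priority ones and one low-priority hit for an indicator that is genuine but aimed at another sector. In practice the allowlist, the staleness window and the confidence floor come from your own environment and from feedback from the SOC on which sources have been paying off, which is exactly the analyst-to-SOC loop Duggan describes.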

Intelligent CISO