The Power of Threat Intelligence
Digital business operations continue to rapidly expand and the threat landscape concurrently evolves in complexity and sophistication along with that growth. Cybercriminals are perpetually seeking out vulnerabilities to exploit, and the onus is on businesses to adopt proactive defence strategies to keep one step ahead. Among the most effective tools in our cybersecurity repertoire to help us do this is threat intelligence.
Threat intelligence constitutes the information that empowers organisations to pinpoint and comprehend potential threats to their systems, networks or even their products. This intelligence can be drawn from various sources, encompassing open-source intelligence, social media monitoring, and dark web analysis, as well as input from security researchers, cybersecurity vendors, law enforcement agencies, and other organisations. The insights gleaned from these sources help organisations anticipate potential threats, enabling them to design robust security measures to neutralise these threats before they can harm the business.
In scaling startups, threat intelligence can sometimes be relegated to the “nice-to-have” category, with other more pressing issues demanding immediate attention. However, the importance of threat intelligence has been elevated by the inclusion of ISO 27001:2022 Annex A 5.7. This Annex highlights the significance of threat intelligence, requiring organisations to not only collect and analyse information regarding information security threats, but also to demonstrate the use of that intelligence in taking actionable steps to mitigate potential risks.
Annex A 5.7 recommends that organisations establish processes for collecting and analysing threat intelligence, as well as for disseminating this information to relevant stakeholders across the organisation. It also calls for threat intelligence to be shared in a timely and actionable manner, and to be integrated into the organisation’s risk management and security operations processes.
Why should we place such emphasis on threat intelligence?
Proactive Defence: As I’ve already alluded to, threat intelligence allows organisations to proactively detect and counter potential threats before they wreak havoc. By keeping ahead of the threat curve, businesses can respond to threats more swiftly and effectively.
Enhanced Risk Management: Armed with threat intelligence, businesses can develop a more nuanced understanding of the risks they face, and can then prioritise their defence efforts more astutely. This facilitates a more efficient and effective allocation of resources.
Optimised Incident Response: Should a cybersecurity incident transpire, threat intelligence can expedite an organisation’s response. Armed with a clear understanding of the threat, businesses can initiate the necessary actions to mitigate damage and ward off subsequent attacks.
Informed Decision-Making: Threat intelligence equips businesses with the necessary information to make well-informed decisions about their cybersecurity strategy. By scrutinising the data, organisations can identify patterns and trends, enabling smarter, data-driven decisions.
It’s crucial to underscore that threat intelligence isn’t a panacea. It’s simply one instrument in the cybersecurity toolkit and needs to be employed in tandem with other best practices, like vulnerability management, employee training, and incident response planning.
There are three key types of threat intelligence that can assist organisations in crafting a more comprehensive and effective cybersecurity defence.
- Strategic Threat Intelligence: This form of threat intelligence concentrates on high-level, long-term threats to an organisation. It’s used to guide decision-making at the executive level and is typically based on a wide array of sources like industry reports, government intelligence, and analysis of threat actors’ capabilities and motivations. Strategic threat intelligence aids organisations in identifying potential threats and prioritising resources to mitigate risks.
- Operational Threat Intelligence: This kind of threat intelligence is more tactical, focusing on the everyday security operations of an organisation. It assists security teams in identifying and reacting to threats in real-time by providing information about the latest attack methods, vulnerabilities, and indicators of compromise (IOCs). This type of threat intelligence can be sourced from security vendors, open-source intelligence (OSINT), and internal security logs.
- Tactical Threat Intelligence: This type of threat intelligence offers specific and detailed information about threats, often in real-time. It’s used by security teams to detect and respond to active threats and is typically based on sources like malware analysis, network forensics, and threat hunting. This form of threat intelligence helps organisations quickly identify and neutralise threats before they can cause substantial damage.
Strategic threat intelligence informs long-term planning and resource allocation, while operational and tactical threat intelligence empower security teams to detect and respond to threats in real-time. Moreover, frameworks such as TIBER-EU offer a structured approach to testing and enhancing an organisation’s cyber defences, helping to identify weaknesses and vulnerabilities that can be addressed through threat intelligence and other security measures.
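The operational use case above, IOCs from a feed matched against internal security logs, is easy to sketch in code. The following Python is an added example, not code from the original article: the IOC feed and the log lines are constructed inline (reserved `.invalid` domains, RFC 5737 documentation IP ranges, a placeholder hash), the key=value log format is an assumption, and the `host=`/`src=` attribution is a best-effort convenience rather than any product's schema.

```python
"""Match operational threat-intelligence IOCs against internal security logs.

Added example, not code from the original article. The IOC feed and the
log lines are constructed for illustration: the domains use the reserved
.invalid TLD, the IPs come from RFC 5737 documentation ranges and the hash
is a placeholder, so none of them is a real indicator.
"""
import re
from collections import Counter
from dataclasses import dataclass

PLACEHOLDER_SHA256 = "0" * 63 + "1"

# Constructed IOC feed keyed by indicator type. A real feed (STIX bundle,
# CSV export, vendor API) would be normalised into this same shape.
IOC_FEED = {
    "domain": {"update-check.example.invalid", "cdn-static.example.invalid"},
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "sha256": {PLACEHOLDER_SHA256},
}

# Constructed log lines in a key=value style similar to proxy, firewall and EDR output.
SAMPLE_LOGS = [
    "2024-01-15T10:02:11Z proxy host=ws-114 dst=update-check.example.invalid:443 action=allow",
    "2024-01-15T10:02:13Z proxy host=ws-114 dst=www.example.org:443 action=allow",
    "2024-01-15T10:05:40Z fw src=10.0.4.22 dst=203.0.113.45 dport=8443 action=allow",
    "2024-01-15T10:07:02Z edr host=ws-114 file=setup.exe sha256=" + PLACEHOLDER_SHA256,
    "2024-01-15T10:09:55Z fw src=10.0.4.22 dst=192.0.2.10 dport=443 action=allow",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
HOST_RE = re.compile(r"\b(?:host|src)=(\S+)")  # assumed attribution fields


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    indicator: str
    host: str
    line: str


def extract_candidates(line: str) -> dict:
    """Pull every value that could be an indicator out of one log line."""
    return {
        "ipv4": set(IPV4_RE.findall(line)),
        "sha256": {h.lower() for h in SHA256_RE.findall(line)},
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
    }


def attributed_host(line: str) -> str:
    """Best-effort source attribution: the host= or src= field, else 'unknown'."""
    m = HOST_RE.search(line)
    return m.group(1) if m else "unknown"


def match_iocs(log_lines, feed=IOC_FEED):
    """Return one Hit per (line, indicator) where a feed IOC appears in the line."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        host = attributed_host(line)
        for ioc_type, values in extract_candidates(line).items():
            for indicator in sorted(values & feed.get(ioc_type, set())):
                hits.append(Hit(n, ioc_type, indicator, host, line))
    return hits


def hits_per_host(hits):
    """Count hits by attributed host so a machine touching several IOCs surfaces first."""
    return Counter(h.host for h in hits)


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no}: {h.ioc_type} {h.indicator} (host {h.host})")
    print(hits_per_host(found).most_common())
```

Matching on exact, normalised values (lower-cased domains and hashes) rather than substring search keeps false positives down; the per-host count is what turns three isolated hits into "one workstation touched a listed domain and dropped a listed file", which is the kind of context operational intelligence is meant to give a SOC.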
In the European Union, the Targeted Improvements for Better Effectiveness and Resource Efficiency (TIBER-EU) framework already compels financial institutions to undertake regular threat intelligence assessments and utilise the information acquired to reinforce their cybersecurity defences.
The TIBER-EU framework, a brainchild of the European Central Bank (ECB), is designed to augment the resilience of financial institutions against cyber attacks. Under this framework, financial institutions are obliged to carry out “red team” exercises, essentially testing their cybersecurity defences against simulated cyber attacks. The aim of these exercises is to uncover vulnerabilities in the institutions’ cybersecurity defences, thereby assisting them in crafting effective mitigation strategies.
To truly harness the potential of threat intelligence, businesses must have a thorough understanding of their own systems and networks. They need to comprehend what assets they possess, their location, and their connectivity. This might seem like a daunting task, as almost every organisation grapples with it to some degree. However, this information is indispensable for efficacious threat analysis and response.
With the appropriate tools and practices in place, organisations can construct a robust, proactive defence capable of withstanding even the most sophisticated cyber threats.
Engaging with specialist threat intelligence companies can also be a valuable way for businesses to enhance their cybersecurity posture without building a dedicated internal team. These companies tend to offer a range of services, from collecting and analysing threat data relevant to your business’s industry, right down to monitoring the hard-to-reach places on the internet for activity related to your specific business (think mobile application jailbreaks, sensitive product development codewords, co-ordinated DDoS attacks).
So where to begin? If you would like to learn more about Cyber Threat Intelligence, I completed a certification last year from MITRE ATT&CK Defender which gives you hands-on instruction. It covers how to take raw data, map it to ATT&CK, all the way through to making defensive recommendations. The course is free, although if you wish to take the associated certifications it is around $499 for a year’s membership, which opens up all of the MITRE ATT&CK certifications:
Free MITRE ATT&CK Defender (MAD) ATT&CK Cyber Threat Intelligence Certification
It makes sense to leverage the power of threat intelligence to secure our operations and protect our valuable assets.
In a future article I will dive deeper into what to consider when looking to engage with threat intelligence partners, and how to build an effective threat-led security operations program.
You can also get started by exploring, with your teams, some good sources of threat intelligence for your products:
CISA’s Known Exploited Vulnerabilities Catalog
Palo Alto Unit42 — ATOMS (Actionable Threat Objects and Mitigations)
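The CISA catalog listed above is only actionable if you can join it to what you actually run, which is the asset-inventory point made earlier in the article. The Python below is an added example, not code from the article or from CISA: it parses a constructed record in the shape of the KEV JSON download (the field names `cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse` and `requiredAction` are the public feed's; the CVE IDs are placeholders), joins it to an assumed inventory layout, and ranks the matches with assumed weights for ransomware use, internet exposure and the catalog due date.

```python
"""Prioritise remediation by matching a CISA KEV-style catalog to an asset inventory.

Added example, not code from the original article or from CISA. The
catalog record is constructed and uses placeholder CVE IDs; its field
names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse,
requiredAction) follow the public KEV JSON feed. The inventory layout, the
"as of" date and the scoring weights are assumptions for illustration.
"""
import json
from datetime import date

AS_OF = date(2024, 2, 10)  # constructed evaluation date

# Constructed catalog in the shape of the KEV JSON download. CVE IDs are placeholders.
KEV_JSON = json.dumps({
    "title": "constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dueDate": "2024-02-01", "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dueDate": "2024-03-15", "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherCorp", "product": "Mailer",
         "dueDate": "2024-01-20", "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed asset inventory (layout is an assumption). The inconsistent
# casing in vendor/product mirrors what real CMDB exports look like.
INVENTORY = [
    {"asset": "vpn-edge-01", "vendor": "examplevendor", "product": "gateway", "exposure": "internet"},
    {"asset": "vpn-edge-02", "vendor": "ExampleVendor", "product": "Gateway", "exposure": "internal"},
    {"asset": "build-07", "vendor": "Acme", "product": "CI Runner", "exposure": "internal"},
]


def _key(vendor, product):
    """Normalise vendor/product so casing and stray whitespace do not hide a match."""
    return (vendor.strip().lower(), product.strip().lower())


def priority_score(entry, asset, today=None):
    """Assumed weighting: known ransomware use, internet exposure and the CISA due date."""
    today = today or AS_OF
    score = 0
    if entry.get("knownRansomwareCampaignUse") == "Known":
        score += 50
    if asset.get("exposure") == "internet":
        score += 30
    days_left = (date.fromisoformat(entry["dueDate"]) - today).days
    if days_left < 0:
        score += 40  # already past the catalog due date
    elif days_left <= 14:
        score += 20
    return score


def prioritise(kev_json, inventory, today=None):
    """Join catalog entries to inventory rows on (vendor, product) and rank by score."""
    catalog = json.loads(kev_json)["vulnerabilities"]
    by_product = {}
    for entry in catalog:
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    results = []
    for asset in inventory:
        for entry in by_product.get(_key(asset["vendor"], asset["product"]), []):
            results.append({
                "asset": asset["asset"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "score": priority_score(entry, asset, today),
                "action": entry["requiredAction"],
            })
    results.sort(key=lambda r: (-r["score"], r["due"], r["asset"]))
    return results


def unmatched_entries(kev_json, inventory):
    """Catalog entries with no inventory match: not in the estate, or an inventory gap."""
    have = {_key(a["vendor"], a["product"]) for a in inventory}
    return [e["cveID"] for e in json.loads(kev_json)["vulnerabilities"]
            if _key(e["vendorProject"], e["product"]) not in have]


if __name__ == "__main__":
    for row in prioritise(KEV_JSON, INVENTORY):
        print(row)
    print("no inventory match:", unmatched_entries(KEV_JSON, INVENTORY))
```

The `unmatched_entries` list deserves a look as much as the ranked matches do: a catalog entry that matches nothing is either genuinely absent from your estate or a sign that the inventory is incomplete, and only a well-kept asset register lets you tell the two apart.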