17 June 2020 – As a cybersecurity professional, your work is never done. In fact, I have read a University of Maryland study which quantified the rate of hacker attacks of computers connected to the internet – once every 39 seconds on average. As digitalisation accelerates on a global scale, cybercriminals are constantly coming up with new ways to exploit weaknesses in our IT infrastructure. In this context of unpredictability, can it ever be possible for an organisation to stay ahead of the cybersecurity curve?
A quick lesson in semantics on the term ‘stay ahead’ would suggest one of the major keys to a successful cybersecurity programme is to be proactive, as compared to reacting only when a cyber-incident occurs. To do this, having access to good threat intelligence is essential for any organisation looking to outsmart the cybercriminals.
Why is threat intelligence important?
Threat intelligence is a key component of any cybersecurity ecosystem. Gartner’s defined threat intelligence as an evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets.
For those who are self-confessed data junkies, let us lay down some ground rules on threat intelligence before you get too carried away with the prospect of having unfettered access to facts, figures and statistics through your threat intelligence programme. Firstly, threat data is a value that is collected just by observation. On its own, it does not mean anything without any context. On the other hand, threat intelligence is the result of analysing data, which are translated into actionable insights that enable you to deploy solutions specific to the problem found, while strengthening a business’ cybersecurity posture at the same time.
Today, the threat landscape is evolving at a rapid pace, with the constant flow of data transmitted over the information highway. A shortage of skilled cybersecurity professionals in the field of threat and vulnerability assessment is also not something new to us as well. What this means for organisations is that in this age of shrinking IT budgets, there is an urgent need to be equipped with the right tools to decide what information is relevant and prioritise to whom they are relevant to.
Types of threat intelligence
While many managed service providers may claim to offer threat intelligence solutions, this can mean a whole number of things. First, let’s zero in on the four main types of threat intelligence – strategic, tactical, technical and operational – and while there might be some overlap between them, having a good understanding of their functions will allow an organisation to disseminate information to the right people.
Strategic threat intelligence
This type usually contains high-level analysis containing general and broad trends over time on how cybersecurity threats can impact a business for a non-technical audience who are usually the decision makers within an organisation. They are different from other kinds of threat intelligence in the sense that they usually come from open sources such as white papers and reports.
Tactical threat intelligence
Tactical threat intelligence refers to information on tactics, techniques and procedures (TTPs) of threat actors. Such technical information has a tendency to focus on the present, as people who are responsible for the security of their organisation’s IT infrastructure would need to understand how they might be attacked in order to come up with strategies to counter them.
Technical threat intelligence
Technical threat intelligence focuses heavily on indicators of compromise (IOCs) such as suspicious URLS or malware hashes.
Operational threat intelligence
Operational threat intelligence seeks to answer the questions of who, what, and how associated with a cyberattack.
There is some overlap with technical threat intelligence, since operational threat intelligence does
contain some element of technical information in terms of what attack vector is being used or the kind of command and control domain being used. However, other sources of operational threat intelligence can also be acquired from infiltrating the communication channels of threat actors, which will allow one to gain specialised insights to understand the capabilities of cybercriminals.
Building your foundation in real-time threat intelligence
Getting started with threat intelligence can be overwhelming, even for a seasoned IT professional. With so many threat intelligence service providers offering automated and aggregated solutions today, which would best suit your organisation’s needs?
Today, most managed security service providers are able to automate the process of delivering real-time aggregated data to you. As a starting point for any business looking to establish a good cyberthreat intelligence programme (CTI), this is an absolute must. However, the act of receiving threat data is insufficient on its own. The ability to provide original insights based on real-time data that can be translated into action is imperative for your organisation to be able to bolster its cybersecurity posture.
At Kaspersky, we offer organic threat intelligence content because of a combination of our Kaspersky Security Network’s global database, machine learning, and our own human powerhouse, our Global Research & Analysis Team (GReAT).
As an example, Kaspersky’s Threat Data Feeds are enriched with insights from our elite, internal researchers, GReAT. These 40+ cybersecurity experts stationed across the world possess expertise on threat actors, incorporating elements of tactical, technical and operational threat intelligence to provide actionable context such as threat names, timestamps, and resolved IPs addresses of infected web resources. Together, they can be used to answer the who, what and how questions which lead to identifying your adversaries, enabling you to make timely decisions specific to your organisation.
When it comes to making a case to your C-suite for more IT funding, having access to the latest cybersecurity trends to enable your organisation to make more informed strategic decisions. Our APT Intelligence Reporting can help you understand what are some of the cutting-edge threats in a comprehensive and practical manner, as well offer you insights into non-public APTs that are sometimes not publicly available.
While these examples are just some of the solutions we offer, they are good starting points for anyone looking to build a cyberthreat intelligence programme. As cyberthreats continue to evolve, so too will the functions of threat intelligence. The holy grail for any organisation, is to integrate strategic, tactical, operational and technical intelligence in a manner that will enable you to build a more secure environment to deal with your adversaries.