Keys to effective Cyber Threat Intelligence
Only halfway through 2017 and there have already been a number of significant cyber security incidents reported across the globe. From the WannaCry ransomware attack in May to the Petya incident in June, as well as targeted attacks on corporations and government agencies, securing your organisation’s networks is more critical than ever.
Timely threat detection via accurate threat intelligence feeds is key to thwarting hackers and plays a critical role in averting cyber attacks. A threat intelligence feed is a real-time stream of data related to potential or current threats to an organisation’s security. It includes data such as IP blacklists, malicious and phishing URLs, vulnerability lists, and command and control domains used to orchestrate attacks.
Hackers use similar methods to breach different organisations, so a threat intelligence feed gives insights into possible identities of hackers, the methods they use, and the networks they are targeting. It allows security experts to predict future threats and establish countermeasures to protect systems.
However, to set up the proper measures and avert an attack, organisations need more than just threat feeds; they need true contextualized, actionable threat intelligence.
Moving from Threat Data to Actionable Intelligence
Without properly analysing, processing, and contextualising a threat intelligence feed, organisations are simply collecting data. Since a vast amount of information is available via various feeds, you need to ascertain which threats are specific to your organisation.
Properly contextualising threat data requires a broader perspective on threat intelligence. Effective threat intelligence examines an organisation’s total attack surface, taking into account the industry, location, internal software and networks, vulnerabilities, physical threats to personnel and property, third-party vendors, brand reputation risks, and customer goodwill.
Once threat data is analysed in the context of a specific organisation’s threat surface, it needs to lead decision makers to the best form of action. Data with analysis and context becomes actionable information, and only once it can actually be acted upon does it become intelligence.
Those actions can be something as simple as handling a surge in traffic, reducing risks, focusing defenses in the right places, or setting up countermeasures to throw attackers off course. If proper orchestration is also in place, mitigation enabled in the network fabric can then block, sinkhole, or even modify the traffic being sent back to the attacker to spot data loss before it happens or even mislead the attacker through intentional misinformation.
Integrating Threat Intelligence
Choosing a threat intelligence provider is an important process. Many organisations don’t take the time or follow the proper process and end up with a supplier that isn’t the right fit. Below are three valuable tips to help you to select the right partner.
- Experience Matters
While there are many new data feeds popping up and new companies entering the threat intelligence market, organisations should take a critical look at the track record of potential suppliers. Organisations should only consider providers with established histories, credible references, and effective security. Brookcourt Solutions has a proud track record of helping large and small corporations protect themselves from cyber threats for the last 12 years.
- Consider Integration
Organisations must consider how they’ll integrate a threat intelligence platform into their security infrastructure. Companies waste time and money by purchasing feeds before knowing how to integrate them. Working with a provider that has integration tools, performs integration for you, or provides a complete solution of feeds, software, and devices delivers more immediate protection and offers ongoing cost benefits.
- Choose Quality, Not Just Quantity
There’s a lot of noise in data feeds, and feeds that provide high volume but low-fidelity indicators can hurt more than they help. Make sure data feeds are specific, with indicators at the URL level and not just the IP level, so that legitimate sites and traffic don’t get blocked and security personnel don’t get bogged down with alert fatigue. Threat intelligence feeds provide valuable data to spot risks, forecast threats, and identify possible attackers. But for feeds to be effective at preventing attacks, they require proper analysis based on context and specific actions to mitigate threats.
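The URL-level versus IP-level point above, shown on constructed proxy log lines (an added example, not part of the original article or any vendor product): a shared-hosting IP that appears in a feed flags every site behind it, while a canonicalised URL indicator flags only the malicious request. The feed entries, IP addresses and log format are all made up for this illustration.

```python
from urllib.parse import urlsplit

# Constructed feed: the malicious URL is hosted on a shared IP that also
# serves a legitimate site. Both indicators are invented for this example.
FEED_IPS = {"203.0.113.10"}
FEED_URLS = {"http://files.example.net/invoice/update.exe"}

# Constructed proxy log lines: timestamp, client, destination IP, URL.
PROXY_LOG = [
    "2017-06-28T09:00:01Z 10.1.2.3 203.0.113.10 http://shop.example.com/index.html",
    "2017-06-28T09:00:05Z 10.1.2.4 203.0.113.10 HTTP://Files.Example.net:80/invoice/update.exe#x",
    "2017-06-28T09:00:09Z 10.1.2.5 198.51.100.7 http://news.example.org/today",
]


def normalize_url(url):
    """Canonicalise so feed and log URLs compare equal: lower-case scheme and
    host, drop the default port and any fragment, keep path and query as-is."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    if p.port and p.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{p.port}"
    query = f"?{p.query}" if p.query else ""
    return f"{scheme}://{host}{p.path or '/'}{query}"


def parse_line(line):
    _ts, client, dst_ip, url = line.split()
    return client, dst_ip, url


def match_ip_level(log_lines, feed_ips):
    """(client, url) for every request to a listed IP: the whole host is flagged."""
    return [(c, u) for c, ip, u in map(parse_line, log_lines) if ip in feed_ips]


def match_url_level(log_lines, feed_urls):
    """(client, url) only for requests whose canonical URL is on the feed."""
    wanted = {normalize_url(u) for u in feed_urls}
    return [(c, u) for c, _ip, u in map(parse_line, log_lines)
            if normalize_url(u) in wanted]


def false_positives(log_lines, feed_ips, feed_urls):
    """Requests flagged by the IP indicator but by no URL indicator: likely benign."""
    url_hits = set(match_url_level(log_lines, feed_urls))
    return [h for h in match_ip_level(log_lines, feed_ips) if h not in url_hits]


if __name__ == "__main__":
    for client, url in false_positives(PROXY_LOG, FEED_IPS, FEED_URLS):
        print(f"IP-only match, probably legitimate traffic: {client} -> {url}")
```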