Understanding Threat Intelligence: Seeing Beyond Indicators of Compromise
Threat intelligence doesn’t mean subscribing to multiple data feeds.
There is a lot of confusion and misunderstanding about what constitutes threat intelligence. Too often, threat intelligence gets misaligned with tracking a bunch of Indicators of Compromise (IoCs), and the underlying assumption is that a company has to be compromised, or in the process of being compromised, before it can take advantage of the intelligence. This is called post-breach threat intelligence.
In theory, indicators can be actionable, but as a general rule, this kind of intelligence is nothing more than a data feed and not scalable for many companies. The focus on IoCs creates noise in which only a small portion of the threat intelligence is applicable to your organisation.
Knowing which indicators to focus on first is just the beginning. Correlating all the subsequent events associated with that indicator – and recognising the pattern of what the attack looks like – is a challenge without the staff and tools needed to sustain such an operation.
Doing this is still not enough, as it only gives you an indication of the arsenal an attacker has – and may give you limited attribution capabilities. This does not yield you much, because you cannot run an operation to destroy said cyber arsenal – nor can you prosecute the attackers. This is better left to global government organisations already participating in these activities.
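The matching and correlation work described in the paragraphs above, shown as an added Python example that is not part of the original post and is not Mimecast code: a constructed indicator feed is matched against constructed log lines, the share of the feed that ever fires is measured (the "noise" point), and the events that follow each host's first hit within a time window are grouped into a chain so hosts can be ranked. All indicator values, hostnames, timestamps and the feed size are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed indicator feed (placeholder values, not real IoCs) --------
# indicator value -> (indicator type, campaign label)
PLACEHOLDER_SHA256 = "0" * 64
IOC_FEED = {
    "203.0.113.45": ("ip", "campaign-A"),
    "bad-example.invalid": ("domain", "campaign-A"),
    "198.51.100.7": ("ip", "campaign-B"),
    PLACEHOLDER_SHA256: ("sha256", "campaign-C"),
    "192.0.2.99": ("ip", "campaign-D"),
}
# Pad the feed with indicators that never appear in the logs, to mimic the
# bulk of a commercial feed that is irrelevant to this particular estate.
for i in range(1, 20):
    IOC_FEED[f"192.0.2.{i}"] = ("ip", f"filler-{i}")

# --- Constructed log events in a flat "timestamp host kind value" form -----
SAMPLE_LOGS = f"""
2024-03-01T09:00:00 ws-17 dns bad-example.invalid
2024-03-01T09:00:05 ws-17 conn 203.0.113.45
2024-03-01T09:01:10 ws-17 proc powershell.exe
2024-03-01T09:02:30 ws-17 file {PLACEHOLDER_SHA256}
2024-03-01T09:30:00 ws-17 conn 203.0.113.45
2024-03-01T09:15:00 ws-22 dns intranet.example
2024-03-01T11:00:00 ws-22 conn 198.51.100.7
2024-03-01T13:00:00 ws-17 conn 203.0.113.45
"""


def parse_events(text):
    """Parse the flat log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, value = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "value": value})
    return sorted(events, key=lambda e: e["ts"])


def match_iocs(events, feed):
    """Return every event whose value is an indicator in the feed."""
    hits = []
    for e in events:
        if e["value"] in feed:
            ioc_type, campaign = feed[e["value"]]
            hits.append({**e, "ioc_type": ioc_type, "campaign": campaign})
    return hits


def feed_applicability(hits, feed):
    """(distinct indicators that fired, total feed size): how much of the feed mattered."""
    return len({h["value"] for h in hits}), len(feed)


def correlate(events, hits, window=timedelta(hours=1)):
    """Per host, collect every event from its first IoC hit to `window` later.

    This is the 'subsequent events associated with that indicator' step: the
    chain is what an analyst reads to recognise the shape of the attack.
    """
    first_hit = {}
    for h in hits:                      # hits are in timestamp order
        first_hit.setdefault(h["host"], h["ts"])
    chains = defaultdict(list)
    for e in events:
        t0 = first_hit.get(e["host"])
        if t0 is not None and t0 <= e["ts"] <= t0 + window:
            chains[e["host"]].append(e)
    return dict(chains)


def prioritise(chains, hits):
    """Rank hosts by distinct campaigns seen, then by chain length."""
    campaigns = defaultdict(set)
    for h in hits:
        campaigns[h["host"]].add(h["campaign"])
    return sorted(chains, key=lambda host: (len(campaigns[host]), len(chains[host])),
                  reverse=True)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    found = match_iocs(evs, IOC_FEED)
    fired, total = feed_applicability(found, IOC_FEED)
    print(f"{fired} of {total} feed indicators ever matched")
    chains = correlate(evs, found)
    for host in prioritise(chains, found):
        print(host, [f"{e['kind']}:{e['value'][:12]}" for e in chains[host]])
```

Run as a script it reports that only 4 of the 24 constructed indicators ever matched, and prints the per-host event chains with the busier host first. The window and ranking key are the knobs a team would tune; in practice the hard part is keeping `parse_events` working as log sources change, which is the staffing cost the text refers to.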
Taking Stock of Your Risk & Security Profile
A good enterprise intelligence operation must focus on how an attacker views your cache of security tools so you can either strengthen your weaknesses or even plant faulty information as decoys as part of a deception strategy. This all starts with a risk assessment, as it gives you the opportunity to prioritise your actions based on what will have the biggest impact in thwarting those hostile intelligence operations against your infrastructure and people.
With the risk assessment in hand, the next step is to obtain an external view of your digital footprint. In other words, who are your suppliers, clients and partners that can be targeted and create additional risk for your organisation? Who can be targeted and cause harm, to not only your company, but everyone connected to you?
Lastly, you must understand the kind of risks human error poses to the enterprise and focus on solving the non-technical aspects of the larger security culture problem. This happens by combining inside knowledge and outside digital chatter to determine how an adversary sees you.
A Holistic Approach to Threat Intelligence
I came to Mimecast because I saw a unique opportunity to combine over 12 billion emails, web and awareness training data into insights we can offer our customers – a fresh perspective on how a mature intelligence operation can deliver strategic business direction.
Our Threat Centre draws insights and gives recommendations to our customers that extend beyond the noise of IoCs. Our ability to see exploitation before it is even determined to be a vulnerability and gather insights on the largest attack vector on the planet – while tying that back to security culture – differentiates our Threat Centre from traditional malware-focused threat intelligence operations. This data will be used to trend and baseline industries on how attractive they are to today’s attacker and how their digital fingerprint impacts their risk.
This removes the hurdle of customers having to collect, process and deploy IoCs on their own, letting them focus instead on the business directions that do the most to operationalise their investments and set a strategic direction in security that senior leadership understands.
Putting Customer Needs – and Actions – First
By shifting your attention from the daily noise of post-breach threat intelligence (IoCs) to a solid business-oriented threat intelligence program, you create a dynamic of proactively closing holes that make you an attractive target and collectively raising the bar against your adversaries.
To achieve this level of insight you need to have a strong understanding of your infrastructure, your external profile and the employee activity in the company when looking at your security culture.
Regardless of whether it’s a phishing exercise to harvest credentials or implant malware, our vulnerability and research teams can detect and prevent these attacks and also derive malicious intent or human error. With research from the Threat Centre, we can close the loop to drive user awareness and reduce human error.
Today’s rapidly evolving threat landscape demands a unique approach, and we hope to provide the value of what we do every day back to our customers and the security community at large.
Need to explain or evaluate the value of threat intelligence? Check out our 8-part series: Threat Intelligence for the 99%. You can find part 1 here.