By Abhijit Dhongade, CTO and Co-Founder at Block Armour
Threat intelligence is the mechanism of collecting actionable information on adversaries. This information consists of details on Threat Actors (APT groups, nation states, hacktivists and other attackers), Threat Vectors (spam, vulnerabilities, exploit kits, new hacking tools etc.), Indicators of Compromise (symptoms indicating a particular group or attack), and actionable advice about the currently prevalent threats. Threat Intelligence is required by organizations that want to know their attackers before they attack.
This helps an organization prepare its defenses accordingly and build an Active Defense Framework. Many service providers offer free and/or paid subscription feeds of Threat Intelligence. These feeds are customized for the organization to eliminate noise and provide focused, relevant intelligence that is actionable.
Essential Characteristics of Actionable Threat Intelligence
Threat Intelligence can be broadly classified into two categories as follows:
Internal Threat Intelligence
Internal Threat Intelligence involves acquiring information about an organization’s asset posture. This consists of conducting vulnerability assessments and identifying vulnerability information for each asset, obtaining zero-day threat information relevant to the assets in the organization, and understanding other weaknesses open to attack.
This intelligence helps SOC and Incident Response (IR) analysts prioritize and focus on real-time alerts that exploit these weaknesses. A lack of internal threat intelligence reduces the visibility of security monitoring personnel and could cause them to lose focus on targeted cyberthreats.
Internal Threat Intelligence can further be sub-categorized into the following types:
- Asset Posture
- Vulnerability Assessment of Assets
- Penetration Test Results
- Cyber Security Assessment Findings
External Threat Intelligence
External Threat Intelligence is the acquisition of information about threats from the Internet. This helps in identifying potential hacking groups (Threat Actors) that may be interested in attacking an organization and the techniques they use to do so.
It also helps organizations identify whether they have already been breached, by searching for IOCs in their technology infrastructure. Security architects and analysts can leverage external threat intelligence to prepare an active defense against the attackers and respond effectively in case of an attack.
Listed below are the various kinds of External Threat Intelligence:
- Indicators of Compromise (IOCs)
- External Vulnerability Feeds
- Emerging and New Threats
- Threats Mentioned Over Social Media
- Brand Abuse
- Information from Deep Web
Threat Intelligence is usually consumed by implementing a Threat Intelligence Platform. This technology consolidates threat intelligence feeds from various subscriptions and helps eliminate false positives and repetitive intelligence, letting organizations focus on more actionable alerts.
The audience for Threat Intelligence usually includes Security Operations Centre (SOC) Analysts, SOC Engineers, Incident Response Engineers, Threat Hunters, and Security Architects. SOC analysts can use these feeds and correlate them with real-time events to identify an ongoing attack. SOC Engineers utilize these feeds to build alerts in SIEM (Security Incident and Event Management) systems that can detect threats known in the cyber space.
Incident Responders utilize these feeds to investigate and mitigate an attack. Threat Hunters search the organization’s infrastructure for the Indicators of Compromise (IOCs) provided by the intelligence to identify a potential breach. Security architects consume these feeds to strengthen the overall security posture of the organization and provide Active Defense.
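The two platform tasks just described, consolidating overlapping feeds and correlating the result with live events, in an added example that is not part of the original article or of any Block Armour product. The feeds, the proxy log lines and the indicator values are constructed for illustration; the normalization step exists because published feeds often "defang" indicators (`example[.]test`, `hxxp://`), so the same IOC from two subscriptions would otherwise count twice.

```python
import re

# Constructed sample feeds (not real indicators). The two subscriptions overlap,
# and feed B defangs its values the way many published feeds do.
FEED_A = [
    ("domain", "update.malware-example.test", "feed-a"),
    ("ip", "203.0.113.45", "feed-a"),
    ("ip", "198.51.100.7", "feed-a"),
]
FEED_B = [
    ("domain", "UPDATE.malware-example[.]test", "feed-b"),  # same domain as feed A
    ("ip", "203.0.113.45", "feed-b"),                      # same IP as feed A
    ("domain", "login.phish-example[.]test", "feed-b"),
]

# Constructed proxy log lines: "timestamp src_ip dst_host dst_ip".
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z 10.0.0.12 intranet.corp.test 10.0.0.5
2024-05-01T10:00:07Z 10.0.0.31 update.malware-example.test 203.0.113.45
2024-05-01T10:00:09Z 10.0.0.12 www.example.org 192.0.2.80
2024-05-01T10:00:15Z 10.0.0.44 login.phish-example.test 192.0.2.99
"""

def normalize(value: str) -> str:
    """Refang and canonicalize an indicator so duplicates across feeds collide."""
    v = value.strip().lower().replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", v)

def consolidate(*feeds):
    """Merge feeds into one table keyed by (type, value), keeping every source."""
    table = {}
    for feed in feeds:
        for ioc_type, value, source in feed:
            table.setdefault((ioc_type, normalize(value)), set()).add(source)
    return table

def match_logs(table, logs: str):
    """Correlate each log line's destination host and IP with the IOC table."""
    hits = []
    for line in logs.splitlines():
        ts, src_ip, dst_host, dst_ip = line.split()
        for key in (("domain", dst_host.lower()), ("ip", dst_ip)):
            if key in table:
                # Report which subscriptions agree on the indicator; an IOC seen
                # in several independent feeds is usually worth triaging first.
                hits.append((ts, src_ip, key[0], key[1], sorted(table[key])))
    return hits
```

Running `match_logs(consolidate(FEED_A, FEED_B), SAMPLE_LOGS)` yields three hits from two internal hosts, with the duplicated domain and IP each attributed to both feeds rather than raised as separate alerts.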
Threat Intelligence has now become an integral part of the security ecosystem, without which it is hard to withstand targeted attacks. An effective Threat Intelligence strategy helps increase an organization’s visibility of emerging cyberthreats. Organizations need to build a threat intelligence framework and hire skilled personnel to operate it in order to stay one step ahead of cybercriminals.
About the author:
Abhijit Dhongade is Co-Founder and CTO at Block Armour – a blockchain-based cybersecurity startup. He is considered an expert in the areas of Security Incident and Event Management (SIEM) systems, Security Operations Center (SOC) and Incident Response (IR). Abhijit’s extensive experience includes working for critical infrastructure institutions, including being responsible for designing, deploying and maturing the SOC for National Stock Exchange – one of the earliest enterprise SOCs in India.