[BreachExchange] The Importance Of Cyber Intelligence In A Firm’s Operations

Destry Winant destry at riskbasedsecurity.com
Thu Jan 17 01:00:37 EST 2019


https://hackercombat.com/the-importance-of-cyber-intelligence-in-a-firms-operations/

In the initial stages of creating a threat cyber-intelligence
capability, it is vital to develop an understanding of the services,
providers, tools and platforms that are currently available on a
day-to-day basis. Unfortunately, as interest in this area of security
has increased, the term “threat cyber-intelligence” has been adopted
and applied in many places where it may not be applied correctly. In
particular, the terms “data”, “information” and “intelligence” may
often be used interchangeably.

Intelligence tells a story that can be used to inform decision making.
Fundamentally, intelligence never answers a simple question, but
paints an image that can be used to help people answer much more
complicated questions. Information on buying trends could be used in
combination with behavioral psychology research to help shoppers find
the items they want. This intelligence does not directly answer the
question of how to make people buy more, but it helps in a process of
business decision making.

In many cases, accessing data from threat feeds is considered the “on”
switch for a threat intelligence capability. Because these tools are
often open source and deal with technical indicators, they are
often touted as a good starting point for developing a strategy.
Threat cyber-intelligence is a relatively new area of information
security, and those who have the necessary services and technology
should be interested in making sure that organizations understand the
benefits they will see with this type of capability. But as with any
emerging technology, the hype from time to time exceeds reality, so
expectations must be managed well.

Since there is an exponentially greater amount of data than ever
before, there are also many more opportunities to gain intelligence
from it. But, with so many sources and so much data, this is difficult
to do manually. Many times, the term “threat cyber-intelligence” is
used to describe the sources of all this data, but in reality they are
simply data sources that must be processed before they can be
considered intelligence.

Sources of Intelligence

Social media

Undoubtedly, there is a lot of potentially useful data on social media
channels, but it is difficult to determine false positives and
misinformation. In general, we will find many references to the same
threats and tactics, which can be a heavy burden for security
analysts.

Dark web (part of the Internet not reachable by search engines)

It is often the source of very specific information about tactical and
technical threats, but it is incredibly difficult to access,
especially for higher-level criminal communities. Also, since many of
these communities do not speak English, the language is often a
challenge.

Technical data (for example, lists of threats, spam, malware,
malicious infrastructure)

This type of data is available in large quantities, often free of
charge. Due to its binary nature, it is easy to integrate it with the
existing security technologies, although a great amount of additional
analysis will be needed to obtain a real context. These sources
present a high probability of false positives, and the results are
frequently outdated.

Data provided by public media

These sources often provide useful indicators of new and emerging
threats, but it will be difficult to connect them with relevant
technical indicators to measure the genuine risk of each of them on
its own.

Forums

Because these channels are specifically designed to host relevant
discussions, they are a potentially valuable source of information
about threats. That said, time should be spent collecting and
analyzing to identify what is truly valuable about them.

Many times, organizations adopt a volumetric approach to security,
particularly when it comes to addressing vulnerabilities. And, of
course, without threat cyber-intelligence to inform the strategy, it
only makes sense to prioritize the vulnerabilities according to the
number of susceptible systems. But with a robust threat intelligence
program that provides vulnerability analysis from a wide variety of
available sources, firms can take a much more strategic and risk-based
approach. Instead of painting by numbers, organizations can consult a
range of sources and receive alerts about specific indicators that
increase the risk of a CVE being exploited.

Seventy-five percent of the vulnerabilities reported since the
beginning of 2016 appear on websites and social networks an average of
seven days before the primary information channels. And as references
to disclosed vulnerabilities increase, so does the likelihood of
exploitation. The nature of the sources also becomes a factor here.
References in criminal forums or dark web communities will also
contribute to a higher risk score, as threat actors begin to discuss
and share methods of exploitation. The risk will increase once again
when the indicators show that the vulnerability is part of an exploit
kit.

Clearly, having this kind of intelligence makes the task of
prioritizing vulnerabilities much simpler and more powerful. After
all, no matter how few of the assets may be affected, if an exploit is
being actively discussed in dark web forums, then with a powerful
threat cyber-intelligence capability this level of content can be
collected, analyzed and constantly used to inform a risk-based
information security strategy, making it possible to identify the most
important threats for an organization at any time and allocate the
necessary resources accordingly.
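
The contrast between volumetric and intelligence-informed
prioritization described above, as an added example that is not part
of the original article. The CVE identifiers, sample records, weights
and asset cap are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    cve: str                  # placeholder identifier, not a real CVE
    affected_assets: int      # susceptible systems in the estate
    mentions_last_week: int   # references seen across web and social sources
    mentions_prev_week: int
    criminal_forum_refs: int  # references in criminal forums / dark web communities
    in_exploit_kit: bool      # indicators show inclusion in an exploit kit

# Assumed weights for illustration; a real programme would tune these.
W_EXPOSURE, W_RISING, W_FORUM, W_KIT = 1.0, 2.0, 3.0, 4.0
ASSET_CAP = 500  # assumed cap so the asset count cannot dominate the score

def volumetric_rank(vulns):
    """Rank purely by the number of susceptible systems."""
    ordered = sorted(vulns, key=lambda v: v.affected_assets, reverse=True)
    return [v.cve for v in ordered]

def risk_score(v):
    """Combine exposure with the threat signals the article lists."""
    exposure = min(v.affected_assets, ASSET_CAP) / ASSET_CAP
    # Week-over-week growth in references, clipped to the range [0, 1].
    growth = (v.mentions_last_week - v.mentions_prev_week) / max(v.mentions_prev_week, 1)
    rising = min(max(growth, 0.0), 1.0)
    forum = 1.0 if v.criminal_forum_refs > 0 else 0.0
    kit = 1.0 if v.in_exploit_kit else 0.0
    return W_EXPOSURE * exposure + W_RISING * rising + W_FORUM * forum + W_KIT * kit

def risk_rank(vulns):
    """Rank by the intelligence-informed score, highest risk first."""
    return [v.cve for v in sorted(vulns, key=risk_score, reverse=True)]

# Constructed sample records.
SAMPLE = [
    Vuln("CVE-EXAMPLE-A", 400, 2, 3, 0, False),   # widespread, no threat activity
    Vuln("CVE-EXAMPLE-B", 5, 40, 10, 6, True),    # few assets, heavy threat activity
    Vuln("CVE-EXAMPLE-C", 120, 15, 5, 2, False),  # moderate on both axes
]

if __name__ == "__main__":
    print("volumetric:", volumetric_rank(SAMPLE))
    print("risk-based:", risk_rank(SAMPLE))
```

With the sample data the vulnerability affecting only five assets
moves from last place to first once forum references and exploit-kit
inclusion are taken into account.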

How can possible troubles be countered? They can be addressed in two
ways:

1. Define the goals, and strictly stick with them.
The clearer you are about the areas in which you believe that
cyber-intelligence will change the security profile, the more likely
you are to succeed. Do not be afraid to be very specific from the
beginning to ensure that you maximize value in just a few key areas.
2. Do not look for a provider, find a partner.
To develop the intelligence capacity, repurpose a new goal to reach
the initially established objectives. A threat cyber-intelligence
provider who invests in the success of their work and works with the
firm to discover new potential use cases is much more valuable than
a provider who simply sees your organization as another paycheck.

