Threat intelligence is knowledge that allows companies and individuals to prevent or mitigate cyber attacks. Rooted in data, threat intelligence gives users the context that helps them make informed decisions about security, by answering questions like who is the attacker, what their motivations and capabilities are, and what indicators of compromise to look out for, in their systems. Modern day security operations teams can rarely keep up with all of the alerts they receive — threat intelligence helps automatically prioritize and filter alerts and other threats.
Vulnerability management teams can hone in on the most important vulnerabilities by using threat intelligence to determine what vulnerabilities represent the biggest risks based on the external threat landscape. And fraud prevention, risk analysis, and other high-level security processes are enriched by key insights on threat actors and their tactics, techniques, and procedures.
The best threat intelligence solutions use machine learning to automate data collection and processing, integrate with your existing solutions, take in unstructured data from disparate sources, and then connect the dots by providing context on indicators of compromise (IOCs) and the tactics, techniques, and procedures (TTPs) of threat actors.
Threat intelligence is often broken down into three subcategories: Strategic, which refer to broader trends typically meant for a non-technical audience, tactical, which mean an outline of the tactics, techniques, and procedures of threat actors for a more technical audience and operational, meaning technical details about specific attacks and campaigns.
Maher Jadallah, regional director – Middle East, Tenable, says the majority of modern breaches are a direct consequence of ineffective vulnerability management, and adds that the discovery and disclosure of vulnerabilities is growing both in volume and pace and shows no sign of abating. “Trying to remediate and mitigate all disclosed vulnerabilities, even when prioritizing High and Critical vulnerabilities, is an exercise in futility, and managing vulnerabilities at volume and scale across different teams requires actionable intelligence. Otherwise, we’re not making informed decisions – we’re guessing.”
Jadallah adds that in 2018, as much 16,500 new vulnerabilities were disclosed and CVSS categorized the majority as high or critical. With vulnerabilities on the rise, organizations need to be able to identify those that pose a real rather than theoretical risk to the business so they can zero in on remediating the vulnerabilities that matter most.
According to Marc French, Senior Vice President and Chief Trust Officer, Mimecast, “Threat intelligence helps security teams take contextual action to respond quickly to cyber threats and ensure user behaviour training and policy changes are focused on high risk employees.”
He goes on to cite a new study by Mimecast and Vanson Bourne, which found that as much as 69% of UAE respondents felt that threat intelligence was extremely important for their organization and 26% of organisations said that their email security system cannot currently provide threat intelligence data to their security teams. The same study also found that 26% of email systems can’t consume and apply threat intelligence data to security systems. With email being a top vector, this is an issue worth flagging, as it highlights how a quarter of respondents aren’t able to maximise the insight threat intelligence provided to make it fully actionable.
Fortinet’s Q1 2019 Threat Landscape Report sums it up best: “It’s been said that if you really want to understand threat trends, it’s a good idea to closely follow prevailing technology trends. That saying proves true in unraveling this case. Social media continues to boom, driving the need to make the creation of social-savvy websites easy for the masses. Content management systems (CMS) and various development frameworks (like ThinkPHP) have sprung up to meet that demand. Internet miscreants have, in turn, taken advantage of what has become a regular drumbeat of vulnerabilities affecting these tools.”
The report adds: “Our latest data suggests that threat actors continue to move away from indiscriminate ransomware attacks to more targeted and potentially more lucrative campaigns. Multiple attacks reported in Q1 2019, including those against a major Norwegian aluminum manufacturer, two American chemical companies, and a French engineering firm, support this premise.
This just goes to show the growing importance of threat intelligence in the region today, and the need for organizations to wake up to its positive outcomes. The Gartner Market Guide for Security Threat Intelligence Product and Services sates that threat intelligence capabilities can make digital businesses more resilient. “Security and risk management leaders will need to evaluate the capabilities and features of TI offerings and match them to the needs of their security programs,” it adds.
In order for threat intelligence programs to be effective, the Gartner Report notes that Security and risk management leaders responsible for strategizing and planning security operations should define their organizations’ TI use cases, such as security telemetry augmentation, deep web monitoring, phishing investigations, incident response and analyst augmentation, identify and align vendor specialties to the most relevant TI use cases for their organizations and use this to drive vendor selection. They should use the three Gartner-defined requirements-acquire, aggregate and action- for leveraging TI successfully and investigate the use of open-source computer emergency response teams, information sharing and analysis centers, and commercial TI services to develop informed tactics for current threats and plan for future threats.
Experts say the reason threat perception hasn’t taken off in a big way in the region is because most organizations do not have a mature approach to threats and are overconfident about their ability to prevent attacks. In fact, a recent study by Centrify, a leading provider of cloud-ready Zero Trust Privilege to secure modern enterprises, conducted in partnership with TechVangelism, reveals that majority of organizations are ill-prepared to protect themselves against privileged access abuse, the leading cyber-attack vector. The study states that seventy-nine percent of organizations do not have a mature approach to Privileged Access Management (PAM), yet 93% believe they are at least somewhat prepared against threats that involve privileged credentials. This overconfidence and immaturity are underscored by 52% of organizations surveyed stating they do not use a password vault, indicating that the majority of companies are not taking even the simplest measures to reduce risk and secure access to sensitive data and critical infrastructure.
“This survey indicates that there is still a long way to go for most organizations to protect their critical infrastructure and data with mature PAM approaches based on Zero Trust,” said Tim Steinkopf, CEO of Centrify. “We know that 74% of data breaches involve privileged access abuse, so the overconfidence these organizations exhibit in their ability to stop them from happening is concerning. A cloud-ready Zero Trust Privilege approach verifies access requests, the context of the request, and the risk of the access environment to secure modern attack surfaces, now and in the future.”
Then again, in order to get maximum benefit, threat intelligence needs to integrate with the solutions and workflows organizations already rely on and have low barriers to entry. When it’s treated as a separate function within a broader security paradigm rather than an essential component that augments every other function, the result is that many of the people who would benefit the most from threat intelligence don’t have access to it when they need it.