NOTE: This document is incomplete and still in draft mode.
Intelligence, in a security context, is a collection of security-related information which, when analysed, provides meaningful foresight. Threat intelligence, likewise, is the analysis of information collected about cyber threats so that it yields reliable and structured information about cybersecurity threats. Thus, threat intelligence is an important tool in the arsenal of security management.
Threat intelligence adds value to threat-related information to make it substantive, and allows organisations to be ready for future cyber-attacks. Its proper use and deployment can warn an organisation of an “advanced persistent threat” that can create havoc by silently gathering information and then launching focused attacks. Threat intelligence detects these threats by identifying unusual patterns and anomalies in the system. However, it only detects the threats; preventing the attacks remains the role of other prevention technologies and human intervention.
As technology advances with new developments such as the Internet of Things (IoT), newer threat vectors are evolving alongside. From a security point of view, IoT is seen as a most vulnerable area that may allow attacks on billions of small devices, including electronic appliances, health care appliances, building systems, etc., connected using IoT. As per RSA Security, the IoT will connect around 50 billion devices by 2020, and this is going to pose a real challenge to threat analysis for anticipating potential attacks.
What is threat intelligence?
The definition of threat intelligence, in simplest terms, is given by Matt Bromiley in a SANS white paper on threat intelligence as “TI is the process of acquiring, via multiple sources, knowledge about threats to an environment”.
Rob McMillan of Gartner defines threat intelligence in a more elaborate way as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard”.
The goal of threat intelligence is to detect potential threats as early as possible and, where possible, to prevent them as well. Threat intelligence helps make security teams ready to handle both known and unknown threats.
Brian Jack, KnowBe4’s chief information security officer, adds analytics to his definition of threat intelligence, saying “Cyber threat intelligence is the collection and application of relevant and valuable information relating to cyber threats,” and “Analytics may take intelligence as an input and give you more valuable intelligence as output.”
Sheldon Hogarth of Massive Alliance feels that the definition of cyber threat intelligence depends on “who is using it and what solutions they provide”.
Sheldon Hogarth’s view is also supported by Matt Bromiley, who indicates that the definition and use of cyber threat intelligence by any organization depend on:
- “Foster realistic expectations for TI implementations.
- Align those expectations with corporate cybersecurity
- Identify where TI integrations will yield the most for the organization.”
Thus, the useful application of cyber threat intelligence depends on the type of business and how information is used in it. Businesses using external data feeds need to ensure that the data is deployed where it is required, along with a proper monitoring system, such as cyber threat intelligence, to detect any anomalies in the data being taken in.
Another organization may use cyber threat intelligence to understand threat groups, their practices and methodologies, in order to ward off future attacks and give the security team a better understanding of attacks.
Matt Bromiley indicates that “In fact, the perception of TI is turning from one of luxury to necessity as information security professionals come to realize that attackers often have a better understanding of their organization’s networks than they do.” Most of the time, by the time a breach is detected the attacker has quietly entered the system and moved around at will without being noticed.
Sources of Threat Intelligence
The use of threat intelligence first requires identifying its sources, which can be internal or external.
Internal threat intelligence is information and data collected from within the organization. Previous attacks and the activities related to them provide good intelligence. Careful analysis of logs is another good source of threat intelligence.
Intelligence acquired from outside sources constitutes external threat intelligence. The sources can be data feeds, commonality, government and law enforcement agencies, and crowdsource platforms. Data feeds provided by research organizations, subscriptions, endpoint agents and open-source threat intelligence need to be analysed to extract value from them. Commonality is the sharing of information within an industry sector, such as finance and banking. The organization’s relationship with government and law enforcement agencies can also provide threat intelligence. Crowdsourced threat intelligence is another source that organizations can access while remaining anonymous.
Advanced persistent threats
Cyber threat intelligence is one tool that is useful for handling advanced persistent threats (APTs). An APT is a slow attack launched to avoid detection; it compromises the IT network without revealing itself. APTs are considered one of the biggest threats to the IT sector as they are aimed at stealing legal documents, intellectual property and other sensitive information. They are taken very seriously because they can bypass the traditional security systems in place today. Threat intelligence, on the other hand, can find the hidden patterns used by APTs and so detect attacks that bypass traditional detection systems.
Advanced threat analytics
Advanced threat analytics performs behavioural analysis of the collected data for threat detection. An advanced threat detection program includes:
- Extracting information on suspicious activity from data gathered from network logs, gateways, publications, open source locations, TOR, I2P and warehouses.
- Using machine learning and filtering to go through the large database of collected information.
- Analysing the data and removing false positives.
- Using skilled analysts to review the threats detected and verify their presence.
- Integrating the information with other security platforms such as Security Information and Event Management (SIEM).
Automation and information sharing play a key role in advanced threat detection. Sharing information allows a threat detected at one location to be used to develop a protection plan for all customers against that threat. It also reduces analyst load and allows analysts to concentrate on other work.
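As an added illustration (not code from the article or from any product it names), the following Python pipeline follows the steps above: an external indicator feed is indexed, matched against the organisation’s own logs (the internal source discussed earlier), allowlisted values and low-confidence indicators are dropped as false positives, and the surviving hits are serialised as JSON lines for a SIEM. The feed schema, log format, allowlist and all values are constructed assumptions, not a real vendor format.

```python
# Added illustration, not the article's code; every value below is constructed.
import json
from dataclasses import dataclass, asdict

# Constructed external indicator feed: value, type, confidence 0-100, source.
FEED = [
    {"indicator": "198.51.100.23", "type": "ip", "confidence": 90, "source": "feed-A"},
    {"indicator": "bad-update.example", "type": "domain", "confidence": 70, "source": "feed-B"},
    {"indicator": "203.0.113.9", "type": "ip", "confidence": 40, "source": "feed-B"},
]

# Constructed internal allowlist: own infrastructure that feeds sometimes misreport.
ALLOWLIST = {"203.0.113.9"}

# Constructed proxy/DNS log lines from the organisation's own systems (internal source).
LOGS = [
    "2024-05-01T10:00:01Z host=ws-17 dst=198.51.100.23 action=allow",
    "2024-05-01T10:00:05Z host=ws-22 dst=203.0.113.9 action=allow",
    "2024-05-01T10:01:10Z host=ws-17 dns=bad-update.example action=resolve",
    "2024-05-01T10:02:00Z host=ws-03 dst=192.0.2.1 action=allow",
]

@dataclass
class Alert:
    host: str
    indicator: str
    ioc_type: str
    confidence: int
    source: str
    raw: str

def load_feed(feed, allowlist=ALLOWLIST):
    """Index the feed by indicator, dropping allowlisted values (false-positive removal)."""
    return {e["indicator"]: e for e in feed if e["indicator"] not in allowlist}

def match_logs(index, logs, min_confidence=50):
    """Match dst/dns fields of internal logs against the feed; low-confidence hits are skipped."""
    alerts = []
    for line in logs:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        for key in ("dst", "dns"):
            ioc = index.get(fields.get(key))
            if ioc and ioc["confidence"] >= min_confidence:
                alerts.append(Alert(fields["host"], ioc["indicator"], ioc["type"],
                                    ioc["confidence"], ioc["source"], line))
    return alerts

def to_siem(alerts):
    """Serialise alerts as JSON lines, one per alert, for SIEM ingestion."""
    return [json.dumps(asdict(a)) for a in alerts]
```

The alerts returned by match_logs are what an analyst would verify before the records from to_siem are forwarded; raising min_confidence trades coverage for fewer analyst reviews.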
Threat intelligence tools
Threat intelligence operations use threat indicator feeds along with threat intelligence platforms. The data collected from internal and external resources forms the threat feed, and this feed is then analysed by the threat intelligence platforms. As per the European Union Agency for Network and Information Security (ENISA), “Threat intelligence programs implement processes that enable organisations to collect, analyse, produce and integrate their own and external intelligence. The utmost goal of any threat intelligence program is to produce intelligence that will be embedded into organisational workflows and would serve decision makers.”
Gartner Essentials: Top CyberSecurity Trends for 2016-2017 illustrates the ideal role of a threat intelligence program in threat management in the figure below:
Open source as well as commercial threat intelligence programs are available. Some of them are:
- Collaborative Research Into Threats (CRITs) by MITRE
- Collective Intelligence Framework (CIF) by CSIRT Gadgets Foundation
- GOSINT by Cisco
- MANTIS Cyber Threat Intelligence Management Framework by Siemens
- Malware Information Sharing Platform (MISP) by CIRCL
- MineMeld by Palo Alto
- Yeti by Yeti
- EclecticIQ Platform
- Soltra Edge by NC4
- ThreatQ Platform by ThreatQuotient
- Threat Central by Micro Focus
- Open Threat Exchange (OTX) by AlienVault
- X-Force Exchange by IBM
- ThreatExchange by Facebook
Free Open Source Threat Hunting Tools
The technology is still maturing, and no single product may be enough to meet all requirements. The best option is to first find out the organisation’s requirements and then select a suitable product or products, which can be a mix of open source and commercial products. Williams of Rendition Infosec advises organisations to first try open source threat intelligence programs before going in for commercial products.
A number of studies have shown that merely deploying threat intelligence tools is not enough to identify advanced threats; effective use requires in-house skilled security analysts. Organisations relying solely on threat intelligence tools fail to protect their systems from cyber threats. Detecting advanced threats surely needs top security talent, duly trained in a wide range of investigation tools and investigatory skills.
Organisations must first find out the business areas that need protection. Threat intelligence helps in understanding which areas are most likely to be targeted, and this information can be used to protect assets effectively. Threat intelligence can also identify new areas that were not previously considered vulnerable.