The Benefits…and the Downfall of Using Cyber Threat Intelligence

Jeff Hershberger
Feb 23, 2023

In today’s cybersecurity battlefield, many of your adversaries are organized cybercrime syndicates and nation states. These well-funded threat actors are capable of carrying out highly sophisticated attacks that can easily defeat poorly implemented cybersecurity programs. To level the playing field, you need to equip your cybersecurity initiatives with threat intelligence. 

For those unfamiliar with the term, cyber threat intelligence (CTI) or simply threat intelligence is information you can use to better your cybersecurity initiatives. This information may include: 

  • Indicators of Compromise (IOCs) like known bad IP addresses and file hashes
  • Threat actor tactics, techniques, and procedures (TTPs)
  • Vulnerability alerts
  • Threat intelligence reports featuring known threat actors
  • And others

Why would you need this information? How can it help in cybersecurity? Here are the top reasons for incorporating CTI in your cybersecurity initiatives:

Improves Threat Prevention

Threat prevention tools are supposed to keep the bad guys out. While it’s certainly a big advantage if you can block threats before they can step inside, many of these tools rely heavily on human input. 

Let’s take your basic firewall for example. Even a basic firewall can theoretically prevent a good amount of threats from reaching your network. However, for that firewall to work as expected, you should configure it properly. You should provide it with a well-thought-out access control list (ACL) that defines, for example, which IP addresses should be denied access. The more comprehensive and reliable that ACL is, the more effective your firewall will be.

That’s easier said than done, however. With trillions of IP addresses out there, how could you possibly know what those bad IP addresses are? That’s where good threat intelligence can come into play. If you can somehow find a threat intelligence source with a comprehensive collection of IP addresses and their reputations, you can feed that information into your firewall and block every packet originating from a known bad host. 

Streamlines Threat Detection and Threat Hunting

Threat detection and threat hunting tools and processes are meant to help you determine if a threat has somehow managed to invade your IT environment. The former employs a passive approach whereas the latter uses a proactive approach. Like threat prevention, these tools and processes can be enhanced with threat intelligence. 

Let’s say you’re using an intrusion detection system (IDS) for threat detection. Many IDS solutions use signature-based methods to detect the presence of threats. While these tools can easily detect threats whose signatures have already been added to the tool’s signature database, they’re ineffective against zero-days. Zero-days are brand-spanking-new threats whose signatures have yet to be released by the cybersecurity community. 

To catch both known threats and zero-days, you can augment your IDS solution with CTI-backed threat hunting. For instance, a threat hunting activity could lead you to indicators of compromise (IOCs) characterized by log records of outbound traffic going to a suspicious IP address. Using threat intelligence, you can check if that IP address is associated with a known malicious host. If it is, you would then have discovered a threat even if it didn’t trigger your IDS. 

Boosts Incident Response

Incident response is a very stressful activity. To be effective, you need to make quick, accurate decisions. Unfortunately, these activities usually involve a lot of log and alert data that tend to muddle the process. 

You can use threat intelligence to enrich alert data so you can make better decisions when you triage. Let’s say you’re observing traffic going out to multiple unknown hosts. You need to act fast. For all you know, some of that traffic might be exfiltrating data to a C2 server. However, you can’t just block all outbound traffic, as some of it might be part of a legitimate, time-sensitive business process. 

By leveraging your threat intelligence about IP addresses, you can prioritize subsequent analysis on those connections that involve known bad IP addresses. Not only will that save you time, it will also prevent you from killing an important workflow. 
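The three uses described above (feeding an IP-reputation feed into a firewall ACL, checking outbound connection logs against known bad hosts during threat hunting, and ranking alerts for triage) all rest on the same mechanic: matching observed destination addresses against an indicator list that carries a confidence score. The following Python script is an added example, not code from the original post or from any vendor product. The feed format, the log format, the 0-100 confidence scale and the 75 deny threshold are assumptions, and every address is constructed from RFC 5737 documentation ranges, so none of the indicators is real.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample reputation feed (assumed CSV layout: indicator,confidence,label).
# A malformed row is included on purpose so the parser's handling of it is visible.
SAMPLE_FEED = """\
# indicator,confidence,label
198.51.100.23,95,c2
203.0.113.0/24,60,scanner
192.0.2.77,80,malware-distribution
not-an-ip,50,junk
"""

# Constructed sample outbound connection log (assumed firewall/NetFlow-style key=value lines).
SAMPLE_LOG = """\
2023-02-23T10:01:02Z src=10.0.0.5 dst=198.51.100.23 dport=443 bytes=52000
2023-02-23T10:01:09Z src=10.0.0.8 dst=192.0.2.10 dport=443 bytes=1200
2023-02-23T10:02:15Z src=10.0.0.5 dst=203.0.113.45 dport=8080 bytes=300
2023-02-23T10:03:44Z src=10.0.0.9 dst=10.0.0.20 dport=445 bytes=9000
"""


@dataclass(frozen=True)
class Indicator:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    confidence: int  # assumed 0-100 scale from the feed provider
    label: str


def parse_feed(text: str) -> list[Indicator]:
    """Parse the feed, skipping comments and rows that are not a valid network/score."""
    indicators = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)  # bare host becomes /32
            conf = int(parts[1])
        except ValueError:
            continue  # an unparseable indicator must never silently become a wildcard rule
        indicators.append(Indicator(net, max(0, min(100, conf)), parts[2]))
    return indicators


def parse_log(text: str) -> list[dict]:
    """Parse key=value connection records; rows missing required fields are dropped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs if "=" in kv)
        try:
            records.append({
                "ts": ts,
                "src": fields["src"],
                "dst": ipaddress.ip_address(fields["dst"]),
                "dport": int(fields["dport"]),
                "bytes": int(fields.get("bytes", 0)),
            })
        except (KeyError, ValueError):
            continue
    return records


def best_match(addr, indicators: list[Indicator]) -> Indicator | None:
    """Return the highest-confidence indicator whose network contains addr, or None."""
    hits = [i for i in indicators if addr.version == i.network.version and addr in i.network]
    return max(hits, key=lambda i: i.confidence, default=None)


def triage(records: list[dict], indicators: list[Indicator]) -> list[dict]:
    """Enrich records with their matching indicator and return only the hits,
    highest confidence first, then by bytes sent (a large outbound transfer
    to a C2 indicator is the case to look at first)."""
    hits = []
    for rec in records:
        ind = best_match(rec["dst"], indicators)
        if ind is not None:
            hits.append({**rec, "confidence": ind.confidence,
                         "label": ind.label, "indicator": str(ind.network)})
    hits.sort(key=lambda h: (h["confidence"], h["bytes"]), reverse=True)
    return hits


def deny_list(indicators: list[Indicator], min_confidence: int = 75) -> list[str]:
    """Build an ACL-style deny list (CIDR strings) from indicators at or above the threshold."""
    return sorted({str(i.network) for i in indicators if i.confidence >= min_confidence})


if __name__ == "__main__":
    inds = parse_feed(SAMPLE_FEED)
    for hit in triage(parse_log(SAMPLE_LOG), inds):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["dst"]} '
              f'[{hit["label"]} conf={hit["confidence"]}] bytes={hit["bytes"]}')
    print("deny:", deny_list(inds))
```

The confidence threshold in `deny_list` is the practical difference between the prevention and the triage use cases: a low-confidence scanner indicator is worth surfacing to an analyst, but blocking a whole /24 on it at the firewall is exactly the kind of action that kills a legitimate workflow, so the script only emits high-confidence entries as deny rules while still ranking every match for review.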

Informs Executive Decision-Making

Not all threat intelligence is used for tactical and operational purposes. Other intelligence comes in the form of reports and other human-readable formats and is consumed by senior management, C-level executives, and boards of directors for strategic decision-making. Here’s an example.

Some analysts believe that NotPetya was actually a Russian cyber warfare weapon targeted at Ukraine that spilled over to Europe and other parts of the world. While we don’t know for sure if this is true, this scenario is highly possible. 

So, if you’re regularly conducting B2B file transfers with a company based in a country that just had a conflict with a nation state, which according to CTI reports has cyber warfare capabilities, then it might be wise to bolster your cyber defenses. That should minimize the risk of becoming collateral damage in a potential cyber warfare-initiated malware outbreak.

The Downfall of Cyber Threat Intelligence

Despite all the benefits of CTI, it’s not for everyone. Before you can realize the benefits of threat intelligence, you need to curate, enrich, and analyze threat intel data. After that, you still need to input the processed information into your security solutions. Not all organizations have that capability.

Most small and medium-sized businesses (SMBs), in particular, don’t have dedicated cybersecurity teams, let alone threat analysts, who can carry out security operations tasks like CTI. Not only that – there’s currently a talent shortage in cybersecurity. Around this time last year (2022), 3.5 million cybersecurity positions remained unfilled across the globe. That means even large enterprises have trouble hiring the required talent for threat intelligence. 

While you can outsource CTI to a Managed Security Service Provider (MSSP), another option is to adopt Applied Threat Intelligence (ATI). ATI is an emerging class of security solutions that incorporates the entire CTI process (collecting, analyzing, processing, and utilizing TI data) into one single solution. ATI eliminates all the complexities of CTI while preserving all of its benefits. We already shared a link to a comprehensive report about ATI above, but if you want to learn more or have any questions, contact us.
