One definition describes threat intelligence as “an information security discipline that seeks to recognize and understand sophisticated cyber adversaries, specifically why and how they threaten data, networks, and business processes.”
 
And Gartner defines it this way: “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice... that can be used to inform decisions.”
 
The goal of all this data collection is to make better decisions about how to protect your systems.
To mitigate threats you can implement new controls, remediate vulnerabilities, or accept risks. Which actions you should take, at what rate, and in what order: these are the questions you want threat intelligence to answer.
 
Threat intelligence can describe each of the individual pieces of how a breach happens - from the threat actor to the threat action, to the malicious code (or lack thereof) itself, to the breach itself.

Threat intelligence can be segmented into five types:

  1. Internal Intelligence. This is the intelligence about your organization’s own assets and behavior, based on analysis of your organization’s activities.
  2. Network Intelligence. This is intelligence gleaned from analyzing network traffic at your organization’s network boundary and on networks that connect you to the outside world. FireEye is a good example.
  3. Edge Intelligence. This understands what various hosts on the Internet are doing at the edge of your network. This information is available from your ISPs, governments, and telecoms. For example, Akamai has a lot of intel on the edge of the Internet.
  4. Open-Source Intelligence. This comes from the plethora of information available on websites, blogs, Twitter feeds, chat channels, and news feeds. It’s available to whoever wants to collect and mine it for useful intel.
  5. Closed-Source Intelligence. This is the most difficult to acquire — closed user-group sharing (for example, FS-ISAC) draws on authenticated underground websites and chat channels, information gleaned from intelligence and law-enforcement operations, and human intelligence. FS-ISAC, the Financial Services Information Sharing and Analysis Center, is an industry forum for collaboration on critical security threats facing the global financial services sector.

First, let's see what intelligence/info you might be collecting:

👉 Threat Actors
Information about threat actors themselves is usually hard to operationalize, but knowing the locations of malicious IPs or C2 (command-and-control) servers allows you to implement a mitigation control around that known information. This type of data attempts to capture the location or past actions of threat actors, and is necessary, but hardly enough to stop the threat.
 
👉 Possible Strategies of Threat Actors
MITRE and NVD provide the Common Vulnerabilities and Exposures (CVE) list, which is a vast but incomplete picture of the possible strategies. Some types of vulnerabilities are prioritized over others, and some never make it into the listing because of resource limitations. Some vulnerabilities are never submitted at all. Thus you may have to look to providers of zero-day vulnerabilities for the undisclosed or unpatchable ones. Learning what’s possible for the attacker informs us about what we must defend against.
However, it’s impossible to be secure against every vulnerability!
 
👉 Actual Attacks
There are a few ways that you can know about actual ongoing attacks. The simplest is rule-based - knowing that an IDS is picking up a known-exploit signature informs you of an attack in progress. More complex systems will do anomaly detection, and SIEM systems will record all the actions undertaken, which makes early warnings and faster detection possible (i.e. mitigating damage). In the aggregate and retrospectively, this data informs us about the worst of the vulnerabilities - those which attackers are actually attempting to exploit (that is, those that put us most at risk).
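The two paragraphs above (operationalizing threat-actor indicators such as known malicious IPs and C2 servers, and rule-based detection of attacks in progress) come together in a matching step that a SIEM rule performs. The following is an added example, not code from the original post: it matches a small indicator set against firewall log lines. The indicator values, the log lines, and the key=value log format are all constructed for illustration and are not real indicators of compromise.

```python
"""Match a small threat-intelligence indicator set against firewall log lines.

Added example (not part of the original post). Indicator values, log lines
and the log format are constructed for illustration, not real IoCs.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed indicator feed. Each entry carries the context a detection rule
# needs (what it is, why it matters, what to do), not just a bare value.
INDICATORS = [
    {"type": "ipv4", "value": "203.0.113.45",
     "context": "constructed C2 server", "action": "block egress"},
    {"type": "cidr", "value": "198.51.100.0/24",
     "context": "constructed scanning range", "action": "alert"},
    {"type": "domain", "value": "update-check.example",
     "context": "constructed C2 domain", "action": "sinkhole"},
]

# Constructed firewall log lines (key=value format, one event per line).
SAMPLE_LOGS = [
    "ts=2024-01-10T09:00:01Z src=10.0.0.12 dst=203.0.113.45 dport=443 action=allow",
    "ts=2024-01-10T09:00:02Z src=198.51.100.77 dst=10.0.0.5 dport=22 action=deny",
    "ts=2024-01-10T09:00:03Z src=10.0.0.12 dst=93.184.216.34 dport=443 action=allow host=www.example.org",
    "ts=2024-01-10T09:00:04Z src=10.0.0.9 dst=192.0.2.10 dport=53 action=allow host=update-check.example",
]


@dataclass
class Alert:
    line: str        # the raw log line that matched
    indicator: dict  # the indicator entry, including its context and action
    matched: str     # the concrete value in the line that matched


def parse_log(line: str) -> dict:
    """Parse a key=value log line into a dict of fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def match_logs(lines, indicators):
    """Return one Alert per (line, indicator) pair where a field matches."""
    by_ip = {i["value"]: i for i in indicators if i["type"] == "ipv4"}
    nets = [(ipaddress.ip_network(i["value"]), i)
            for i in indicators if i["type"] == "cidr"]
    by_domain = {i["value"].lower(): i for i in indicators if i["type"] == "domain"}

    alerts = []
    for line in lines:
        fields = parse_log(line)
        # Check both endpoints of the flow against exact IPs, then CIDR ranges.
        for key in ("src", "dst"):
            ip = fields.get(key)
            if not ip:
                continue
            if ip in by_ip:
                alerts.append(Alert(line, by_ip[ip], ip))
                continue
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # malformed field; skip rather than crash the rule
            for net, ind in nets:
                if addr in net:
                    alerts.append(Alert(line, ind, ip))
                    break
        # Match the host field against indicator domains and their subdomains.
        host = fields.get("host", "").lower()
        for dom, ind in by_domain.items():
            if host == dom or host.endswith("." + dom):
                alerts.append(Alert(line, ind, host))
                break
    return alerts


def actions_needed(alerts):
    """Summarize alerts by the recommended action so they can be prioritized."""
    return dict(Counter(a.indicator["action"] for a in alerts))


if __name__ == "__main__":
    for a in match_logs(SAMPLE_LOGS, INDICATORS):
        print(f"{a.matched:22} {a.indicator['context']:28} -> {a.indicator['action']}")
    print(actions_needed(match_logs(SAMPLE_LOGS, INDICATORS)))
```

Of the four constructed lines, three produce alerts: an outbound connection to the listed C2 address, an inbound attempt from the scanning range, and a DNS lookup of the listed domain; the connection to an unlisted host produces nothing. The `action` carried with each indicator is what turns a bare IP list into something operational, which is the point the Threat Actors paragraph makes.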
 
👉 Your Network Topology
Information about your business, accurate asset inventory and grouping, accurate assessments of which mitigating controls are in place - all of these slice out a significant amount of risk from your system. Some vulnerabilities simply don’t apply to your business because of your topology, or the way in which some attacks must be implemented. Your job is to focus on what is actually feasible on your network.
 
👉 Successful Attacks/Past Mistakes
Successful attacks, or your past mistakes, let you get to the heart of the issue. You’re trying to prevent breaches, and historical data about what’s been successful lets you make sure your remediation efforts don’t go to waste. You can determine what about the environment allowed the attack to succeed, where successful attacks came from, which potential attacks they were generated by, and so on.
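The sections on actual attacks, your network topology, and past mistakes describe inputs to one decision: which vulnerabilities to remediate first. The following is an added example, not code from the original post, showing how an asset inventory, exposure, mitigating controls, and observed exploitation change the order in which findings are remediated. Vulnerability IDs (VULN-A and so on), product names, versions, asset names and the weighting factors are all constructed placeholders and assumptions for illustration, not real CVEs, hosts, or a published scoring standard.

```python
"""Rank vulnerabilities for remediation using asset inventory, exposure,
mitigating controls, and observed exploitation.

Added example (not from the original post). Vulnerability IDs, products,
versions, assets and weighting factors are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str                 # placeholder ID, not a real CVE
    product: str                 # affected product
    affected_max_version: str    # versions <= this are affected
    base_score: float            # severity on a 0-10 scale (assumed)
    exploited_in_wild: bool      # seen in IDS/SIEM attack data
    mitigated_by: Optional[str]  # control that neutralises it, if any


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    internet_facing: bool
    controls: frozenset          # mitigating controls in place, e.g. {"waf"}


@dataclass(frozen=True)
class Finding:
    score: float
    vuln_id: str
    asset: str


# Constructed sample data.
VULNS = [
    Vulnerability("VULN-A", "webserver", "2.4.49", 9.8, True, "waf"),
    Vulnerability("VULN-B", "webserver", "2.4.49", 7.5, False, None),
    Vulnerability("VULN-C", "dbserver", "12.3", 8.1, True, None),
    Vulnerability("VULN-D", "mailserver", "1.0", 9.0, True, None),  # no such asset
]
ASSETS = [
    Asset("web-01", "webserver", "2.4.49", True, frozenset({"waf"})),
    Asset("web-02", "webserver", "2.4.51", True, frozenset()),  # already patched
    Asset("db-01", "dbserver", "12.1", False, frozenset()),
]


def version_tuple(v: str) -> tuple:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def applies(vuln: Vulnerability, asset: Asset) -> bool:
    """A vulnerability applies only if the asset runs an affected version."""
    return (vuln.product == asset.product
            and version_tuple(asset.version) <= version_tuple(vuln.affected_max_version))


def risk_score(vuln: Vulnerability, asset: Asset) -> float:
    """Adjust severity by exploitation, exposure and controls (assumed weights).

    Weights are powers of two so the arithmetic stays exact for the sample data.
    """
    score = vuln.base_score
    if vuln.exploited_in_wild:
        score *= 2      # attackers are actually trying this one
    if not asset.internet_facing:
        score *= 0.5    # reachable only from inside the network
    if vuln.mitigated_by and vuln.mitigated_by in asset.controls:
        score *= 0.25   # a control in place already blunts it
    return min(score, 10.0)


def prioritize(vulns, assets):
    """Return applicable findings, highest adjusted risk first."""
    findings = [Finding(risk_score(v, a), v.vuln_id, a.name)
                for v in vulns for a in assets if applies(v, a)]
    findings.sort(key=lambda f: (-f.score, f.vuln_id, f.asset))
    return findings


if __name__ == "__main__":
    for f in prioritize(VULNS, ASSETS):
        print(f"{f.score:5.2f}  {f.vuln_id}  {f.asset}")
```

With the constructed data, the highest base-severity finding (VULN-A on web-01) ends up last because a control already mitigates it, the patched web-02 generates no findings at all, and the internal database with an actively exploited flaw comes out on top. VULN-D never appears because no asset in the inventory runs that product, which is exactly the "some vulnerabilities simply don't apply to your business" effect described above.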
Guys, what is your opinion about this crucial distinction between types of Threat Intelligence? What holds more importance over others?
Please leave me your views in the comment section.
 
 

This article was written and published by Meena R, Senior Manager - IT at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so passionate about the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and on social media platforms.

30,000+ professionals follow her on Facebook and are mesmerized by the quality of the content of her posts there.

If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:

Click Here to follow her: Cybersecurity PRISM