How Threat Intelligence Can Help Counter Targeted Attacks
A steep increase in targeted attacks is becoming a growing concern among organizations. Targeted attacks are sophisticated, persistent, with specific motivation and in most cases well-funded. The motivations of the threat actors could range from strategic business interests to national interests, espionage or financial gains.
Recent attacks have been targeted more at individuals with the objective of gaining access to their personal information. For instance, Amazon’s CEO Jeff Bezos’ mobile phone was ‘hacked’ after receiving a WhatsApp message that as per the investigation report had apparently been sent from the crown prince of Saudi Arabia. It is also evident that the attacks are not only leveraging 0-day vulnerabilities, but also looking out for vulnerabilities in any security misconfiguration. There are many instances of data breaches leveraging the misconfiguration on Amazon’s S3 buckets that has exposed several million records with sensitive and confidential details.
Irrespective of the motivation and type of attack, targeted attacks are often the hardest to detect and remediate. A masterfully crafted targeted attack gets even the most tech-savvy or experienced users. They are often referred to as advanced persistent threats (APT) since the cybercriminals use highly sophisticated technology to attack repeatedly until the target is breached.
A successful attack can often bring an organization to its knees. For instance, disruption of production line for an automotive company or breach of confidential data for a bank. It can result in considerable operational and reputational damage.
Cybersecurity is in the spotlight across enterprises as is evident from the recent market research done by Infosys in which 83 percent of the respondents viewed cybersecurity as a critical component of their organization. Top executives across verticals strongly believe that cybersecurity risk is one of the top five challenges that can change the future of business.
To overcome this challenge, organizations need to build a scalable cybersecurity infrastructure with the ability to seamlessly adapt and respond to the evolving threat landscape.
While organizations are adopting a ‘defense-in-depth’ approach to keep away opportunistic attacks, they need to detect and mitigate targeted attacks by utilizing threat intelligence.
Threat intelligence is defined as an evidence-based knowledge which is contextually relevant and can be integrated into platforms and tools, to quickly and accurately address threats to individuals, organizations or assets in a standardized and consumable format. It can be categorized into internal intelligence (gathered from within the organization) and external intelligence (acquired from outside the organization like intelligence subscription, community feeds, etc.).
Threat Intelligence are of three types:
• Strategic intelligence helps executives gain visibility of threat exposure; to plan their security strategy
• Tactical intelligence is predominantly used by analysts for their day-to-day security operations and machine-to-machine detection of threats and have the potential to immediately influence tactical decisions
• Operational intelligence provides context for security events and incidents
The traditional intelligence cycle consists of six distinct phases:
• Direction: Defining the goals of the threat intelligence program
• Collection: Gathering information to meet the intelligence requirements
• Processing: Transforming information into a usable format
• Analysis: Converting processed information with human input into intelligence to support decisions
• Dissemination: Distributing the intelligence to the right destinations
• Feedback: Understanding the overall priorities and needs of the security teams
Threat intelligence is consumed for proactive protection against threats which strengthens the threat mitigation controls and for detection of historical malicious events which supports the incident response.
In most security operations centres (SOCs), the false positive alarms are causing more noise due to inadequate knowledge of the attack techniques, tactics and procedures (TTPs) or indicators of compromise (IOC) or the attack surface used by the adversary. It is due to a huge volume of alerts and incidents on a daily basis. Threat intelligence provides the contextual information to the indicators, which helps the security analysts to have a situational awareness while getting the incident investigated. It also helps with other associated indicators, campaigns, operations etc., for a comprehensive and conclusive incident response. This is one of the quick benefit of the consumption of tactical and operational intelligence.
Benefits of threat intelligence are:
It provides a high-level information on the changing risk in the cyber landscape. It also provides information on emerging threats, the organization’s indicator of exposure (IOE) and it’s risk for current and emerging threats. This helps executives develop and institutionalize their defensive strategy.
Threat intelligence provides situational awareness and advance knowledge about adverse TTPs thereby equipping organizations to effectively address threats. It provides details of malicious domains, IP addresses controlled by adversaries and all the vulnerabilities that are being exploited. It builds awareness and knowledge about new strains of malware, the indicators of an attack and how it could potentially harm organizations. This helps prepare their own defenses by setting up the required antidotes.
By consuming threat intelligence feeds, advanced threat protection software installed on an organization’s systems, networks, email, and servers can scan for impending threats and block them before they cause any damage.
The ability to develop and act on threat intelligence underpins any defensive strategy. Organizations can efficiently detect and mitigate targeted attacks by utilizing threat intelligence backed by context-aware data protection and security tools that notify human analysts of an impending cyberattack.
As the world embraces IoT and cyber physical systems, it is imperative that companies craft the perfect blend of talent, processes, and technologies complimented by threat intelligence to fortify and enhance their cyber defenses against targeted attacks in the years to come.
Threat intelligence and vulnerability management
Threat intelligence does not only cover the indicators of the threat; but also on the vulnerabilities and exploits. These intelligences are gathered from the OEM’s and also more interestingly from the dark web. The intelligences are consumed to superimpose on the vulnerability data, with contextual information, and helps the operations team prioritize the remediation. This also gives the organization, a perspective of their exposure to such vulnerabilities and the threats which leverage the same for exploitation.