The last thing that any organization wants is to make the headlines following a security breach. The damage to their reputation can be enormous, as can the financial costs. Unfortunately, it’s not a case of if it will happen, but when it will happen.

Do you know the difference between information and intelligence? While this may seem nothing more than semantics in most situations, the difference is extremely significant when it comes to cyber security. Simply put, information is data or facts that have been collected, and intelligence is an actionable assessment of those facts.

The distinction can be best illustrated as follows:

Information

An exploit for a zero-day Java vulnerability is publicly released on a security mailing list. Shortly thereafter, malware is identified using the vulnerability. Security vendors notify clients of this threat and provide recommendations for mitigation. This is threat information and, while useful, it is not, by definition, threat intelligence.

Intelligence

A security vendor monitoring exploitation of the Java vulnerability notices that infection rates in Asia are much higher than in the US. New strains of malware, which install code associated with a botnet command and control system on victim devices, are being observed in the wild. At the same time, a large financial institution has announced the acquisition of several smaller regional banks, initiating an increase in their non-sufficient funds fee from $20 to $35, thereby angering consumers. Many hacktivist groups begin discussing a protest against the US banking system on social media sites, promising to halt online transactions for a day at major institutions. One hacktivist Twitter account posts instructions for using botnet command and control software, which appears to be related to the botnet client code installed by a recently identified Java malware.
Piecing these data points together leads to a clearer picture – US banks are likely going to be targeted with a DDoS attack by a hacktivist group using botnets based on the Java vulnerability. Based on what is known about infection profiles, banks can expect the attacks to originate from Asian source IP addresses. This is threat intelligence – information gathered from several disparate sources, synthesized by human analysts to identify a specific threat to a specific target.

Recent headlines suggest that organizations today are not equipped to perform such highly intricate and complex analysis and, as a result, attackers appear to be winning the war. This is not to say that there is no use for security intelligence tools that can alert and respond when indicators are identified – but they are limited in capability for turning that information into actionable intelligence. Rather, threat intelligence platforms offered by managed security services providers are automating the identification and analysis of the data, so organizations can take the necessary and immediate steps to thwart the intruders.

Threat intelligence management technology is seeing significant growth across a broad range of users and, as recent hacks will attest, for good reason. It’s a reliable and cost-effective method for improving network security through proactive mitigation of potential threats. The technology is devised to understand, analyze, curate, and enrich threat information using advanced analysis techniques and proprietary tools. The supporting underlying infrastructure can collect and store massive amounts of information and make it available for curation, enrichment, automated correlation and processing, as well as enabling manual threat analysis and research.

While increased cyber threats have accelerated the need for threat intelligence services, businesses need to be aware of the different types of intelligence being delivered by the security industry.
Is it intelligence resulting from the automated collection and analysis of data obtained from sources such as social network monitoring, spam traps, malware reversing and observation, live botnet connections and so on, or is the intelligence derived from a blend of these sources along with more human analysis that can add a further level of intelligence? For instance, observation of a malware infection could offer insights into what the intruder does once inside the network or what specifically they are looking for. Instructive intelligence can also be gained from past responses.

The last thing that any organization wants is to make the headlines following a security breach. The damage to their reputation can be enormous, as can the financial costs. Unfortunately, it’s not a case of if it will happen, but when it will happen. So, it is essential to have threat intelligence capable of providing a comprehensive and real-time view of the threat. Human interaction, along with automated tools that identify emerging threats for scope and impact; effect attribution to known actors, techniques, tactics and procedures; curate known threats as and when they evolve; and provide validated indicators of compromise (IOCs), offers a higher level of threat intelligence that can be used to enact countermeasures that guard against current and future vulnerabilities and intruders.