Threat intelligence crucial, but isn’t one-size-fits-all

Criminal and state-sponsored hacking groups are increasingly choosing targets that will have the greatest impact on governments and the public. Breaches at government contractor Capita, the Royal Mail, and Denmark’s central bank over the last several months show how any organisation can be a target, meaning security teams must be on constant watch to protect their own interests.

It’s no surprise that security efforts at a bare minimum need to be dedicated to the basics. But incorporating threat intelligence and effectively applying it while undertaking these proactive measures can take an organisation’s security posture to the next level. The data it provides can be invaluable, as demonstrated in the immediate aftermath of the SolarWinds hack, when information was being distributed rapidly to inform organisations of how deep their exposure was. But there are challenges that must be addressed before threat intelligence can be effectively utilised by organisations to keep threat actors at bay.

Proactive risk mitigation in a changing threatscape

When used in the right way, threat intelligence can reduce risk by blocking known indicators of compromise. Firewalls and web filtering services play a role at an organisation level, but they can only do so much. If you want to have the assurance of protection at scale and to gather essential threat intelligence from data, more robust solutions, like Protective DNS services, could provide that confidence and insight that ensures organisations are defended but also have the information they need to detect and respond. 

National cyber authorities like the National Cyber Security Centre (NCSC) in the UK and Cybersecurity and Infrastructure Security Agency (CISA) in the US operate quickly and effectively to disseminate threat intelligence for public consumption. These agencies issue regular updates and urgent alerts to warn of threat actor activities and vulnerabilities that have been exploited, as well as sharing information on IoC's and APTs behind the scenes amongst partners. It is the responsibility of organisations to heed these warnings when they’re presented and quickly factor this information into their own security systems to ensure they’re up to date. When external data sources and insights such as these are combined with threat intelligence from an organisation's internal data to understand their own threat landscape, it helps build a picture of the biggest risks so the right mitigations can be implemented.

Understanding the issue

Many associate threat intelligence with threat feeds, which are essentially just a stream of data of variable quality. Those feeds may not be relevant to an organisation’s sector, region or threat model, so to effectively use threat intelligence there needs to be a clear understanding of what that organisation’s intelligence goals are. One common issue is the fact that this is often a multi-stakeholder decision. In some organisations that can create a bottleneck, while in others the relevant stakeholders may not have enough of an understanding of the security landscape to make an informed decision. 

If the key figures of an organisation aren’t fully aware of the potential security threats, it makes it difficult to properly tailor a cyber strategy capable of defending against those threats. By failing to prioritise the appropriate threats and attempting to defend against everything all at once, an organisation risks becoming ineffective in all areas of cyber defence rather than expert in the areas posing the biggest threats. Reading up on the latest threat reports and briefings is an easy way to be up to date on the threat landscape. Carrying out regular threat assessments as an organisation and analysing their outputs is an effective way to help get everyone on the same page. Collaboration and information sharing with industry peers can also be incredibly helpful in staying on the front foot as threat actors will often target multiple organisations within the same industry using similar techniques.

Dealing with information overload

Once the goals are understood, the next step is to source the appropriate data to meet them. Too much data or low-quality data are often the biggest enemies of a threat intelligence team. Incident response teams often get overloaded with alerts being triggered by that intelligence with no way of prioritising, which leads to some alerts just being ignored. This is where categorisation is needed to counteract information overload. To overcome this, it’s important to agree on intelligence goals and then find threat intelligence sources that are aligned with them. 

Organisations should assess their data and only bring in data that is of high quality and is aligned with their goals. They can also choose to use filtering to only raise alerts for specific indicators or types of threats that match their biggest risks. Other alerts can still be logged, but by ensuring security teams focus on the biggest risks, organisations can reduce the risk of information overload. When implemented correctly, cyber security tools such as Security Information Event Management (SIEM) can be very useful, but if they are implemented poorly or not managed properly, then they can become another overhead that makes it difficult to pick out the real threats from the noise.

Threat actors are constantly upgrading their tactics and threat intelligence is a key component in enabling organisations to stay one step ahead. As cyber attacks continue to make headlines, threat intelligence becomes increasingly important for security teams to utilise if they wish to have the best gameplan possible to protect their systems. Taking quick note of and implementing necessary actions from threat warnings, having a full understanding of the threats, and cutting through the wealth of data to utilise the most relevant information are just a few of the factors that organisations should focus on when implementing threat intelligence properly. Regardless of approach, keeping up to date with the threat landscape is vital as hackers continue to up the ante with the targets they strike.