How To Understand Impact Through Asset Management and Threat Intelligence, Part 1

Originally published by Axonius.

Written by Katie Teitler, Axonius.

Cyber attack surface sprawl has become a top concern — and risk factor — for enterprise organizations. Even before the early 2020 mass exodus out of corporate offices, the proliferation of devices and device types touching corporate networks and corporate-used infrastructure (a.k.a. cloud infrastructure), SaaS applications, and cloud-based services was exponential.

Once remote work took hold, the introduction of new, often unmanaged devices presented an even greater challenge to IT and security teams rushing to gain governance over these assets.

Now, in yet another new era, hybrid work is bringing additional cyber risk. Much of this risk is predicated on the assets organizations must monitor and manage.

In addition, the threatscape is also growing — cyber adversaries are more active than ever, taking advantage of political, environmental, and societal circumstances to launch attacks against people and the organizations for which they work.

To manage cyber risk, security leaders invest in threat intelligence and asset management. These tools and processes are foundational to understanding true risk. From an external perspective, organizations need to understand threat actors’ go-to attack tactics and vectors, active exploits and vulnerabilities, and any potential threat signals that may directly impact their organization. From an internal perspective, security teams must understand their weaknesses in systems and processes and have a way to prioritize remediation. All of this is easier said than done, but relies significantly on knowledge of what tools, technologies, and processes comprise the equation — something we’re calling “asset intelligence,” a process and technique that can significantly impact an organization’s risk posture.

In this multi-part blog series, we’ll explain how to use asset management and threat intelligence effectively, and share why asset intelligence, a term not yet well known, is critical to managing assets and, ultimately, risk.

What is Asset Intelligence?

If “asset intelligence” sounds like a mashup, hybrid term, or an attempt at bringing together two unassociated-but-related topics, that’s because it is. Merging “asset management” and “threat intelligence” gives us “asset intelligence.” (N.B., “Threat management is already its own category, and it’s also an outcome of good asset intelligence, among other inputs, predicated on security assessment and asset hygiene.) But what does “asset intelligence” mean?

A cyber “asset'' is anything in the networking realm: hardware, devices, components, peripherals, software, firmware, networks (cloud, on-prem, virtual), networking equipment, data, data stores, containers, and the users or processes using all of the aforementioned. Importantly, all of these assets must be capable of communicating via digital protocols (which therefore makes them subject to cyber attack). This fact also means that the definition of “asset” could reasonably include the channels/protocols over and from which hardware/software/services/etc. Communicate — IP and Mac addresses, TCP/IP, DNS, and other network protocols.

The definition of “threat intelligence” is equally murky, depending on which source is doing the defining. Nonetheless, most experts agree that “threat intelligence” starts with the data gleaned from an organization's internal networks, and is combined with external data about threat actors, their motivations, and tactics; known vulnerabilities; active exploits; communication channels; and more. But data, alone, is not threat intelligence.

To turn “data” into “intelligence,” it must include context about what is happening and relevancy to the organization analyzing the data. For instance, a vulnerability may receive a critical Common Vulnerabilities and Exposures (CVE) rating based on the fact that the hardware or software it affects is widely deployed and could lead to serious business disruption. Yet, if an organization does not use or own the impacted asset type in its environment, the real-world criticality to that particular organization is low. Further, if a targeted asset for this threat is properly segmented, the data stored in the asset is properly encrypted, or access controls are sufficiently hardened, the damage potential decreases — all based on the context of the environment.

Threat intelligence, therefore, can be summarized as contextualized and enriched data about internal systems and external factors, combined with an understanding of the attack surface, which is an amalgamation of an organization’s network environment (i.e., assets and architecture).

Cyber asset intelligence is a subcategory of threat intelligence that focuses on the vulnerabilities, security gaps, and implemented or missing policies for all assets present in the network environment (which forms the attack surface). Asset intelligence depends on:

• Complete and up-to-date visibility of all assets in the network environment
• Understanding of any vulnerabilities in and threats to those assets
• Knowledge of the interconnections, dependencies, and relationships between assets

While some security practitioners may posit that cyber asset intelligence and asset management are one and the same, effective cyber asset management relies on an organization having the intelligence for its assets to be able to manage them, to prevent threats from disrupting a business, and to rapidly mitigate the threat if it penetrates the network environment by pinpointing the issue.

In other words, cyber asset intelligence is critical to asset management. And without reliable, actionable threat intelligence, organization’s cannot properly assess asset-based threats. Asset intelligence is always actionable — it’s timely, provides context, and can be understood by business decision makers so they can effectively manage cyber and business risk.