How to Use Threat Intelligence to Combat Targeted Attacks
Written by Alex Vakulov
Threat Intelligence (TI) is one of the most complex and, at the same time, most important elements of information security. TI collects information about attacker groups and their tactics and techniques. It supports threat prediction, helps detect attacks, and supplies data to every team working within the information security ecosystem.
Like any other element of the information security system, TI uses its own tools and services. Competent usage of these tools helps to build an effective process for obtaining vital security information.
What is Threat Intelligence?
The term Threat Intelligence directly indicates that the purpose of this area of information security is to collect knowledge about threats and analyze them. SANS Institute provides the following definition: "The analysis of an adversary's intent, opportunity, and capability to do harm is known as Cyber Threat Intelligence."
TI is understood as a combination of two elements:
- The process of obtaining and accumulating knowledge about threats from various sources.
- The availability of a platform that allows you to aggregate, analyze, and use the accumulated knowledge.
Who needs Threat Intelligence and why?
TI emerges in a company long before a TI platform is launched. Before that, companies already collect information about existing threats and monitor traffic. In fact, the initial elements of TI are present in almost every company that gives information security due attention.
TI can be viewed as a set of specific knowledge and skills. TI knowledge and skills reflect the level of information security maturity achieved by the company.
The basic level of TI is formed by reading and analyzing vendor and industry reports. This information helps companies increase their expertise in order to start building the necessary processes later. After that, the value of the collected TI information increases significantly. This knowledge is accumulated and then implemented in the information security infrastructure and helps protect against attacks.
At the same time, it should be remembered that TI vendors and their customers approach Threat Intelligence differently. Vendors create TI solutions as part of their own development of protection tools. Vendors try to create the best detection methods and threat feeds in order to offer an integrated commercial product. The customer’s view is slightly different. The customer attempts to embrace TI primarily at a strategic level asking questions like: what threats does TI help protect against and what cyber risks can it cover? Therefore, the maturity of information security in the company is crucial here. To answer these questions, the company must mature in terms of its security processes.
Threat Intelligence levels: strategic, operational, tactical
In information security, TI is considered a system of three levels: strategic, operational, and tactical. Each of them has its own "customer," uses certain tools, and affects the operation of the company's information security system in different ways.
- The strategic level refers to the collection and usage of information about current attack trends, risks, and hacker groups that are involved in attacks against related companies or industries. The collected information allows you to assess what is happening in the information security world as a whole and learn about current threats circulating in specific regions. The strategic level enables you to assess, set priorities, and develop relevant information security competencies in the company.
- The operational level usually covers everything related to the tactics and techniques used by attackers. The MITRE ATT&CK matrix is a very popular source of such information: it describes in detail how attackers infiltrate systems and move through them. Operational-level data allows you to allocate budget and staff properly when building an enterprise protection system, and to understand what needs to be done to protect against the external threats relevant to a given region or industry.
- The tactical level of TI reflects technical information about certain groups of intruders. This information allows you to identify attack signs and indicators and detect threats the company may face.
What do customers expect from Threat Intelligence tools?
As already mentioned, the degree of TI implementation in a company strongly depends on the maturity of its information security processes. Usually, customers want to buy feeds (sets of threat indicators) and build a cybersecurity ecosystem on top of them. This is a purely technical, tactical-level implementation of TI.
There is a misconception that connecting feeds solves all TI tasks. When an indicator fires, you still need to understand what exactly happened: what the detected malware actually does in the company's infrastructure, which stage of the attack the indicator corresponds to, and which other hosts are involved. This requires additional information and analysis, and it is what lets the security team plan its next steps. That is already the operational level of Threat Intelligence.
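The following added example (not code from the original article) shows the difference between a bare indicator hit and the operational context the paragraph above asks for. It matches a small constructed feed against constructed proxy/EDR log lines and then groups the hits by attributed family, host and ATT&CK technique. The feed values, log lines, family names and technique mappings are all hypothetical; the observable extraction deliberately normalizes case, trailing dots and non-routable junk so that feed entries and log values compare equal.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str       # "ipv4", "domain" or "sha256"
    value: str      # indicator value as published by the feed
    family: str     # malware family or intrusion set the feed attributes it to
    technique: str  # MITRE ATT&CK technique ID the feed associates with it
    note: str       # what the indicator means when it fires


# Constructed feed (hypothetical values: RFC 5737 addresses, a .test domain,
# a dummy hash). The family, technique and note columns are the operational
# context that a feed of bare indicators usually lacks.
FEED = [
    Indicator("ipv4", "203.0.113.7", "ExampleRAT", "T1071.001", "HTTP C2 beacon"),
    Indicator("domain", "cdn.example-bad.test", "ExampleRAT", "T1105", "stage-2 payload download"),
    Indicator("sha256", "a" * 64, "ExampleRAT", "T1204.002", "dropper document"),
    Indicator("ipv4", "198.51.100.23", "NoiseScanner", "T1595.002", "mass vulnerability scanning"),
]

# Constructed log lines in a simplified key=value proxy/EDR format.
LOGS = [
    "ts=2024-03-01T08:00:01Z host=ws-17 event=file_write sha256=" + "a" * 64,
    "ts=2024-03-01T08:00:05Z host=ws-17 event=dns query=CDN.Example-Bad.test.",
    "ts=2024-03-01T08:00:09Z host=ws-17 event=net dst=203.0.113.7 dport=80",
    "ts=2024-03-01T08:12:00Z host=edge-fw event=net src=198.51.100.23 dport=443",
    "ts=2024-03-01T08:13:00Z host=ws-02 event=net dst=203.0.113.8 dport=443",
]

PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}


def normalize(kind, raw):
    """Canonical form so that feed values and log values compare equal."""
    if kind == "ipv4":
        return str(ipaddress.ip_address(raw))   # raises ValueError on junk
    if kind == "domain":
        return raw.rstrip(".").lower()           # drop FQDN trailing dot, fold case
    return raw.lower()


def extract_observables(line):
    """Pull every candidate IP, domain and SHA-256 out of one log line."""
    found = set()
    for kind, pattern in PATTERNS.items():
        for raw in pattern.findall(line):
            try:
                found.add((kind, normalize(kind, raw)))
            except ValueError:   # e.g. "999.1.1.1" matches the regex but is not an IP
                continue
    return found


def match_feed(logs, feed):
    """Tactical level: one hit per (log line, matching indicator) pair."""
    index = {(ind.kind, normalize(ind.kind, ind.value)): ind for ind in feed}
    hits = []
    for line in logs:
        host = re.search(r"\bhost=(\S+)", line)
        for key in extract_observables(line):
            indicator = index.get(key)
            if indicator is not None:
                hits.append({"host": host.group(1) if host else "?",
                             "indicator": indicator, "line": line})
    return hits


def triage(hits):
    """Operational level: per family, which hosts, which techniques, which stages."""
    summary = defaultdict(lambda: {"hosts": set(), "techniques": set(), "stages": []})
    for hit in hits:
        ind = hit["indicator"]
        entry = summary[ind.family]
        entry["hosts"].add(hit["host"])
        entry["techniques"].add(ind.technique)
        entry["stages"].append(ind.note)   # logs are chronological, so this is attack order
    return dict(summary)


if __name__ == "__main__":
    for family, entry in triage(match_feed(LOGS, FEED)).items():
        print(family, sorted(entry["hosts"]), sorted(entry["techniques"]), entry["stages"])
```

On the constructed input the raw feed match produces four hits; the triage step is what turns them into a statement an incident responder can act on: one workstation has gone through dropper, stage-2 download and C2 beaconing for a single family, while the firewall hit is unrelated scanning noise. Without the family and technique columns, the four hits would look like four unrelated alerts.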
At the same time, the developer of a TI solution cannot sell Threat Intelligence to the customer by levels. Such products may be divided into parts, but the division principles will differ. They can be divided by type of threat, but the supplied solution always contains tools for all three levels of Threat Intelligence - strategic, operational, and tactical.
It should be noted that TI systems are not cheap, and many customers cannot afford them. If a customer is not yet fully prepared or does not have the budget to implement a TI service, it is still strategically wrong (from the provider's point of view) to refuse the service entirely. A customer who approaches a vendor has a need. The vendor can offer a trial period or a limited set of specific or free feeds, and after some time the customer will decide how to proceed.
Experience shows that TI products are bought by a wide variety of companies. The need for reliable defense arises as soon as a business starts operating, because bad actors and competitors are already active at that point. Companies therefore have to identify threats, deploy protection tools, take care of backups, formulate policies, and so on. There is no getting away from this, regardless of the size of the company or its location.
Currently, TI solutions are rapidly gaining popularity among small businesses. They differ from large enterprises in facing their own set of threats: the probability of being targeted by a capable APT group is low for them, although such cases do occur, but small companies still have to protect themselves from intrusions and DDoS. They therefore also need to connect the appropriate feeds.
Threat Hunting and Threat Intelligence
TI is an essential element of proactive threat search, or Threat Hunting. The Threat Hunting team is responsible for detecting traces of intrusion or of malware activity, and TI supplies it with operational-level information.
Threat Hunting and Threat Intelligence are therefore directly related. When a company has intelligence in the context of an incident (and even in the absence of one), it helps to find the right indicators and attack signs on compromised devices. Threat Hunting then builds its ongoing monitoring around those indicators and the list of attacks it watches for.
Strategic-level Threat Intelligence reports
Many vendors of TI solutions periodically issue reports reflecting statistics for the previous period and giving a forecast for the following year. These reports are of a strategic nature for companies.
The most important thing in these reports is to tell customers how to regroup, what areas to focus on, and how to develop their competencies to confidently withstand the attacks that are expected in the future. If companies do not have their own Threat Intelligence, then they have no other sources of information that they can use to navigate the trends in information security except for such reports.
At the same time, these reports also carry marketing material. It is important to separate these components: live threat statistics and analytics vs. marketing.
The practice of applying Threat Intelligence
Currently, there are several hundred free sources of TI information of a purely technical nature. For TTPs (tactics, techniques, and procedures), up to a hundred additional sources can be found in the public domain, and around twenty vendors publish strategic reports. These are only the free sources, excluding paid ones. Most customers are unable to process such a volume of information on their own.
The problem is that there is currently no "gold" TI vendor whose product covers every emerging task. Besides, each company has its own needs.
According to the SANS Institute survey, in 2021 more than 80% of respondents used several sources of TI information simultaneously. In practice, many companies use up to eight sources of TI. Everything depends on the budget and on the protection benefit obtained.
It is important to remember that open-source data helps repel only mass threats. If it comes to withstanding complex targeted attacks, then it is necessary to move to the operational level. Data on complex targeted threats is not easy to find, analyze, and link together. Such attacks require painstaking research.
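The passage above describes the practical problem of consuming many overlapping sources, including open-source feeds. The following added example (not code from the article or from any vendor named here) merges three constructed feeds published in different formats, normalizes their indicators so duplicates collapse, drops a known-benign value, and ranks what remains by how many independent sources corroborate it. Feed contents, feed names, the allowlist and the "source count as confidence" scoring are all illustrative assumptions; the STIX reader handles only the single-comparison pattern form shown and is not a general STIX 2 parser.

```python
import csv
import io
import ipaddress
import json
import re
from collections import defaultdict

# Three constructed feeds in formats open sources commonly publish. Values are
# hypothetical (RFC 5737 ranges, a .test domain); 8.8.8.8 stands in for the
# kind of benign infrastructure that open feeds regularly list by mistake.
FEED_A_CSV = """value,type,confidence
203.0.113.7,ipv4,80
Cdn.Example-Bad.TEST,domain,60
8.8.8.8,ipv4,10
"""

FEED_B_TXT = """# one indicator per line, '#' starts a comment
203.0.113.7
198.51.100.23
203.0.113.0/24   # whole hosting range
"""

FEED_C_JSON = json.dumps({"indicators": [
    {"pattern": "[domain-name:value = 'cdn.example-bad.test.']"},
    {"pattern": "[ipv4-addr:value = '203.0.113.7']"},
]})

# Known-benign values to drop before anything reaches a detection tool (assumed).
ALLOWLIST = {"ipv4": {"8.8.8.8"}}


def normalize(kind, raw):
    """Canonical (kind, value) so the same indicator from two feeds compares equal."""
    raw = raw.strip()
    if kind == "ipv4":
        return kind, str(ipaddress.ip_address(raw))
    if kind == "ipv4_net":
        return kind, str(ipaddress.ip_network(raw, strict=False))
    if kind == "domain":
        return kind, raw.rstrip(".").lower()
    raise ValueError(f"unsupported indicator type: {kind}")


def parse_csv(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield normalize(row["type"], row["value"])   # confidence column ignored here


def parse_plain(text):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield normalize("ipv4_net" if "/" in line else "ipv4", line)


# Minimal reader for the single-comparison form of a STIX 2 indicator pattern.
STIX_RE = re.compile(r"\[(domain-name|ipv4-addr):value = '([^']+)'\]")
STIX_KINDS = {"domain-name": "domain", "ipv4-addr": "ipv4"}


def parse_stix(text):
    for indicator in json.loads(text)["indicators"]:
        match = STIX_RE.fullmatch(indicator["pattern"])
        if match:
            yield normalize(STIX_KINDS[match.group(1)], match.group(2))


def parse_all():
    return {
        "feed_a": list(parse_csv(FEED_A_CSV)),
        "feed_b": list(parse_plain(FEED_B_TXT)),
        "feed_c": list(parse_stix(FEED_C_JSON)),
    }


def merge_feeds(parsed, allowlist):
    """Map each distinct indicator to the sorted list of feeds that report it."""
    sources = defaultdict(set)
    for name, entries in parsed.items():
        for kind, value in entries:
            if value in allowlist.get(kind, ()):
                continue
            sources[(kind, value)].add(name)
    # A feed that lists a network also vouches for every address inside it.
    nets = [(ipaddress.ip_network(v), s) for (k, v), s in sources.items() if k == "ipv4_net"]
    for (kind, value), srcs in sources.items():
        if kind == "ipv4":
            addr = ipaddress.ip_address(value)
            for net, net_srcs in nets:
                if addr in net:
                    srcs |= net_srcs
    return {key: sorted(srcs) for key, srcs in sources.items()}


def rank(merged):
    """Most-corroborated indicators first; ties broken by kind and value."""
    return sorted(merged.items(), key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for (kind, value), srcs in rank(merge_feeds(parse_all(), ALLOWLIST)):
        print(f"{len(srcs)} source(s)  {kind:9} {value:25} {','.join(srcs)}")
```

Three formats of the same C2 address collapse into one entry reported by all three feeds, the mixed-case domain with a trailing dot collapses into one entry reported by two, and the benign resolver is dropped before it can generate false positives. Source count is a crude proxy for confidence, and it says nothing about what the indicator means, which is exactly why the article treats open feeds as adequate for mass threats only.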
Today, TI is increasingly implemented to improve the work of the Incident Response team, and having such a team is highly desirable when implementing TI. Speeding up its work is what makes protection effective. Success here largely depends on how quickly the company can understand which attacker group it has encountered, what the attacker has already managed to do, and how deeply it has penetrated the company. TI can provide this vital information.
The qualifications of customers have noticeably increased recently. Banks are a good example. They are now interested in comprehensive information on the groups that target financial institutions: where attacks originate, which tactics the attackers use, what intelligence is available about a specific group, and how to separate that data from the entire flow of information being collected. As a result, banks buy every TI platform on the market one after another, analyze the information, and find suitable solutions themselves.
The efficiency of using Threat Intelligence tools
The effectiveness of TI can be evaluated at different levels. If we evaluate TI at a strategic level, then only time can show the effectiveness of its implementation. Over time comes an understanding of the correctness of the chosen decision, risk assessment, and built-in protection. At the strategic level, not only technical details should be evaluated, but also various geopolitical processes, such as hacktivism or wars. You can quickly become the next target if you do not take these processes into account.
At the operational level, the effectiveness of TI shows in whether the protection that was built is correct. At first glance, it might seem that if nothing happened, the effort to implement TI was wasted. That is not necessarily the case. Silence may also mean that the scope of monitoring was set too narrowly, so the TI system simply does not see what is happening next to it. The assessment of an implementation's effectiveness will therefore always be specific to the company, and only time can confirm that the chosen solution was the right one.
Threat Intelligence development forecasts
Based on current trends, it is clear that TI will develop along the path of increasing the strategic and operational levels within the company. This will lead to the closer integration of customers and vendors of TI solutions. Customers will analyze data on their side, ask questions more actively, and help move the industry forward. Thanks to this interaction, TI maturity will grow on the side of both the vendor and customers. In general, TI is moving toward integration with other security solutions and products. TI is expected to become a part of larger, integrated platforms in the future.
About the Author
Alex Vakulov is a cybersecurity researcher with over 20 years of experience in virus analysis. Alex has strong malware removal skills. He is writing for numerous security-related publications sharing his security experience.