While threat intelligence is often associated with the data that powers standard security technologies such as firewalls, antivirus, and filtering, dedicated threat intelligence offers much more.
To understand what dedicated threat intelligence involves, as well as some of the collaboration challenges that come with distributing threat intelligence amongst specialised security teams, we spoke to ThreatQuotient APJC regional director Anthony Stitt. ThreatQuotient is a security firm that specialises in threat intelligence services for organisations worldwide.
Threat intelligence: A growing market
“Threat intelligence is coming from everywhere, and it is very democratised. There are specialist vendors who produce it, and the Australian Government has even been doing some things in this space, particularly through state and federal government initiatives to collect and share intelligence,” notes Stitt.
He believes there's a shift in thinking about threat intelligence, how it gets used and how it gets managed, particularly as security teams seek a sharper relevance to their own organisations and sectors.
Stitt says that actionability is a key problem for threat programs because it takes time for analysts to sift through masses of information to find relevance. But there's a temporal problem: Do organisations focus on comprehensive, delayed intelligence and risk attacks, or immediate intelligence without context?
“In the background, analysts are investigating adversaries and their behaviour. A lot of intelligence has been researched prior to being published, which means there is often a delay, sometimes of up to a month or more, while it is being prepared and validated.
“The longer the preparation time, the more context and information is likely to come with the intelligence, but any given organisation might be at risk during this gap period.
“At the other end of the spectrum, some intelligence services release threat intelligence incredibly quickly - almost in real-time - yet it often lacks context. The context is generally what analysts use to determine the priority and what to do with it.”
Stitt says there are two equally important aspects about actioning priority intelligence: The first is to block future attacks; the second is to detect previously successful attacks that you didn't detect at the time they happened.
“This second aspect is extremely difficult without a threat intelligence platform to store and score intelligence over a long timescale, and correlate it with historical event data from the environment.”
He adds that most intelligence comes with different tags, identifiers, attributes, ratings and priorities, yet every source refers to these in different ways. This is where a Threat Intelligence Platform (TIP) can help by normalising threat intelligence.
Stitt explains, “A TIP can filter and rank threat data using parameters like your organisation's geography, industry, the type of intelligence, where it came from, and a range of other contextual relationships.
“This prioritises all incoming intelligence so analysts know where to start first, and typically gets rid of noise by more than 99%, which allows organisations to focus on taking action where required.”
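The two ideas above, normalising differently-labelled feeds and scoring them against an organisation's profile, then sweeping historical event data for indicators that were not known at the time, can be shown in a small Python example. This is an added illustration, not ThreatQuotient's code or a description of how its platform scores intelligence: the two feed schemas, the field mappings, the scoring weights, the organisation profile and the log lines are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    """Common schema every feed is normalised into (assumed, not a standard)."""
    value: str
    kind: str            # normalised type: "ip", "domain" or "sha256"
    source: str          # which feed it came from
    confidence: int      # normalised to a 0..100 scale
    sectors: frozenset   # normalised sector tags, e.g. {"finance"}
    regions: frozenset   # normalised region tags, e.g. {"AU"}


# Constructed sample feeds (not real intelligence). Each feed uses its own
# field names, type vocabulary and confidence scale, which is the problem a
# TIP's normalisation step has to solve.
FEED_A = [
    {"indicator": "203.0.113.45", "type": "ipv4", "confidence": 85,
     "sectors": ["finance"], "regions": ["AU"]},
    {"indicator": "198.51.100.7", "type": "ipv4", "confidence": 40,
     "sectors": [], "regions": []},
]
FEED_B = [
    {"value": "evil-update.example", "ioc_type": "fqdn", "score": 0.7,
     "targets": ["Financial Services"], "geo": ["Australia"]},
    {"value": "cdn-static.example", "ioc_type": "fqdn", "score": 0.3,
     "targets": ["Retail"], "geo": ["United States"]},
]

# Vocabulary mappings from each feed's labels to the common schema (assumed).
KIND_MAP = {"ipv4": "ip", "fqdn": "domain", "sha256": "sha256"}
SECTOR_MAP = {"Financial Services": "finance", "Retail": "retail"}
REGION_MAP = {"Australia": "AU", "United States": "US"}

# The consuming organisation's own context, used to rank relevance.
ORG_PROFILE = {"industry": "finance", "region": "AU"}


def normalise_feed_a(records):
    """Feed A already uses a 0..100 confidence and short sector/region tags."""
    return [Indicator(r["indicator"], KIND_MAP[r["type"]], "feed_a",
                      int(r["confidence"]), frozenset(r["sectors"]),
                      frozenset(r["regions"])) for r in records]


def normalise_feed_b(records):
    """Feed B uses a 0..1 score and verbose sector/region names; map both."""
    return [Indicator(r["value"], KIND_MAP[r["ioc_type"]], "feed_b",
                      round(r["score"] * 100),
                      frozenset(SECTOR_MAP[t] for t in r["targets"]),
                      frozenset(REGION_MAP[g] for g in r["geo"]))
            for r in records]


def relevance_score(ind, profile):
    """Source confidence plus bonuses for matching the organisation's context.
    Indicators with no context at all are penalised: they are the 'fast but
    uncontextualised' intelligence the text describes. Weights are assumed."""
    score = ind.confidence
    if profile["industry"] in ind.sectors:
        score += 30
    if profile["region"] in ind.regions:
        score += 20
    if not ind.sectors and not ind.regions:
        score -= 10
    return score


def prioritise(indicators, profile, threshold=60):
    """Return (score, indicator) pairs at or above the threshold, best first."""
    scored = [(relevance_score(i, profile), i) for i in indicators]
    kept = [(s, i) for s, i in scored if s >= threshold]
    kept.sort(key=lambda si: (-si[0], si[1].value))
    return kept


# Constructed historical proxy/firewall events, older than the intelligence.
HISTORICAL_EVENTS = [
    "2024-02-11T08:14:02Z proxy user=alice dst=evil-update.example action=ALLOW",
    "2024-02-11T08:14:09Z fw src=10.0.4.21 dst=203.0.113.45 dport=443 action=ALLOW",
    "2024-02-12T13:02:51Z proxy user=bob dst=intranet.corp.example action=ALLOW",
    "2024-02-13T17:45:10Z fw src=10.0.4.9 dst=198.51.100.7 dport=80 action=ALLOW",
]


def retrospective_matches(prioritised, events):
    """Correlate prioritised indicators with past events: each hit is a
    connection that was allowed before the indicator was known."""
    watch = {ind.value: score for score, ind in prioritised}
    hits = []
    for line in events:
        fields = dict(f.split("=", 1) for f in line.split()[2:] if "=" in f)
        dst = fields.get("dst")
        if dst in watch:
            hits.append((line, dst, watch[dst]))
    return hits


if __name__ == "__main__":
    indicators = normalise_feed_a(FEED_A) + normalise_feed_b(FEED_B)
    ranked = prioritise(indicators, ORG_PROFILE)
    for score, ind in ranked:
        print(f"{score:>4}  {ind.kind:<7} {ind.value} ({ind.source})")
    for line, value, score in retrospective_matches(ranked, HISTORICAL_EVENTS):
        print(f"RETRO HIT [{score}] {value}: {line}")
```

With the constructed data, the generic IP with no sector or region context and the retail-targeted domain fall below the threshold, while the two finance/AU indicators are ranked first; the retrospective sweep then surfaces the two historical connections to those indicators that were allowed at the time. In practice the weights, the threshold and the event parser would be tuned to the organisation's own feeds and log formats.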
The evidence board: Threat intelligence collaboration in remote environments
Security teams must protect their corporate networks and employees' remote networks from all different kinds of threats. How difficult is this task given that everyone, including the security team, is now working from home?
While security teams and those in security operations centres (SOCs) may have experience working remotely, some tools sit in inherently protected environments that cannot be accessed remotely.
“There has also been a challenge in terms of how security staff work and collaborate. Normally in an office, someone would be able to lean over and talk to the person at the next desk for immediate feedback. If you're not doing that in a physical environment, you end up relying on tools that don't always foster collaboration.”
That challenge is one of many that led ThreatQuotient to design a ‘virtual cybersecurity situation room’, which essentially houses threat intelligence data.
“Security teams are getting larger and more specialised over time, leading to segmentation into different groups, different teams, and more siloing. For example, there may be separate groups for security monitoring and threat intelligence, vulnerability assessments and risk – they'll all be using their own tools and platforms.”
Stitt says that siloed teams have the common goal of defending their organisation but siloes inevitably come with communication and information gaps.
To explain the difference between whole-of-group collaboration and siloed teams, Stitt uses the analogy of ‘evidence boards’ in crime TV shows, where investigators gather around the evidence to work out the details of a crime.
“The question we asked was, ‘how does that happen in a cyber threat environment?’ We wanted an evidence board so that different teams can virtually come together and visually work on the same goal, like working out the pieces of a breach or crime.”
Such a platform is well suited to a distributed workforce, because everybody collaborates in the same space, solving the issue of siloed and remote teams.
A single, virtual collaborative environment can also offer security teams the ability to actively share learnings or communicate directly with each other; divvy up tasks to focus on response and understand the actions required of others; and manage security teams effectively by assigning tasks to individuals, coordinating tasks between teams, and monitoring results.
“The key thing that businesses need to think about as they grow and get more specialised is how they use methods and tools to coordinate teams. Even small communication gaps are potential avenues that attackers can use because there will likely be lapses in security coverage,” Stitt says.
With threat intelligence and dedicated virtual cybersecurity situation rooms to bring security teams together, communication gaps and any resulting cyber attacks have one less opportunity to create chaos.