The cyber industry is certainly excited by CTI, and I don’t want to predict whether the excitement will blow over any time soon. The Threat Intelligence approach does provide some hope, yes hope, of easing a really difficult problem: knowing what to trust and what not to trust on the Internet. Even slowing down malevolent Internet-based threats should be treated as a success. Is that the whole picture, though? What business problem does CTI solve?
I’m not planning to run through all of the potential impacts that stem from cybercriminals, hacktivists, nation states, malicious insiders and careless users, other than to say that recent history demonstrates that the impacts from these threat actors can be significant. In fact, they can put businesses out of business. The accessibility and prevalence of hacking tools, malware, bots, darknets and hacking services for hire should help to crystallise these risks.
So CTI provides the promise of:
- Prevention – by pre-emptively blocking attacks before they hit and hurt your organisation. Prevention is achieved by ingesting CTI feeds into existing security infrastructure such as firewalls, IPS and SIEM, and configuring automated responses based on pre-set rules.
- Increased visibility – of emerging threats that could be an issue now or in the future. Increased visibility can be delivered by something as simple as manual searches conducted by an analyst within a CTI platform.
- Detection and reaction – to compromises that are happening now. Detection and reaction can combine both of the above methods, coupled with manual intervention or forming part of an integrated incident response process.
CTI can more fully inform the risk assessment process by providing timely, actionable intelligence about the types of threat that are relevant to an organisation and the frequency and severity of those threats. Information on threat actors, and on the frequency and severity of threats, are vital inputs into the risk assessment process.
At a very high level, there are three broad categories of CTI available in the market at the moment. The differences could be the subject of a separate series of articles, so this high-level view is anything but comprehensive. The three broad categories are:
- Open source CTI – provides some pretty handy threat intelligence data, but like all open source efforts it relies on community involvement and may lack the contextual information that makes CTI actionable for specific organisations and sectors. There may be a lot of noise to sift through before truly useful intelligence emerges.
- Vendor-provided CTI – bundled by security product vendors with their existing products, and with the advantage of carrying more contextual data. Many of these vendors have sharing arrangements in place, and their own research and analysis teams draw on those arrangements, on the available open source feeds and on their client community. You do need to be a little careful in selecting vendors, as some draw heavily from open source information only. In that case the only real advantage you get is the convenience of not having to collect and sift the open source information yourself.
- CTI vendor solutions – from vendors whose sole commercial focus is generally CTI. These vendors have their own research and analysis teams, leverage other feeds and often possess big-data infrastructure to contextualise the intelligence. Such feeds can be very granular and can draw on application intelligence and social media. As a consequence, these vendors can provide flexible and highly customised CTI feeds to clients.
Additionally, CTI feeds can be produced by internal systems within an organisation, by Government entities, or by independent groups such as the SANS Internet Storm Center. Irrespective of whether you choose to deploy open source, vendor-bundled or stand-alone commercial CTI vendor solutions, a CTI approach can deliver other benefits. One important potential improvement delivered by dedicated threat intelligence equipment (a CTI appliance) is freeing up other technology resources so that traditional tools operate more efficiently. Reducing the load on your existing security stack, in particular firewalls and IDS/IPS, can potentially extend the working life of that infrastructure and hence save money. Where an appliance-based CTI solution sits in front of the existing security infrastructure and identifies known-bad traffic before it reaches the firewalls and IDS/IPS, the configuration complexity and processing load on those technologies can be reduced. Dynamic blocking is happening, but the reality is that people need to invest time in supporting CTI. Without smart people constantly tuning the feeds and rules, you run the risk of blocking legitimate traffic, or of wasting the money you invested.
The promise of Threat Intelligence is that it will increase the agility of your response, guide your operational security decisions and optimise the efficiency of your existing security stack. The ultimate aim is to reduce the number of security incidents each year.
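As an added example, and not code from the original article or from any CTI product, the following Python sketches the loop described in the three "promise" bullets above (ingest a feed, match it against what the SIEM sees, respond automatically) while building in the tuning caveat from the previous paragraph: a hit only becomes an automated block when the indicator is recent, high-confidence and not on an operator allowlist, and even then the block rule expires. Everything in it is constructed for illustration: the CSV feed shape, the indicator values, the log events, the allowlist, the 80 confidence threshold, the 30-day staleness limit and the 7-day expiry are all assumptions, not the format or policy of any real feed or vendor.

```python
import csv
import io
import ipaddress
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Constructed feed (not a real vendor format); it deliberately carries an unparsable
# row and an internal range, as careless feeds sometimes do.
SAMPLE_FEED = """\
indicator,type,confidence,first_seen
203.0.113.45,ip,90,2024-01-10T08:00:00Z
198.51.100.0/24,ip,60,2024-01-09T12:00:00Z
bad-update.example,domain,95,2024-01-11T03:30:00Z
10.0.0.0/8,ip,70,2024-01-05T00:00:00Z
192.0.2.200,ip,99,2023-10-01T00:00:00Z
not-an-ip,ip,100,2024-01-11T00:00:00Z
"""

# Constructed outbound-connection events, as a proxy or firewall would ship them to a SIEM.
SAMPLE_EVENTS = [
    {"ts": "2024-01-11T09:01:00Z", "dst": "203.0.113.45", "host": ""},
    {"ts": "2024-01-11T09:02:00Z", "dst": "198.51.100.77", "host": ""},
    {"ts": "2024-01-11T09:03:00Z", "dst": "93.184.216.34", "host": "bad-update.example"},
    {"ts": "2024-01-11T09:04:00Z", "dst": "10.0.0.1", "host": "intranet.corp"},
    {"ts": "2024-01-11T09:05:00Z", "dst": "192.0.2.200", "host": ""},
]

ALLOWLIST = {"10.0.0.0/8", "intranet.corp"}  # operator-maintained; never auto-block these
SAMPLE_NOW = datetime(2024, 1, 12, tzinfo=timezone.utc)  # fixed so the run is deterministic

Indicator = namedtuple("Indicator", "value kind confidence first_seen")


def parse_feed(text):
    """Validate every row (kind is "ip" or "domain", confidence 0-100); a row that
    does not parse is dropped on ingest rather than becoming a rule that might block
    the wrong thing."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            value, kind = row["indicator"].strip().lower(), row["type"]
            if kind == "ip":
                ipaddress.ip_network(value, strict=True)  # bare address or CIDR
            elif kind != "domain" or not value:
                raise ValueError("unsupported indicator")
            confidence = int(row["confidence"])
            if not 0 <= confidence <= 100:
                raise ValueError("confidence out of range")
            first_seen = datetime.fromisoformat(row["first_seen"].replace("Z", "+00:00"))
        except (KeyError, ValueError):
            continue
        out.append(Indicator(value, kind, confidence, first_seen))
    return out


def _allowlisted(target, allowlist):
    for entry in allowlist:
        try:
            if "/" in entry and ipaddress.ip_address(target) in ipaddress.ip_network(entry):
                return True
        except ValueError:
            pass  # target is a hostname; fall through to the name comparison
        if target == entry or target.endswith("." + entry):
            return True
    return False


def _hit(ind, event):
    """Return the matched target (destination IP or hostname), or None."""
    host = event.get("host", "").lower()
    if ind.kind == "domain":
        return host if host == ind.value or host.endswith("." + ind.value) else None
    try:
        dst = ipaddress.ip_address(event["dst"])
    except (KeyError, ValueError):
        return None
    return event["dst"] if dst in ipaddress.ip_network(ind.value) else None  # bare IP -> /32


def evaluate(events, indicators, allowlist, now, block_threshold=80, max_age=timedelta(days=30)):
    """Only a recent, high-confidence, non-allowlisted hit becomes a block rule, and
    even that rule expires; every other hit goes to an analyst as an alert."""
    decisions = []
    for event in events:
        for ind in indicators:
            target = _hit(ind, event)
            if target is None:
                continue
            d = {"ts": event["ts"], "target": target, "indicator": ind.value, "expires": None}
            if _allowlisted(target, allowlist):
                d.update(action="ignore", reason="allowlisted")
            elif now - ind.first_seen > max_age:
                d.update(action="alert", reason="indicator stale")
            elif ind.confidence < block_threshold:
                d.update(action="alert", reason="low confidence")
            else:
                d.update(action="block", reason="high confidence", expires=now + timedelta(days=7))
            decisions.append(d)
    return decisions


def block_targets(decisions):
    """Distinct targets to push to the firewall or DNS blocklist."""
    return sorted({d["target"] for d in decisions if d["action"] == "block"})


def run_sample():
    return evaluate(SAMPLE_EVENTS, parse_feed(SAMPLE_FEED), ALLOWLIST, SAMPLE_NOW)
```

Run on the constructed data, only two of the five hits become block rules (the known-bad IP and the malicious update domain); the /24 match is alerted rather than blocked because the feed's confidence is below the assumed threshold, the internal 10.0.0.1 hit is ignored because the allowlist overrides a feed that should never have carried that range, and the 99-confidence indicator first seen months ago is downgraded to an alert as stale. Those three outcomes are exactly the cases where an untuned "block everything the feed says" deployment would either cut off legitimate traffic or clutter the firewall with dead rules, which is the point the paragraph above makes about needing people to keep tuning.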