I recently had a free-wheeling conversation with Scott Jarkoff to get his rich perspective on what threat intelligence entails, where organizations go wrong with their threat intel, what the key components of a threat intel program are, amongst others.
Ransomware attacks can have a devastating impact on organizations, their customers, and even, critical infrastructure or supply chains. In an ever-changing and ever-evolving landscape, threat intel is critical in mapping current and potential cyber-attacks. It enables one to map bad actors and their tactics. This, in turn, will help organizations to better defend and respond to cyberattacks.
Understanding Threat Intelligence
Threat intelligence focuses on the collection and analysis of information about current and potential cyberattacks that threaten the safety of an organization or its assets. It is designed to help people better understand what a threat is, what kind of attacks are taking place and what the threat landscape looks like. Threat intelligence is a proactive security measure that prevents data breaches thus protecting the organisation from financial, productivity or reputational damage. Its purpose is to give companies an in-depth understanding of the threats that pose the greatest risk to their infrastructure and tell them what they can do to protect their business.
Organisations today that don’t utilise threat intelligence are really just scratching the surface of cybersecurity. When they observe an alert, they resolve that and move on to the next one without giving a thought as to why the incident occurred. Threat intelligence contextualises the alert or attack so the organisation can better understand the threat, identify what controls need to be deployed and gain visibility into what sort of risks exist. This is the reason why it matters, it is all about being proactive and decreasing the risk of an organisation successfully being breached both now and in the future.
The core components of a threat intel program
There are three main types of threat intelligence areas – tactical, operational and strategic. Tactical being lowest point on the scale to strategic being the far more macro view of how intelligence is used in an organization.
- Tactical: This layer is all about automation. The objective of tactical intelligence is to obtain a broader perspective of threats to combat the underlying problem. It is focused on the immediate future, is technical in nature, and identifies simple indicators of compromise (IOCs). IOCs are things such as bad IP addresses, URLs, file hashes and known malicious domain names. This is the easiest type of intelligence to generate and is almost always automated. As a result, it can be found via open source and free data feeds, but it usually has a very short lifespan and can only influence day-to-day operations and events because IOCs such as malicious IPs or domain names can become obsolete in days or even hours.
- Operational: Operational intelligence is most useful for those cybersecurity professionals who work in a security operations centre (SOC) and are responsible for organisational security on a daily basis. The objective of operational intelligence is to engage in campaign tracking and actor profiling to gain a better understanding of the adversaries behind the attacks. The key components of this layer are the intelligence reports and human behaviour analysis that help SOC operators contextualise the attacks taking place and understand the mode of operation of the adversaries as well as their approach. This layer of threat intelligence offers insight, motivations, and objectives behind an attack. Some output data types from this layer could be tactics, techniques and procedures (TTP), descriptions, triggers, and patterns.
- Strategic: This layer provides an understanding of what the risk to the entire business is, here the adversaries are most likely to target the business based on the vertical and geography that they operate in as well as the mission-critical assets that they have. The objective of strategic intelligence is to inform business decisions and the processes behind them. Strategic intelligence shows how global events, foreign policies, and other long-term local and international movements can potentially impact the cyber security of an organization. Strategic intelligence helps decision-makers understand the risks posed to their organizations by cyber threats. With this understanding, they can make cybersecurity investments that effectively protect their organizations and are aligned with their strategic priorities.
Where are organizations going wrong in using threat intelligence?
First and foremost, many organizations are not using threat intelligence due to limited awareness of how it can help. The biggest issue today is that we don’t see enough adoption of threat intelligence and we just see organizations relying on the alerts on their security information and event management (SIEMs) system. With today’s adversaries, that’s simply not enough. They need to enrich the SIEM with intelligence, to have a better understanding of how attacks are conducted and which adversaries are potentially going to attack. So, the lack of threat awareness is probably the biggest area where I see organizations are going wrong. Recognizing areas of highest organizational risk and matching them to relevant threat intelligence is the first step in creating a threat intelligence program that ensures the best use of resources.
Usage of threat intelligence is a journey, you start with the tactical layer, do everything in an automated fashion and then as you grow your intelligence capabilities you move up the ladder from operational to strategic.
Improper implementation of threat intelligence and secondly, trying to dive in to deep too quick also impacts the organisation adversely. If an organization has limited resources, diving into the operational or strategic layer immediately may not be the right move because the resources won’t be in place to execute or act on the intelligence. This causes failures for the organisation in terms of threat detection and incident response.
Organizations today are not recognizing that threat intelligence is designed to be used by the entire organization as a holistic product and not just the responsibility of a specific team such as the intelligence team or the security operations team. It is meant to be used by everyone starting from the C-suite executives getting intelligence on what the risk to the business is and even the vulnerability management team understanding what adversaries are targeting the business and what vulnerabilities those adversaries are trying to exploit in those attacks. Partial adoption and implementation of threat intelligence should be avoided at all costs.
Steps required to make Threat Intel an effective part of cybersecurity
Today’s security professionals recognize that threat intelligence is a critical component in their cyber toolkit, enabling them to proactively respond and pre-empt advanced threats. Yet many of these professionals are having a difficult time understanding the array of threat intelligence solutions available and how to best utilize them within their organizations.
Organizations can start with the tactical layer with automation at first and integrate the threat intelligence program within their existing investments. For example, CrowdStrike has a technical add on for Splunk that allows CrowdStrike customers to periodically retrieve Intelligence Indicator data from the CrowdStrike Intel Indicator API and ingest that data into their Splunk Environment. This enables organizations to leverage CrowdStrike’s industry-leading intelligence to provide proper security context to the rest of their machine data. So threat intelligence can be deployed quite easily at a tactical layer with automation with existing integrations. In the operational part of implementing threat intelligence, experienced personnel are required to effectively make use of intelligence and to understand how to contextualize it. This is a people and process-driven deployment.
To effectively use the intelligence at the operational layer it requires the right people with relevant skill sets to consume and grasp the intelligence reports on how adversaries conduct the attacks. Also, there needs to be processed in place for sharing intelligence with the right stakeholders across the organization so that they are aware of potential issues and adversaries that need to be fixed.
Here are some steps required to make threat intelligence an effective part of cybersecurity:
- Key stakeholders need to be informed of the latest threats and the impact on the business
- Members from the security team and other security related teams should be aware of the bad actors, their attack methods and procedures, their motives, and potential threats and vulnerabilities the organisation is exposed to
- All relevant team members should help and cooperate with the security team to proactively tackle future cyber-attacks
- The entire organisation should assist the security operations teams to triage cyber-attacks, risk analysis, vulnerability management, and wide-scope decision making
Contextualizing threat intelligence
Threat Intelligence is a key component of CrowdStrike’s effective approach. Organizations must have consumable intelligence so that they can understand the adversary, learn from attacks and take action on indicators to improve their overall defences.
Contextualizing threat intelligence is to understand how the adversaries conduct attacks. For example, to give the notion of how ransomware attacks occur, it starts with an adversary performing some level of credential harvesting. So, those credentials can be harvested in an automated fashion and then are sold to criminals/attackers on the dark web. These adversaries are looking to deploy ransomware in that targeted environment. That is one way of how the attack sequence begins. The other way is spear phishing where the adversary crafts an email with an alert that has malware e.g. Emotet on it. Emotet has made a strong comeback in the last couple of months even though the malware disappeared in the majority of 2021. These are two different ways a vulnerability could potentially get into an organization. If Emotet is the way an adversary gained access into an organization, it can then be used to deploy a banking trojan, so something as dangerous as Trickbot.
Emotet is trojan from an adversary that CrowdStrike tracks called Mummy Spider, Trickbot is used by an adversary that CrowdStrike tracks called Wizard Spider, the most prolific eCrime adversary on the planet today. Once Trickbot is on the system, then the adversary can move laterally around the network, this is where the threat actors are looking for mission-critical data, they are going to steal the data once they find it, exfiltrate it and potentially use that in an extortion scheme. Once they finish exfiltrating data, they will deploy ransomware enterprise-wide, like Conti Ransomware by Wizard Spider.
Now the entire organization is locked up and disrupted, they are now faced with an unfortunate situation of deciding whether or not pay the ransom. If they pay the ransom, they might get the data back, but if they don’t pay the ransom, then the extortion scheme comes into play and the adversary is going to release that data online. This is an example of how an adversary conducts an attack. Particularly in reference to eCrime, it is often not just one adversary that’s conducting an entire attack, there are potentially three or four different adversaries involved.
Robust preparation and strategic thinking is instrumental in reducing risk, and organizations must integrate a managed threat hunting program to help stop sophisticated threats before they turn into breaches whilst also educating employees on how to be security conscious.
Best practices and Potential pitfalls in Threat Intel
Organizations that are successful with threat intelligence today can collect data about threats on a global scale and vet them against their internal systems and security controls. These organizations are taking all of that information and funnelling it into their intelligence program, converting data to security intelligence and then taking the right action.
Some of the best practices of threat intelligence are:
- Continuous monitoring of threat activities: Organisations need to collect threat intelligence continuously so that the IT and security teams stay up to date on potential threats and can adopt a more proactive approach.
- Take it slow: The best practice is taking the threat intelligence program slow and making sure that you are only consuming intelligence at the speed at which your organization is capable of consuming it. Don’t go too fast, otherwise, it is going to potentially cause unnecessary disruptions.
- Create an incident response plan: After successful identification of a threat and based on intelligence, organisations need to build an incident response plan and it should be included in the threat intelligence program to clearly defining the next steps to be taken to mitigate threats.
- Automation of threat intelligence implementation: Automating threat intelligence allows efficient scrutiny of data accurately, which helps the IT and security teams focus on higher priority tasks and determine the most appropriate response to the intelligence information that is gathered.
Some potential pitfalls in threat intelligence are:
- Unintentional blocking of own operations: While watching out for indicators of compromise, organisations can cause their own denial of service due to blocking of essential services and operations by mistake.
- Improper or Incomplete usage of threat intelligence: A danger with threat intelligence is that organisations gather intelligence but don’t know how to use it properly. Some security teams will base moves on bad intelligence; others risk-shifting their focus from one threat to another every day, based on news stories, and they won’t ever build a comprehensive program. The danger is it could result in a bad response to a real threat. It could also lead to a false sense of security from intelligence indicating that no threat exists when one does, and otherwise being lulled into the poor or ill-informed deployment of security resources. Another pitfall is when organisations don’t act upon the intelligence they receive.
- Employees’ expectation of zero attacks: Improper or underutilization of threat intelligence could result in a breach of security and occurrence of attacks, for which the employees are unprepared.
Crowdstrike’s Threat Intel Support for Organizations
At CrowdStrike, we support threat intelligence by offering prebuilt integrations and API access to our award-winning threat intelligence module, CrowdStrike Falcon X™. Falcon X helps organizations easily consume intelligence, take action, and maximize the impact of their intelligence investment. It provides context-enriched IOCs, threat reports, malware sandboxing, attribution and searchable malware repository.
CrowdStrike also offers integrations with industry-leading TIP vendors like ThreatQuotient, ThreatConnect and Anomali delivering actionable insights into the top threat actors, attack vectors and threat intelligence trends. The CrowdStrike Security Cloud correlates trillions of security events each day collected from millions of endpoints and cloud workloads around the globe. Using a combination of artificial intelligence as well as expert-driven human analysis, millions of real-time IOCs and thousands of intelligence reports are delivered to our customers annually.