sb-eu logo
Story image

Leveraging cyber threat intelligence to benefit security posture

07 May 2019

Over the last year, cyber threat intelligence (CTI) community has been growing and diversifying; as a result, the way threat intelligence is being used has also evolved. However, a survey conducted by SANS, sponsored by ThreatQuotient, recently revealed that 1 out of 5 companies are still unsure of CTI’s value to their organisation.

CTI analyses information about the intent, capabilities and opportunities of adversaries in cyberspace. It is a valuable resource for organisations and individuals serving in roles that require preparation for the wide range of threats that their organisation is facing. To help organisations realise the value of CTI, here is a list of benefits this resource can bring:

Tracking threat behaviours

Security organisations tend to consider intelligence as an indicator feed. They’re not wrong, but CTI can offer so much more value than that. Not only does it help to enrich alerts with technical details about specific attacks and campaigns, it is also a source of information around threat behaviours and adversary TTPs.

Encouragingly, 27% of the SANS survey’s respondents perceived this as the greatest value to their threat detection and response. As organisations become more familiar with threat behaviours, adversary TTPs and how to leverage them, these figures will certainly continue to rise. 

Another way to leverage CTI is to classify and share adversary behaviours across organisations, for example through utilising a framework like MITRE ATTA&CK. These frameworks help organisations to track the types of threat behaviours that are active within their industry, allows them to have a better collaboration process and subsequentially prioritise actions that must be undertaken across architecture, security operation and response functions.

Identify digital footprint or attack surface identification

Organisations can also take advantage of this intelligence by identifying digital footprint or attack surface identification. This means that they are able to have a clear overview of all their external assets accessible from the internet, as well as assets that can be attacked and compromised by attackers.

Eventually, being aware of these, combined with adversary TTPs, helps prioritise which threats and/or vulnerabilities should be taken care of.
It comes as no surprise therefore that 81% organisations have seen their security and response improve since they started producing or leveraging CTI.

For those organisations who are unsure about the impact of CTI on their security and response, they should consider, and measure, the average resolution time of security incidents when CTI analysts participate and compare to those times to when they didn’t. This would help them to appreciate how much it has enriched the understanding of security incidents and response but also the process, allowing to resolve issues quicker.

Find a sharing partnership that will benefit your organisation

In recent years, there has been growing interest in collaborating and sharing information amongst security teams. As a result of this trend, multiple solutions have emerged providing organisations with the right tools to tackle cyber threats such as threat library, endpoint detection and penetration testing.

Beyond the data being shared, information sharing programmes have a wide range of benefits. From point-of-contacts to advocacy for security and best practices, participating in an information-sharing group provides a secure and confidential environment for organisations to increase situational awareness and reduce the impact on organisations.

Collaborate with governments and ISACs

We mention collaboration above, and CTI shows even more value as it isn’t limited to the private sector.  Indeed, security teams also have the opportunity to share their intelligence and collaborate with their peers in the government and other public entities.

Collaboration with the latter can be done through an Information Sharing and Analysis Centre (ISAC) - a non-profit organisation providing a central resource to gather information related to cyber threats to critical infrastructure. Such centre is based on a two-way sharing of information between the private and public sector.

Surprisingly, the SANS survey revealed that this smart way to make the most of the intelligence and better defend against threat has only seduced 40% of organisations. The biggest value propositions of CTI coming from governments and ISACs perceived by these were the timely and relevant threat information, points of contact at member organisations and advocacy in the community for security.

If ISACs enable a development of the expertise around threat intelligence, governments are in a good position too to bring the community together and support collaboration across industries; and organisations seem to be more reliant on it with 51% of the SANS survey’s participants taking advantage of this data source.

A growing interest from the public sector

Whilst sources of government CTI are multiplying, only half of the community is actually taking advantage of it. Yet, governments have matured their own understanding of private sector cyber threats over the last years. They can now give additional context and track adversary behaviours including their tactics, techniques and procedures (TTPs), and don’t have to only rely on indicators of compromise (IoCs) anymore.

The problem with IoCs is that they gained lot of attention on the market even though they simply indicate computer intrusions. In a nutshell, they tend to be too generic to provide long-term and strategic intelligence value.
These are only few benefits organisations can get by leveraging CTI, but as the intelligence is growing to include TTPs, threat behaviours, attack surface awareness and strategic assessments, so is the maturity of the CTI process itself.  

Organisations are increasingly developing intelligence requirements, producing, consuming and sharing intelligence. Moving forward as a community, information sharing is the key to benefit organisations’ security posture. 

Story image
11 new orgs join fight against insidious Stalkerware
Founded last year, the Coalition Against Stalkerware brings together cybersecurity vendors, domestic violence organisations, and digital rights advocates.More
Story image
FireEye unveils Cloudvisory: A multicloud security control centre
FireEye has announced the availability of FireEye Cloudvisory - a control centre for cloud security management across any private, public or hybrid security environment.More
Story image
Five wine-tasting tips that should be applied to network security
What does network visibility really mean? Much like a blind wine tasting, we need to keep an open mind and trust what data is telling us without being biased by previous results.More
Story image
ExtraHop brings SaaS network detection and response solution to market
"Reveal(x) 360 is the culmination of a multi-year R&D investment to secure data centre, remote sites, and cloud workloads with frictionless deployment and actionable insights that can be securely accessed from anywhere.”More
Story image
Months on, many organisations still don't have secure remote access - report
The report analyses the extent to which businesses were prepared for the sudden shift into remote working due to COVID-19 restrictions, and analyses how organisations have adjusted to support remote workers amidst the COVID-19 pandemic. More
Story image
Google most popular brand to impersonate in phishing campaigns - report
A new report from Barracuda released today shows 100,000 attacks impersonating reputable brands, with 65% of this figure using Google as a masquerade.More