Decoding threat intelligence

There is a scene in HBO's adaptation of Game of Thrones where a character counsels the king to dismiss the rising power of one of his rivals because "curiosities on the far side of the world" are no threat. A season later, that rival has three dragons and an army under her control.



In my travels and meetings with some 400 CISOs a year, I find there is much confusion around threat intelligence. Many organizations that need it do not have the foundational elements and maturity to consume the information and make it actionable. It's critical to know what intelligence is, what kind you need, and how to build the organization to consume it.

Understanding the nature of the threats to your enterprise may not involve swords and dragons, but one mistake can have dire consequences. It is for this reason the words "threat intelligence" have become associated with a growing number of security products and services.

The overuse of this term by vendors has caused its share of confusion in the marketplace. What is certain, however, is that identifying threat intelligence that is relevant to your business and applying it correctly can help you strengthen the security of your IT network.

So, let's start at the beginning and try to define some basics.

For starters, threat intelligence can be divided into three buckets: informational, reactive and predictive.

Informational threat intelligence includes data such as software vulnerabilities and threat indicators, for example blacklists of IP addresses associated with criminal activity. It also includes information regarding the 'who' and the 'how' of threat groups: what vulnerabilities they are targeting and who they are.

Reactive threat intelligence includes targeted intel such as what adversaries are after, and reports that your passwords or intellectual property have made their way online.

The final bucket, predictive threat intelligence, is reserved for information that can be used to forecast malicious activity, such as online posts discussing upcoming attacks and what types of intellectual property may be targeted.

The data filling these buckets can come from a variety of sources. For example, industry groups such as the National Health Information Sharing and Analysis Center (NH-ISAC) can be good sources of information about cybersecurity issues affecting the healthcare field. Information about attacks or groups targeting specific types of organizations can also be purchased from commercial vendors or gleaned from publicly accessible data feeds.


Some of the most critical information, however, comes from within your enterprise.

Without knowing what constitutes normal user activity, spotting anomalous behavior becomes impossible. Local threat intelligence can come from data gleaned during the investigation of an incident. In the aftermath of a breach, your organization's monitoring tools hold useful information that can be used to better understand how the attackers targeting your company operate. Likewise, any malware caught on the network can be analyzed to help prevent future attacks.

Tying internal and external threat intelligence together eliminates much of the noise when it comes time to analyze information, determine risk levels, and decide on your strategy for dealing with them. At its best, threat intelligence allows organizations to understand their own security posture and to build a profile of attackers and their activity.

That last part, threat activity, involves having a clear view of the various stages of an attack, known as the kill chain. An example of a kill chain would be reconnaissance, followed by the delivery of an exploit, pivoting around a network, and extracting information.

Disrupting any one of these phases can be the difference between a breach and a typical workday. In the event of an attack, the ability to correlate attack data about the kill chain with information from intelligence feeds can help enhance understanding of the business impacts of the breach and provide a framework for improving defenses.

As one can imagine, getting the data and operationalizing it are two different animals. Just recently, for example, cyber attackers were observed targeting a series of Internet Explorer and Adobe Flash Player vulnerabilities in attacks on the aerospace industry. With that type of intelligence, companies can assess how best to handle the situation and, if they are lucky, thwart the threat before it hits their network.

Are there computers in your environment running IE? Are there exploits being delivered via malicious sites that can be filtered? Is there any mitigation that can be put in place while Microsoft works on a permanent solution? What kind of data are the hackers after? Is it critical? Where is that data on my network?
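The questions above are what "operationalizing" a feed looks like in practice: join the external intelligence (targeted software, malicious domains, command-and-control addresses, the data being sought) against internal sources (asset inventory, proxy logs) and map each hit to a kill-chain phase so the most exposed hosts surface first. The script below is an added example, not part of the original article or any Accuvant tooling. The feed, inventory and proxy log lines are all constructed for illustration: the product names follow the article's IE/Flash example, but the versions, domains, the 203.0.113.45 address (from the documentation range) and the scoring weights are placeholders, not real indicators.

```python
"""Correlate a constructed threat-intel feed with constructed internal asset and proxy data."""
from collections import defaultdict

# Constructed external intelligence standing in for a vendor or ISAC feed.
# Versions, domains and the IP are placeholders, not real indicators.
INTEL_FEED = {
    "vulnerable_software": {
        "Internet Explorer": {"9", "10"},
        "Adobe Flash Player": {"14.0"},
    },
    "malicious_domains": {"update-cdn.bad.example", "stat-tracker.bad.example"},
    "c2_ips": {"203.0.113.45"},
    "targeted_data": {"engineering drawings"},
}

# Constructed internal asset inventory: what runs where, and what data lives there.
INVENTORY = {
    "eng-ws-01": {"software": {"Internet Explorer": "10", "Adobe Flash Player": "14.0"},
                  "data": {"engineering drawings"}},
    "eng-ws-02": {"software": {"Internet Explorer": "9"}, "data": {"engineering drawings"}},
    "fin-ws-07": {"software": {"Internet Explorer": "11"}, "data": set()},
}

# Constructed proxy log: timestamp, source host, destination, method, proxy action.
PROXY_LOG = """\
2014-07-01T09:12:03 eng-ws-01 update-cdn.bad.example GET allowed
2014-07-01T09:12:05 eng-ws-01 203.0.113.45 POST allowed
2014-07-01T09:20:11 fin-ws-07 intranet.corp.example GET allowed
2014-07-01T10:02:44 eng-ws-02 stat-tracker.bad.example GET blocked
"""


def exposed_software(inventory, feed):
    """Answer 'Are there computers running the targeted software?': host -> [(product, version)]."""
    exposed = defaultdict(list)
    for host, info in inventory.items():
        for product, version in info["software"].items():
            if version in feed["vulnerable_software"].get(product, set()):
                exposed[host].append((product, version))
    return dict(exposed)


def parse_proxy_log(text):
    """Parse the space-separated proxy format used above into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, method, action = line.split()
        records.append({"ts": ts, "host": host, "dest": dest, "method": method, "action": action})
    return records


def indicator_hits(records, feed):
    """Match proxy destinations against feed indicators and tag each hit with a kill-chain phase."""
    hits = []
    for r in records:
        if r["dest"] in feed["malicious_domains"]:
            hits.append({**r, "phase": "delivery"})          # exploit-serving site
        elif r["dest"] in feed["c2_ips"]:
            hits.append({**r, "phase": "command-and-control"})  # beaconing / exfil channel
    return hits


def prioritize(inventory, feed, log_text):
    """Combine exposure, observed indicator hits and data sensitivity into a per-host score.

    Weights are an assumption for illustration: +1 per vulnerable product, +3 per hit the
    proxy allowed, +1 per hit it blocked, +2 if the host holds data the feed says is targeted.
    """
    exposed = exposed_software(inventory, feed)
    hits = indicator_hits(parse_proxy_log(log_text), feed)
    report = {}
    for host, info in inventory.items():
        host_hits = [h for h in hits if h["host"] == host]
        holds_target = bool(info["data"] & feed["targeted_data"])
        score = (len(exposed.get(host, []))
                 + sum(3 if h["action"] == "allowed" else 1 for h in host_hits)
                 + (2 if holds_target else 0))
        report[host] = {
            "exposed": exposed.get(host, []),
            "phases_seen": sorted({h["phase"] for h in host_hits}),
            "holds_targeted_data": holds_target,
            "score": score,
        }
    # Highest score first: the hosts to isolate, patch or filter today.
    return dict(sorted(report.items(), key=lambda kv: kv[1]["score"], reverse=True))


if __name__ == "__main__":
    for host, r in prioritize(INVENTORY, INTEL_FEED, PROXY_LOG).items():
        print(f"{host:10} score={r['score']} exposed={r['exposed']} "
              f"phases={r['phases_seen']} targeted_data={r['holds_targeted_data']}")
```

On this data the engineering workstation that runs both targeted products, reached an exploit-serving domain and then posted to a command-and-control address ranks first; the host whose only contact was blocked by the proxy ranks second; the finance workstation on a non-targeted version ranks last. The same join works with a real feed and a real inventory, but the weights should be tuned to what the business actually values.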


Answering these types of questions moves your business along a security journey that begins in the hell of ad hoc approaches and ends at the nirvana of a business-aligned security program. It is not a simple path, and many CISOs get stuck along the way by building security approaches around meeting regulatory compliance demands, without threat intelligence ever coming into play. But it is only with those data feeds that organizations can move on to a security approach based on actual risk, which can then be put into a business context.

As the saying goes, information is power. The more you know about the threat landscape and what is happening on your network, the better able you will be to reduce risk by proactively limiting the attack surface for hackers.


Jason Clark is chief security and strategy officer at Accuvant.
