Changing the game on cyber intelligence
Many enterprises rely too heavily on reactive responses to cyber threats. Rather than preparing in advance and anticipating an attack most businesses try and fight back only when it happens but what they don’t realise is if the attack has landed then they have already lost. Here are three tasks all enterprises should undertake in order to get smarter about cybersecurity.
Driven by digital innovation, business operations have undergone a fundamental transformation over the past decade. And as businesses have moved forward, the fundamentals of cybersecurity have followed behind: What are the weak points in my security strategy? Who are the main threats to my operations? Where am I at risk of compromise? As the shift to a digital marketplace has gathered speed, so has the potential for exposure and the price of failing to secure key assets. The Internet of Things (IoT) is of particular concern in this sense, as it threatens to broaden attack surfaces across the board, especially in the industrial space.
Despite an ever-evolving threat landscape, many organisations remain fundamentally reactive, responding at the point of compromise rather than leveraging real-time intelligence to profile threats as they develop. This is unsustainable. By 2020 it is expected that 25% of cyberattacks will target IoT devices, many of which will be deployed across critical industrial environments. Data breaches have also increased year on year, and the total cost of cybercrime is set to exceed $6 trillion per annum by 2021. The time has come for the old approach to change. The requisite experience, knowledge and solutions now exist for cyber threat intelligence to ‘change the game’. Here’s how:
Shift the mindset and expand the viewpoint
The first step is to switch from a reactive stance to a proactive approach. Playing catch-up is always a sub-optimal outcome, not least because it leaves barely any resources for planning, meaning that the next big problem is often a surprise. To build on an existing security posture it’s vital to stay up-to-date, profile potential threats and evolve processes and strategies pre-emptively. While cyber vendors are often questioned and tested on their ability to deliver ‘actionable intelligence’, the reality is that many organisations don’t have any processes in place to action intelligence. Evolving intelligence needs cannot be met by the important but insufficient practice of simply adding malicious IP-addresses and other indicators of compromise to a SIEM-system or a TIP. The need for a more holistic approach to threat intelligence, beyond the technical parameters, is widely accepted, yet the traditional IT security industry is struggling to meet demand because they have hardly any experience speaking to the “why?” behind an attack. Finding unstructured insights in social media, paste sites, forums and similar sources from both the surface web and deep/dark web requires companies to turn to different intelligence solutions that are complementary to their existing threat intelligence tools.
Use the data that’s there
Excluding certain, specialised sources, access to data has never been easier. From a security perspective this is both a good thing and a serious concern. An openly available report on a vulnerability today could be leveraged to create the exploit of choice tomorrow, while a single, misplaced password or private key can lead to a devastating breach and huge losses. There is, however, also great potential for spotting emergent threats and transcending the catch-up game that consumes the time of analysts and researchers. The key is to recognise that intelligence is as likely to come from soft data as it is from structured threat information. Making the most of open sources involves processing the data, understanding its relevance to a certain use-case, and then acting on those findings before others do.
Support human analysis with automation
A 2018 SANS survey on the use of cyber threat intelligence noted that, as expected, most organisations are using a wide variety of external data sources, including public feeds, information sharing groups and security vendor reporting. More and more organisations are also recognising that broad attacker trends (76%) and information on vulnerability exploitation (79%) are essential for maintaining situational awareness. However, much of the analysis and intelligence ‘fusion’ taking place is still done manually, with a shortage of skills acting as a major impediment to properly utilising cyber threat intelligence. IOC feeds aren’t enough anymore; if the problem is context, the solution is people, and automation, because collecting, processing and reporting on the amount of data in question is simply not human-scalable. Especially when it needs to be done at pace. Furthermore, not all organisations are looking for the same kind of intelligence. In our modern, interconnected world, cybersecurity concerns blend seamlessly into reputational risk and physical security. With no one-size-fits all solution, customisability is king and analysts need a tool that allows them to decide what kind of intelligence will enhance and protect their businesses.
This is what we mean by "changing the game"; altering an existing approach, based on appropriate investment in available technology and utilisation of existing resources. Intelligence platforms do the heavy lifting required to process, slice and visualise massive quantities of data in short order, allowing analysts to create contextually relevant and timely intelligence on a case-by-case basis. The truth is that cyber threats cannot be eliminated - but they can be mitigated, provided that the information is out there, and someone is looking.