What is Threat Intelligence?
The more complicated today’s organizational data systems become, the higher the risk of cyber security breaches, and the greater the need for threat intelligence. Threat intelligence experts implement systems and procedures to gather information about cyber threats to those data systems. The data gathered is analyzed, and the assessment is used to detect, predict, mitigate, and counteract cyber threats. The goal is to counteract the threat before systems are compromised.
Far more than just antivirus software or installation of firewalls, threat intelligence involves determination of the scope of threats based on the organization’s systems and facilities. Threat sources, possible targets, and methods of attack are determined so that protective action can be taken.
It is the job of threat intelligence experts to constantly monitor the universe of possible threats and cybercriminal tactics, to monitor the organization’s systems for possible attacks, and to counteract them if discovered. The initial analysis of an organization’s data systems will result in a report of possible threats, prioritization of them based on severity and likelihood, and recommendations for protective action.
Why is Threat Intelligence Monitoring Important?
A great way to illustrate the importance of threat intelligence monitoring is this list of 12 major data breaches in 2023:
January – Mailchimp: Social engineering attack on employees. Data of 133 business clients lost, including:
- customers’ names
- addresses
- email addresses
- store URLs
February – Activision: SMS phishing attack on HR department employee. Data stolen:
- game information
- employee information
- sensitive company documents
March – ChatGPT: A bug caused by a vulnerability in a data library. Data of 1.2% of the company’s Plus subscribers lost, including:
- names
- email addresses
- payment address
- last four credit card digits
- credit card expiration date
April – Shields Healthcare Group: Unsure of method, possible phishing attack. Impacted 56 facilities and 2.3 million clients. Data lost:
- sensitive medical data
- personal patient information
May – MOVEit: Exploited zero-day vulnerability. Impacted 60 million individuals in 1,000 organizations. Sensitive data lost from:
- governments
- financial institutions
- government agencies
- military
- healthcare institutions
June – JumpCloud: Spear-phishing data attack. Records lost and data leaked not disclosed, but possibly 180,000+ organizations involved.
July – Indonesian Immigration Directorate: Method not disclosed, but likely a hacking incident. 34.9 million records were lost with data including citizen passports and IDs from 2009 to 2020.
August – UK Electoral Commission: Malicious software evaded system protection. 40 million records were lost including names and addresses of local and overseas voters.
September – T-Mobile: Third-party breach and malicious software. 89 gigabytes of data belonging to up to 100 customers lost. Data leaked:
- names
- email addresses
- contacts
- account balances
- partial social security numbers
- partial credit card details
October – 23andMe: Credential stuffing method using previously hacked usernames and passwords. More than 4 million customer records lost with data including:
- display names
- sex
- birth years
- genetic ancestry details
November – Idaho National Laboratory: Hacking of a cloud-based human resources service provider. Hundreds of thousands of records of citizens, users, and employees. Data lost included:
- marital status
- healthcare details
- social security numbers
- bank account and routing numbers
- account types of current and former employees
December – EasyPark: Investigation underway to determine method(s). Presumed loss of records of millions of users, number not yet disclosed. Data leaked:
- surname
- phone number
- address
- partial debit/credit card number
It is easy to see that even the largest and most sophisticated organizations are vulnerable to cyber attacks. The TTPs (tactics, techniques, and procedures) used by cybercriminals are constantly evolving. Three benefits of threat intelligence monitoring:
- Enhancement of the organization’s cybersecurity profile: An in-depth analysis of the organization’s systems to determine potential threats helps to improve cybersecurity defenses.
- Development of proactive cybersecurity defenses: Threat intelligence assessment and monitoring allows for a proactive approach to prevention rather than a reactive handling of threats after occurrence.
- Incident response time and resolution enhancement: Knowledge of potential threats coupled with better cybersecurity defense mechanisms results in faster detection of incidents, targeted responses, and minimization of damage.
Signs of Compromised Data Systems
- Changes not authorized – An intruder could be indicated by unexpected changes to system settings or software.
- Reboots and shutdowns that weren’t expected – Attempts at unauthorized access can trigger unexpected reboots or shutdowns.
- Unusual outbound communication activity – This can indicate a device receiving and acting on commands from an unauthorized external server.
- An unexplained increasing number of failed attempts to log into the system – Brute force attacks can be signaled when this happens.
- Unusual traffic on the network – Sudden increases in data usage can signal outside theft of data.
- User activity outside the norm – This is especially telling when excess activity during normally slow periods is detected.
- Suspicious incoming messages or emails – This can signal phishing attempts.
While these are the most common indicators of problems, there are others, and threat intelligence systems are designed to detect and mitigate them.
Threat Intelligence Categories
An organization’s cybersecurity strategy comprises different levels of response and decision-making. This creates a need to structure different categories of threat intelligence to allow a comprehensive approach to cybersecurity management.
Strategic
This is a big-picture threat intelligence category that provides intelligence on major and longer-term trends. Emerging cybersecurity threats are studied and tracked. The strategic approach helps organizations to understand the big cybersecurity picture and to plan a comprehensive, long-term strategy for cybersecurity protection.
Technical
Technical threat intelligence helps organizations use technology to quickly identify and neutralize threats. Information about malicious intrusions is provided through monitoring of URLs, IP addresses, domains, and malware hashes. Used this way, technical threat intelligence helps to spot and mitigate threats.
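As an added example (not part of the original article), the following Python turns two of the points above into detection logic: the failed-login indicator from the "Signs of Compromised Data Systems" list, and the IP-address monitoring that technical threat intelligence provides. The syslog-like line format, the sample log lines, and the indicator list are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth/firewall log lines; the format is an assumption, not a real product's.
SAMPLE_LOGS = """\
2023-11-02T08:00:01 sshd: Failed password for admin from 198.51.100.7
2023-11-02T08:00:03 sshd: Failed password for admin from 198.51.100.7
2023-11-02T08:00:04 sshd: Failed password for root from 198.51.100.7
2023-11-02T08:00:06 sshd: Failed password for admin from 198.51.100.7
2023-11-02T08:00:07 sshd: Failed password for guest from 198.51.100.7
2023-11-02T08:00:09 sshd: Failed password for alice from 203.0.113.5
2023-11-02T08:15:00 sshd: Accepted password for alice from 203.0.113.5
2023-11-02T08:16:42 fw: OUT 10.0.0.12 -> 192.0.2.44:443
2023-11-02T08:17:01 fw: OUT 10.0.0.12 -> 198.51.100.200:8443
"""

# Constructed indicator feed: the kind of IP list technical threat intelligence supplies.
KNOWN_BAD_IPS = {"198.51.100.200", "192.0.2.250"}

FAILED_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")
OUT_RE = re.compile(r"^(\S+) fw: OUT (\S+) -> (\S+):(\d+)$")


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: count} for sources with >= threshold failed logins inside one window."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            times[m.group(3)].append(datetime.fromisoformat(m.group(1)))
    hits = {}
    for ip, stamps in times.items():
        stamps.sort()
        j = 0  # sliding window: advance j while stamps[j] is within `window` of stamps[i]
        for i in range(len(stamps)):
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i >= threshold:
                hits[ip] = max(hits.get(ip, 0), j - i)
    return hits


def match_outbound_iocs(log_text, bad_ips):
    """Return (timestamp, src, dst) for outbound connections whose destination is on the indicator list."""
    matches = []
    for line in log_text.splitlines():
        m = OUT_RE.match(line)
        if m and m.group(3) in bad_ips:
            matches.append((m.group(1), m.group(2), m.group(3)))
    return matches
```

With the sample data, only 198.51.100.7 crosses the five-failures-per-minute threshold, and only the 198.51.100.200 connection matches the indicator list; tuning the threshold and window to the organization's normal login patterns is what keeps the failed-login signal from drowning in noise.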
Tactical
This category of threat intelligence deals with tools and processes used by cybercriminals. Information is gathered through monitoring systems and presented to management. Often new phishing techniques or malware are uncovered tactically. Keeping the organization up to date on the evolution of cyber threats allows them to adapt and update procedures and systems for new threats.
Operational
Operational threat intelligence delves deeper into procedures, tactics and techniques used by cybercriminals. This gives organizations better insight into cybercriminal methods to help organizations to set up and adapt their defensive systems.
Steps in the Threat Intelligence Process
Just knowing about cyber threats isn’t enough. There must be a process to take that knowledge and gathered intelligence and use it to generate corrective action.
1. Planning and Advisory
The organization outlines their data systems’ parameters and their needs for protecting the data from cyber threats. This information is provided to threat intelligence experts who use it to begin collection of information and data to set out a cyber threat protection plan.
2. Data Collection
Collection of data is both internal to the organization and external to determine global threat probabilities. Data sources for collection can include:
- organization data servers and procedures
- internal network logs
- social media
- open sources
- third party connections
- dark web
The collected data is compiled for the next step.
3. Pre-Analysis Processing
The different formats of compiled data are converted into formats usable for analysis. This can involve decrypting data and language translation. The converted data is compiled and organized in databases for analysis.
4. Analysis
Once the data is processed and organized, the analysis process starts to detect trends, patterns, or anomalies. The analysis seeks to identify possible or probable cyber criminals and to determine their goals, tactics, and the threats they present or may present in the future.
5. Organization Integration and Information Dissemination
Information, data, intelligence and activities included in this step can be:
- briefings
- periodic information bulletins
- alerts
- threat intelligence reports
The recipients include stakeholders, security personnel, and decision-makers.
6. Organizational Feedback
Feedback from stakeholders and decision-makers helps threat intelligence personnel to refine and improve processes and reporting. It also helps in planning for future intelligence activities.
7. Forward Action
Threat intelligence coupled with organizational feedback sets out the actionable items to reduce cyber risks. Improvements and modifications to data systems and operational policies are undertaken to reach the desired goal of the highest level of cyber threat protection possible.
Threat Intelligence Bottom Line
As the threats and real-life data losses presented here show, planning and implementation of a well-designed cyber threat protection process is critical to organizational success and even survival. Businesses, large or small, all need some sort of data protection, whether minimal or extremely detailed. Consider consulting an expert at threat intelligence, such as Mitch Price, with experience managing programs for Fortune 500 companies.