Threat Intelligence - Cyber Threat Monitoring - Kimmons Investigative Services, Inc.

What is Threat Intelligence?

The more complicated today’s organizational data systems, the higher the risk of cyber security breaches, and the greater the need for threat intelligence. As regards data systems, the threat intelligence expert(s) will implement systems and procedures to gather information concerning cyber threats. The data gathered will be analyzed, and the assessment will be used to detect, predict, mitigate, and counteract cyber threats. The goal is to counteract the threat before systems are compromised.

Far more than just antivirus software or installation of firewalls, threat intelligence involves determination of the scope of threats based on the organization’s systems and facilities. Threat sources, possible targets, and methods of attack are determined so that protective action can be taken.

It is the job of threat intelligence experts to constantly monitor the universe of possible threats and cybercriminal tactics, to monitor the organization’s systems for possible attacks, and to counteract them if discovered. The initial anaysis of an organization’s data systems will result in a report of possible threats, prioritization of them based on severity and liklihood, and recommendations for protective action.

Why is Threat Intelligence Monitoring Important?

A great way to illustrate the importance of threat intelligence monitoring is this list of 12 major data breaches in 2023:

January – Mailchimp: Social engineering attack on employees. Data of 133 business clients lost, including:

customers’ names
addresses
email addresses
store URLs

February – Activision: SMS Phishing attack on HR department employee. Data stolen:

was game information
employee information
sensitive company documents

March – ChatGPT: A bug was created by vulnerability in a data library. 1.2% of company’s Plus subsribers data lost, including:

names
email addresses
payment address
last four credit card digits
credit card expiration date

April – Shields Healthcare Group: Unsure of method, possible phishing attack. Impacted 56 facilities and 2.3 million clients. Data lost:

sensitive medical data
personal patient information

May – MOVEit: Exploited zero-day vulnerability. Impacted 60 million individuals in 1,000 organizations. Sensitive data lost:

governments
financial institutions
government agencies
military
healthcare institutions

June – JumpCloud: Spear-phishing data attack. Records lost and data leaked not disclosed, but possibly 180,000+ organizations involved.

July – Indonesian Immigration Directorate: Method not disclosed, but likely a hacking incident. 34.9 million records were lost with data including citizen passports and IDs from 2009 to 2020.

August – UK Electoral Commission: Malicious software evaded system protection. 40 million records were lost including names and addresses of local and overseas voters.

September – T-Mobile: Third party breach and malicious software. 89 gigabytes of up to 100 customers data lost. Data leaked:

names
email addresses
contacts
account balances
partial social security numbers
partial credit card details

October – 23andMe: Credential stuffing method using previously hacked usernames and passwords. More than 4 million customer records lost with data including:

display names
sex
birth years
genetic ancestry details

November – Idaho National Labratory: Hacking of a cloud-based human resources service provider. Hundreds of thousands of records of citizens, users, and employees. Data lost included:

marital status
healthcare details
social security numbers
bank account and routing numbers
account types of current and former employees

December – EasyPark: Investigation underway to determine method(s). Presumed loss of records of millions of users, number not yet disclosed. Data leaked:

surname
phone number
email
address
partial debit/credit card number

It is easy to see that even the largest and most sophisticated of organizations are vulnerable to cyber attacks. The TTPs, tactics, techniques, and procedures used by cybercriminals are constantly evolving. Three benefits of threat intelligence monitoring:

The enhancement of the organizations cybersecurity profile: An in-depth analysis of the organization’s systems to determine potential threats helps to improve cybersecurity defenses.
Development of proactive cybersecurity defenses: Threat intelligence assessment and monitoring allows for a proactive approach to prevention rather than a reactive handling of threats after occurrence.
Incident response time and resolution enhancement: Knowledge of potential threats coupled with better cybersecurity defense mechanisms results in faster detection of incidents, targeted responses, and minimization of damage.

Signs of Compromised Data Systems

Changes not authorized – An intruder could be indicated by unexpected changes to system settings or software.
Reboots and shutdowns that weren’t expected – Attempts at unauthorized access can trigger unexpected reboots or shutdowns.
Unusual outbound communication activity – This could indicate device activity communicating via unauthorized commands from another server.
An unexplained increasing number of failed attempts to log into the system – Brute force attacks can be signaled when this happens.
Unusual traffic on the network – Sudden increases in data usage can signal outside theft of data.
User activity outside the norm – This is especially telling when excess activity during normally slow periods is detected.
Suspicious incoming messages or emails – This can signal phishing attempts.

While these are the most common indicators of problems, there are others and threat intelligence systems are designed for detection and mitigation.

Threat Intelligence Categories

An organization’s cybersecurity strategy is comprised of different levels of response and decision-making. This creates a need to structure different categories of threat intelligence to allow a comprehensive approach to cybersecurity management.

Strategic

This is a big picture threat intelligence category that provides intelligence into major and longer term trends. Emerging cybersecurity threats are studied and tracked. The strategic approach helps organizations to understand the big cybersecurity picture and to plan a comprehensive and longterm strategy for cybersecurity protection.

Technical

Technical threat intelligence helps organizations through technology to quickly indentify and neutralize threats. Information is provided about malicious intrusions via monitoring of URLs, IP addresses, domains, and malware hashes. Using technology threat intelligence helps to spot and mitigate threats.

Tactical

This category of threat intelligence deals with tools and processes used by cybercriminals. Information is gathered through monitoring systems and presented to management. Often new phishing techniques or malware are uncovered tactically. Keeping the organization up to date on the evolution of cyber threats allows them to adapt and update procedures and systems for new threats.

Operational

Operational threat intelligence delves deeper into procedures, tactics and techniques used by cybercriminals. This gives organizations better insight into cybercriminal methods to help organizations to set up and adapt their defensive systems.

Steps in the Threat Intelligence Process

Just knowing about cyber threats isn’t enough. There must be a process to take that knowledge and gathered intelligence and using it to generate corrective action.

1. Planning and Advisory

The organization outlines their data systems’ parameters and their needs for protecting the data from cyber threats. This information is provided to threat intelligence experts who use it to begin collection of information and data to set out a cyber threat protection plan.

2. Data Collection

Collection of data is both internal to the organization and external to determine global threat probabilities. Data sources for collection can include:

organization data servers and procedures
internal network logs
social media
open sources
third party connections
dark web

The collected data is compiled for the next step.

3. Pre-Analysis Processing

The different formats of compiled data are converted into formats usable for analysis. This can involve decrypting data and language translation. The converted data is compiled and organized in databases for analysis.

4. Analysis

Once the data is processed and organized, the analysis process starts to detect trends, patterns, or anomolies. The analysis process seeks to attempt identification of possible or probable cyber criminals, determine their goals, tactics, and threats they present or may present in the future.

5. Organization Integration and Information Dissemination

Information, data, intelligence and activities included in this step can be:

briefings
periodic information bulletins
alerts
threat intelligence reports

The recipients include stakeholders, security personnel, and decision-makers.

6. Organizational Feedback

Feedback from stakeholders and decision-makers helps treat intelligence personnel to refine and improve processes and reporting. It also helps in planning for future intelligence activities.

7. Forward Action

Threat intelligence coupled with organizational feedback sets out the actionable items to reduce cyber risks. Improvements and modifications to data systems and operational policies are undertaken to reach the desired goal of the highest level of cyber threat protection possible.

Threat Intelligence Bottom Line

As can be seen from the information presented here, threats and real-life data losses, it is clear that planning and implementation of a well-designed cyber threat protection process is critical to organization success and even survival. Businesses, large or small, all need some sort of data protection, whether minimal or extremely detailed. Consider consulting an expert at threat intelligence, such as Mitch Price, with experience managing programs for Fortune 500 companies.