How Can You Identify an Attack and Predict the Next Move? It Takes Relevant Threat Intelligence

What is threat intelligence? Simply put, it’s evidence-based knowledge about a cyber menace that can help inform your team’s response. The best threat intelligence includes context, mechanisms, indicators, implications, and actionable advice. Yet despite it being an easy-to-grasp concept, threat intelligence is one of the most widely misunderstood aspects of cybersecurity today.

Many people don’t understand the distinction between different aspects and types of threat intelligence. This means they’re missing out on how valuable it can be in preventing attackers from wreaking extensive damage.

The result is a dangerous delay in attack detection and potential response. A recent survey from the Anomali Threat Research team and Harris Poll of 800 cybersecurity decision makers shows that, on average, enterprises take several days to detect known cyberattacks. For example, it takes 2.9 days to detect attacks from nation states and 3.6 days to detect attacks from cybercriminal organizations.

To understand this delay and how relevant threat intelligence can help, let’s start with an analogy.

Alarms can tell you something happened.

Organizations can treat cybersecurity like a homeowner treats home security, installing an alarm to protect the house from break-ins. Assuming the sensor is activated, the alarm goes off once someone breaks in. Hopefully, the police arrive in time to arrest the thief. However, the homeowner is left to repair the damages—and, of course, there’s the risk that the police don’t arrive in time or that the thief knows a way around the sensor.

The point is that the alarm doesn’t enable the homeowner to prevent a specific break-in. Instead it helps to mitigate the damage once a break-in occurs.

In the cybersecurity world, this is similar to security controls that issue an alarm if they recognize that a cyberattack is happening. If the organization is lucky, it can then quickly respond to block the attacker and limit further damage—but who wants to depend on luck when it comes to cybersecurity?

Threat intelligence tells you something is about to happen.

Now think about what takes place before a home break-in. Would-be burglars often conduct reconnaissance, driving through the neighborhood to see which homes have alarms. They might ring the doorbell to make sure no one is home. A smart doorbell could capture this video. Correlating this video with other security feeds from the street could show that the same person has been conducting reconnaissance and is likely to attempt a break-in.

With knowledge of an impending break-in, the homeowner or a group of homeowners could take steps to prevent it. They could invest in private security patrols, start a neighborhood watch program, or provide police with information that points to the perpetrators.

That’s the value of relevant threat intelligence. You can identify bad actors and behaviors ahead of a damaging attack, predict what will happen, and take preventive action. Here are some questions that relevant threat intelligence can answer:

• Who are my adversaries and how might they attack me?
• How do attack vectors affect the security of my company?
• What should my security operations teams be watching for?
• How can I reduce the risk of a cyber attack against my company?

With relevant threat intelligence, security teams get the context needed to prevent attacks and address threats rapidly and effectively.

What if the problem is too much threat intelligence?   

Unlike the homeowner in our analogy, an enterprise faces huge amounts of information about potential threats. There are billions of malicious IP addresses at any point in time and tens of billions of events happening on the network. It’s a continuously evolving, enormous data set.  

That’s not all an enterprise needs to think about, either. What about the servers on your network? Which ones have been touched by threats, are misconfigured, or are vulnerable to a new threat? Can your team continuously compare a billion data points to answer these questions? Not likely.

Big data analytics can hone your focus on relevant threat intelligence.

To make threat intelligence relevant and actionable, you need a big data solution. This automates the process of collecting and analyzing internal and external threat information and intelligence, including indicators of compromise (IOCs), observed behaviors, adversary knowledge, and threat models.

By automatically analyzing and transforming threat intelligence, the right solution helps security teams quickly understand threats, determine impact, and respond quickly—like the savvy homeowner who recognizes reconnaissance and takes steps to prevent a break-in.

Now that you better understand threat intelligence, how can you use it to improve your security operations? Watch the webinar “Climbing the Threat Intelligence Maturity Curve” to get helpful, real-world insights.

Anomali

President Before becoming President at Anomali, Hugh served as CTO and EVP of Research and Development at ArcSight, which he co-founded in 2000. He led product development, information technology deployment, and product research at ArcSight, and expanded these responsibilities to lead all engineering and R&D efforts for HP’s Enterprise Security Products group. Prior to ArcSight, Hugh worked as the CTO at Verity leading product development, and he was a software engineer at Apple where he was one of the key architects behind the Data Access Language (DAL). Hugh was also honored with the Northern California Ernst & Young LLP Entrepreneur of The Year award in 2010.