Threat intelligence has long been a tool in the armory of data defenders, used to detect risks and gain insight into the threats that exist across a network – providing the intel required to address issues and achieve the goal of improving security and resiliency.
However, with the proliferation of digital transformation bringing about a surge in the use of complex cloud environments, BYOD, maturing attack vectors and, more recently, the huge shift to mass remote working, the modern attack surface is now so vast that many question whether traditional threat detection methods are suitable for the current landscape.
Therefore, it is becoming ever more common for organizations to invest in newer, more effective and holistic cyber-threat detection and intelligence, utilizing methods that are more attuned to the modern threat landscape.
Intelligence firm NetEnrich is a company that seeks to aid companies in that regard and recently announced the launch of a new threat and attack surface intelligence offering. The two new products, Knowledge Now (KNOW), a free global threat intelligence tool, and Attack Surface Intelligence (ASI), combine to deliver context for proactive responses to known and emerging cyber-threats.
With NetEnrich being a firm specializing in the threat intelligence space, Infosecurity recently spoke to its CISO and head of security strategy Brandon Hoffman to learn more about the importance and mechanics of implementing threat intelligence strategies designed for the modern risk landscape.
What is the importance of effective, modern threat intelligence, particularly in the current threat landscape?
Effective threat intelligence has always been exceedingly important, although discounted in the past, and ever more so in the current landscape. Being in the modern time, we like to think that the threat intelligence we have now is effective although we may find in the future, looking back, it was rudimentary. Modern threat intelligence provides unique insights into adversary activity and tactics beyond traditional threat intelligence.
Having an understanding of the attacker’s motivation and intent is at least as important as understanding their technique or tools. Simply understanding the tools or technical details does not help assess risk in a complete way, nor does it help prioritize the application of controls. An interesting extension of thought around modern threat intelligence is whether or not this intelligence is a function of the researchers developing methods, skills and technology, or if it is a function of the attackers’ goals and organizational structures changing over the years.
Why are traditional threat intelligence and internal telemetry often superficial and fail to show the riskiest parts of modern infrastructure?
Traditional threat intelligence, should we call it that, was focused almost completely on technical elements – telemetry and indicators being the big two. Unfortunately, this is a very reactive approach and indeed does leave much to be desired. From a risk perspective, it provides almost no consideration of the attacker’s perspective. Looking at what is happening inside the organization is important, of course. However, the issue is already well along the way. Repositioning your view from the attacker’s perspective provides a lens to assess risk in a more complete way by pairing the external view with the internal view.
Furthermore, indicators and network flows do not show intent. This lends itself to being superficial in the sense that you are not understanding the problem in its fullest depth. Just like a parent with a misbehaving child: seeing and correcting the bad behavior is important, but understanding why the bad behavior is happening is more important for future resolution.
How can automation strengthen modern threat intelligence approaches?
Machines and automation, applied correctly, can always provide some measure of coverage in a skills gap situation. In security, we are consistently plagued with a skills shortage. This manifests itself in two main areas. The first is that there simply are not enough skilled people to perform the tasks. The second is that the lower skilled people are so inundated with mundane tasks they don’t have an opportunity to ‘skill up’ and so, they burn out. We can see that automated threat intelligence, and automation in general, can help solve this problem by offloading the tasks that are easy for machines but hard for humans. Some examples of this include de-duplication across overlapping threat feeds (overlap analysis), correlation of findings to meaningful focused sets of intelligence and automated prioritization of issues based on succinct data elements in the threat intel. This actually drives resolution to both talent shortage areas. It frees up time for lower skilled workers to level up, thereby creating a more skilled workforce at large.
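As an added illustration of the overlap analysis and automated prioritization Hoffman describes (example code written for this page, not NetEnrich's KNOW or ASI products): three constructed feeds with placeholder indicators are normalized, de-duplicated, and ranked by a score that weights each indicator's best reported confidence by how many feeds agree on it. The feed contents, tag weights and scoring formula are all assumptions made for the example.

```python
# Constructed sample feeds. Values are documentation/test ranges, not real IoCs.
# Note the same domain appears in all three feeds with different casing and
# a trailing dot, which naive string matching would treat as three findings.
FEEDS = {
    "feed_a": [
        {"type": "domain", "value": "Example-Bad.TEST.", "confidence": 80, "tags": ["phishing"]},
        {"type": "ipv4", "value": "192.0.2.10", "confidence": 60, "tags": ["c2"]},
    ],
    "feed_b": [
        {"type": "domain", "value": "example-bad.test", "confidence": 70, "tags": ["malware"]},
        {"type": "ipv4", "value": "192.0.2.10", "confidence": 90, "tags": ["c2", "scanner"]},
        {"type": "ipv4", "value": "198.51.100.7", "confidence": 30, "tags": []},
    ],
    "feed_c": [
        {"type": "domain", "value": "EXAMPLE-BAD.test", "confidence": 95, "tags": ["phishing"]},
    ],
}

# Assumed weights: how much a tag raises priority on its own.
TAG_WEIGHT = {"c2": 30, "phishing": 20, "malware": 20, "scanner": 5}


def normalize(ind_type, value):
    """Canonical key so the same indicator from different feeds collapses to one."""
    v = value.strip().lower()
    if ind_type == "domain":
        v = v.rstrip(".")  # drop trailing root dot from FQDN-style entries
    return (ind_type, v)


def merge_feeds(feeds):
    """De-duplicate across feeds, recording which feeds reported each indicator."""
    merged = {}
    for feed_name, records in feeds.items():
        for rec in records:
            key = normalize(rec["type"], rec["value"])
            entry = merged.setdefault(key, {"sources": set(), "max_confidence": 0, "tags": set()})
            entry["sources"].add(feed_name)
            entry["max_confidence"] = max(entry["max_confidence"], rec["confidence"])
            entry["tags"].update(rec["tags"])
    return merged


def score(entry, total_feeds):
    """Confidence scaled by feed overlap (50% floor), plus the strongest tag bonus."""
    overlap = len(entry["sources"]) / total_feeds
    tag_bonus = max((TAG_WEIGHT.get(t, 0) for t in entry["tags"]), default=0)
    return round(entry["max_confidence"] * (0.5 + 0.5 * overlap) + tag_bonus, 1)


def prioritize(feeds):
    """Return (indicator, score, sources) tuples, highest priority first."""
    merged = merge_feeds(feeds)
    ranked = [(key, score(e, len(feeds)), sorted(e["sources"])) for key, e in merged.items()]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked
```

Running `prioritize(FEEDS)` collapses the five raw records to three indicators and puts the domain seen by all three feeds first.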