
Elevating cyber-security: the crucial role of threat intelligence


Brett Candon at Cyware explores the role of threat intelligence in cyber-security


In recent years, threat intelligence has become a must-have component of the cyber-security strategies of organisations worldwide. NIST (SP 800-150) defines it as “threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes,” and it plays a vital role in helping security teams defend proactively against cyber-attacks.


To help organisations understand the latest tactics, techniques and procedures (TTPs) used by threat actors, threat intelligence relies heavily on indicators of compromise (IOCs): the observable evidence that a security incident leaves behind. IOCs come in a variety of forms, from file hashes and network-based indicators such as IP addresses, domains and URLs to unusual or suspicious behavioural patterns in system activity.


When IOCs are used to drive threat detection and response, security teams gain earlier detection, faster investigation and the ability to respond in near real time. Integrating IOCs into security controls such as firewalls, web proxies, DNS resolvers and endpoint agents also blocks known malicious activity proactively, stopping attacks before they cause damage.


In addition, sharing IOCs facilitates collaborative defence across teams and communities, helping security teams gain visibility into attacks and rapidly mitigate risk.


Going beyond IOCs: the need for deeper analysis

One barrier to effective implementation of a threat intelligence strategy is that many security teams limit their approach to processing indicators, with no further analysis. The assumption is that ingesting and matching indicators alone reduces cyber-risk; in reality, teams need to go further so that they can prioritise their investigation and response more effectively.


In practical terms, therefore, effective threat intelligence is more than gathering external IOCs and processing them indiscriminately. It hinges on operationalisation, all the way from ingestion to action. For example, because the intelligence fed into the SOC often isn’t contextualised in a meaningful way, teams commonly miss the insight already available in their existing monitoring and detection systems.

That internal telemetry, anything from user behaviour and system logs to network traffic, is what turns an external indicator into a verified sighting inside the organisation, and it contributes significantly to a threat intelligence process that gives much better all-round visibility of the risks actually faced.


Clearly, the more intelligence sources and analysis being carried out, the greater the overall levels of complexity facing busy SOC teams. In this context, automated threat intelligence platforms (TIPs) can empower security professionals to deal with the volume of internal and external indicators with greater speed, efficiency and accuracy than would otherwise be practical.


Automation in action: enhancing threat detection and response

Take IOC correlation, for example. Raw IOC data is highly likely to contain a significant proportion of false positives and noise: stale indicators, shared infrastructure such as CDN or cloud-provider address ranges, and entries copied between feeds without verification. Left unfiltered, this noise prevents teams from making informed decisions about which threats to prioritise and where to allocate resources.

Automated correlation, in contrast to manual triage, identifies relationships between different indicators at scale (the same infrastructure reported by several sources, or several indicators touching the same host) while also reducing the potential for human error.


Supporting this process is confidence scoring, which assesses the relevance, quality and freshness of each piece of threat data: the reliability of the source, how many independent sources corroborate it, how old it is, and whether it has actually been seen in the organisation’s own telemetry. An automated TIP can then use the resulting score to initiate an appropriate preventative action so that threats don’t turn into breaches, anything from blocking IP addresses or quarantining specific devices to escalating the incident for further investigation.


The point here is that confidence scoring lets SOC teams stay ahead of potential risks and vulnerabilities, backed by the ability to enforce policy without human intervention at every stage. The practical caveat is that fully automated blocking should be reserved for high-confidence, corroborated indicators that have been sighted internally; a low-reliability feed entry that automatically blocks a shared CDN or a business partner’s mail server causes an outage rather than preventing a breach, so lower-confidence matches are better routed to an analyst.
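The following Python script is an added example, not Cyware’s or any vendor’s code, that ties together the three steps discussed above: matching an external IOC feed against internal telemetry to produce sightings, scoring each indicator’s confidence from source reliability, corroboration and age, and applying a policy that only blocks automatically when confidence is high and escalates or merely logs the rest. The feed entries, log lines, reliability values, the 180-day staleness threshold and the 0.8/0.5 action thresholds are all constructed for illustration (RFC 5737 test addresses and a dummy hash); a real TIP would take them from its configured sources and policy.

```python
"""Added example: ingest a small IOC feed, correlate it with internal logs,
score confidence, and choose an automated action per indicator and per host."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
STALE_AFTER = timedelta(days=180)                 # assumed age after which confidence is halved

# Constructed feed (not real threat data): RFC 5737 test addresses, example.* names, a dummy hash.
IOC_FEED = [
    {"type": "domain", "value": "update-cdn.example", "source": "vendor-a",
     "reliability": 0.9, "first_seen": "2024-05-01T00:00:00Z"},
    {"type": "ipv4", "value": "203.0.113.7", "source": "vendor-a",
     "reliability": 0.9, "first_seen": "2024-05-02T00:00:00Z"},
    {"type": "ipv4", "value": "203.0.113.7", "source": "osint-list",
     "reliability": 0.4, "first_seen": "2024-04-20T00:00:00Z"},
    {"type": "sha256", "value": "a" * 64, "source": "osint-list",
     "reliability": 0.4, "first_seen": "2023-01-01T00:00:00Z"},
    {"type": "ipv4", "value": "198.51.100.23", "source": "osint-list",
     "reliability": 0.4, "first_seen": "2024-05-03T00:00:00Z"},
    {"type": "domain", "value": "mail-relay.example", "source": "vendor-a",
     "reliability": 0.9, "first_seen": "2024-05-04T00:00:00Z"},
]

# Constructed internal telemetry: DNS, proxy and EDR records flattened to 'ts source k=v ...'.
LOG_LINES = [
    "2024-05-10T09:01:00Z dns host=ws-017 query=update-cdn.example answer=203.0.113.7",
    "2024-05-10T09:01:05Z proxy host=ws-017 dst=203.0.113.7 bytes_out=482133",
    "2024-05-10T09:02:00Z edr host=ws-017 event=process_create sha256=" + "a" * 64,
    "2024-05-10T11:15:00Z proxy host=ws-042 dst=198.51.100.23 bytes_out=1200",
    "2024-05-10T11:16:00Z dns host=ws-099 query=intranet.corp.example answer=10.0.0.5",
]

def parse_log(line):
    """Turn 'ts source k=v k=v ...' into a dict."""
    ts, source, *fields = line.split()
    rec = {"ts": ts, "source": source}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def build_index(feed):
    """Group feed entries by indicator value so corroboration across sources is visible."""
    index = defaultdict(list)
    for entry in feed:
        index[entry["value"]].append(entry)
    return index

def find_sightings(index, log_lines):
    """Match every log field value against the indicator set -> {value: [(host, log source)]}."""
    sightings = defaultdict(list)
    for line in log_lines:
        rec = parse_log(line)
        for key, value in rec.items():
            if key not in ("ts", "source", "host") and value in index:
                sightings[value].append((rec.get("host"), rec["source"]))
    return sightings

def confidence(entries, now=NOW):
    """Score 0..1 from best source reliability, corroboration across sources, and age."""
    sources = {e["source"] for e in entries}
    score = max(e["reliability"] for e in entries) + 0.1 * (len(sources) - 1)
    first_seen = min(datetime.fromisoformat(e["first_seen"].replace("Z", "+00:00"))
                     for e in entries)
    if now - first_seen > STALE_AFTER:
        score *= 0.5  # stale indicator: keep it, but halve its weight
    return round(min(score, 1.0), 2)

def indicator_action(score, sightings):
    """Policy: only high-confidence indicators that were actually seen get blocked automatically."""
    if not sightings:
        return "watch"  # nothing internal matched: no action, keep on the watchlist
    if score >= 0.8:
        return "block"
    if score >= 0.5:
        return "escalate"  # plausible but uncorroborated: hand to an analyst
    return "log"

def triage(feed=IOC_FEED, log_lines=LOG_LINES):
    """Return (per-indicator decisions, per-host decisions)."""
    index = build_index(feed)
    sightings = find_sightings(index, log_lines)
    decisions, per_host = {}, defaultdict(set)
    for value, entries in index.items():
        seen = sightings.get(value, [])
        score = confidence(entries)
        decisions[value] = {"score": score, "sightings": len(seen),
                            "action": indicator_action(score, seen)}
        for host, _ in seen:
            per_host[host].add(value)
    # Host-level correlation: several distinct indicators on one host outweighs the
    # low confidence of any single one (the stale hash alone would only be logged).
    host_actions = {h: "quarantine" if len(v) >= 2 else "monitor" for h, v in per_host.items()}
    return decisions, host_actions

if __name__ == "__main__":
    decisions, hosts = triage()
    print(decisions, hosts, sep="\n")
```

Run as-is, the corroborated address 203.0.113.7 scores 1.0 with two sightings and is blocked, the stale single-source hash scores 0.2 and is only logged, and the unsighted domain stays on the watchlist; yet host ws-017 is quarantined because three distinct indicators converge on it, which is the correlation that a per-indicator view alone would miss.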


In addition, the most effective automated TIPs can be integrated with orchestration technologies to expedite response workflows across other relevant security tools. This can build greater accuracy and efficiency in the overall process and can ensure the right resources are allocated to each area of risk.


When operationalising threat intelligence, security teams should also create processes that share relevant and timely insights with key stakeholders. Not only does this promote a culture of collaboration, but it also helps eliminate information and intelligence siloes to ensure that the organisation is always proactively positioned to respond to evolving risks.


Given the volume and complexity of today’s cyber-security risks, harnessing the potential of threat intelligence has never been more important. By embracing a multifaceted approach — which encompasses collection, analysis, automation, and collaboration — organisations can better anticipate potential threats, allocate resources more effectively, and maintain a robust and resilient cyber-security posture.


Brett Candon is vice president, international at Cyware


© 2024, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.