How many European businesses suffered cyberattacks and data breaches last year? How much did they lose? Well, a Statista report states that companies in Europe lose hundreds of thousands dollars on average from a single attack by cybercriminals – considerable losses that in some cases can ruin a business. Is there any way to predict future attacks and minimize their impact? How do you cope with the ever-growing complexity and ensure you’re doing as much as possible to avoid becoming the next victim? This is where cyberthreat intelligence comes in. But before you arrange that meeting with your IT staff to discuss how to get started, have a quick look over the list of things you need to know to properly implement your own cyberthreat intelligence strategy.
What is it? A personal Sherlock Holmes for the cyberworld?
Cyberthreat intelligence is the process of collecting and analyzing information about indicators, threats, trends and lessons learnt from past and current cyberthreats, and transforming it all into actionable intelligence that fits your organization's goals. This provides an understanding of how and where to invest resources to protect a company's assets most effectively. The main issue here is how to obtain and analyze the huge amount of information – something that is not easy – and make it actionable and at the same time aligned with your goals. There are many non-trivial ways to detect signs of upcoming or ongoing threats; understanding that can help businesses avoid huge losses, but only if those signs are spotted in time and defined correctly.
There are four main categories of threat intelligence:
Strategic - The overall picture of past, current and future trends in the threat and malware landscape.
Operational - Specifics about the nature and purpose of different attacks and attackers.
Tactical - Techniques, tools and tactics of the attackers
Technical - Technical indicators about malware and campaigns
OK. I have a bunch of different data about cyberthreats and tactics. What’s next?
When it comes to the mitigation of different risks, you need to have proper attack scenarios as well as good knowledge of your weaknesses and the intrusion vectors of current attackers. Any mistake in the scenario can cost you more than you would imagine. The intelligence cycle consists of various well-known levels, but properly implementing them into your organization is a different story. Without a deep knowledge of recent and past attacks, the prevailing risks and trends, the usual mistakes victims make, plus a high-level technical understanding, a threat intelligence program is just going to be a waste of time and money.
Are you sure your team has enough experience and knowledge of the current malware landscape? Do they analyze threats properly to mitigate future risks? In many cases, it’s easier and more effective to ask infosec experts to provide a good dive into the best industry practices.
The most time-consuming aspect of threat intelligence is separating important data from the noise. The next step is cross-checking and analyzing the collected data, which in turn, outlines the key indicators of threats. This is where you need to customize the data with your own cybersecurity strategy. There are two typical approaches here – hunting and defending. Developing an approach when it comes to threat intelligence can be compared to military tactics. You need to know your enemy, learn their behavior and know their weaknesses. Together, this information can help to build a very strong defense strategy, reduce the attack surface and keep your assets safe. A recent survey from Threatconnect shows that proper threat intelligence strategies saved US companies more than $8 million in 2019.
“Know your enemy and know yourself. To succeed in defending your networks from persistent threats you need to be aware of your adversaries, to know where and when to find them before they even reach that point. This is a game played by two parties, where we are observing, learning and leveraging each other weakness.” - Virginia Aguilar, Google.
What are the mistakes I need to avoid when implementing my threat intel strategy?
The most common mistake companies make is thinking that threat intelligence is something you can just buy from the infosec market. Although threat intel uses data from the IT security industry, each individual case is unique because their goals are different.
You cannot buy threat intelligence because intelligence is your own interpretation of the data, depending on your objectives.
We’ve already mentioned the most time-consuming part of the threat intel cycle. When you’re evaluating the data you get from your providers, you don't want to buy it “by weight”, but by relevance. It’s better to have less data that is useful for preventing a cyberattack rather than processing lots of non-relevant information.
'Applied Threat Intelligence' - a training course by itrainsec
This elite training by industry experts shows how to get the most from the threat intelligence process in a realistic and applied way and how to properly implement it in an organization. Attendees will learn how to collect, analyze and use threat intelligence-related data, tools and frameworks. Different hands-on scenarios show participants how to effectively conduct threat hunting, incident response and how to apply the insights to protect a specific network.
Training is offered under two different modalities: Hunting and Defending.
About the trainer
Virginia Aguilar, Google
Virginia Aguilar has more than 15 years’ experience in the field of cybersecurity. She specializes in threat intelligence, digital forensics and incident response.
Virginia is currently leading the T&S Account Security team at Google, where she contributes to the protection of Google Accounts. Prior to joining Google, she led the Coordination Centre of the NATO Computer Incident Response Capability and designed its Cyber Threat Assessment Cell.