By Chee Hoe Lee - Cyber Security Evangelist, Yokogawa
When it comes to monitoring mass amounts of data, information overload can significantly hinder a threat analyst's productivity.
Determining trends in the threat landscape and what's relevant to your Industrial Control System requires fine-tuned monitoring and a great deal of time. Unfortunately, time is an extremely valuable and elusive resource for security teams. Being aware of imminent threats as they emerge could help you avoid potentially catastrophic damage to your information or brand.
What is a threat?
We informally describe a threat as "a person or organization that intends to cause harm." More formally, a threat is:
"A malevolent actor, whether an organisation or an individual, with a specific political, social, or personal goal and some level of capability and intention to oppose an established government, a private organisation, or an accepted social norm."
This understanding of threats is what we call "Threat Intelligence": it lets organizations go beyond merely collecting data about threats and understand how that data affects the organization. To be conclusive, it should be based on specific data points and past events.
The real challenge comes when the data is analysed: if the business cannot extract actionable information on combating, responding to and mitigating threats, the Threat Intelligence effort was in vain.
What is Threat Intelligence?
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.
Sources of Threat Intelligence
The first step for an organization that decides to enhance its information security capabilities with Threat Intelligence is to choose the sources of the intelligence. Sources can be grouped into two high-level categories: internal and external.
Internal Threat Intelligence
Data points and information that are garnered from within the organization itself constitute internal Threat Intelligence. As enterprises experience exploit kits, malware infections and other daily issues that can seem random and unconnected, they have an opportunity to build a profile of their environment by organizing such information into meaningful content. That process also gives the information security team the opportunity to learn how to turn unrelated or simple events into "enterprise intelligence."
Oftentimes, gathering internal information is much easier than organizing and interpreting it. Many organizations strive to send mountains of data to a central aggregation point, such as a SIEM system. The central aggregation point must be tuned to accept the various types of data, and data must be indexed and available for query by the information security team. The team must also ensure that specific data points are being collected and alerted upon.
Consider, for example, a ransomware infection delivered via spearphishing that encrypts a file share, disrupting the normal course of business and potentially causing a financial loss. Despite those negatives, the organization does not consider ransomware a targeted threat, because the situation can be easily remediated. However, by applying a Threat Intelligence lens to the situation, the information security team may be able to identify the path the malware took to infect the original host and what chokepoints along that path failed to detect the malware.
The team can also identify the vulnerabilities exploited by the malware and observe how easily it could spread internally. By polling its aggregated logs, the team can determine whether the malware caused additional, as yet unknown, damage. The same exercise can expose gaps in the data aggregation effort, so that additional collectors can be placed at those data collection points. Building and maintaining a history of incidents within an organization is a critical first step toward building a successful internal Threat Intelligence team.
By cataloguing details of the incidents, such as attack paths, vulnerabilities, malware and other network indicators, an internal team can start to recognize similarities between attack groups or malware families. This internal growth can also help the organization identify weak points, critical assets and priorities for security policy implementation.
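The following is an added illustration, not code from the article or from Yokogawa: a small incident catalogue of the kind described above, with functions that rank the attack-path stages where no control logged anything (where extra collectors belong) and that score indicator overlap between incidents to surface likely shared actors or malware families. All incident ids, addresses, hashes and vulnerability ids are constructed placeholders.

```python
from itertools import combinations

# Constructed sample catalogue (not real data): each incident records its attack
# path as (stage, control that logged it or None), exploited vulnerabilities
# (placeholder ids) and the network/host indicators observed.
INCIDENTS = {
    "INC-001": {
        "path": [("phish-email", "mail-gateway"), ("macro-exec", None),
                 ("c2-beacon", "proxy"), ("smb-spread", None), ("encrypt-share", "file-audit")],
        "vulns": {"VULN-PLACEHOLDER-A"},
        "indicators": {"203.0.113.10", "updater.example.invalid", "sha256:aaa"},
    },
    "INC-002": {
        "path": [("phish-email", "mail-gateway"), ("macro-exec", None),
                 ("c2-beacon", "proxy"), ("encrypt-share", "file-audit")],
        "vulns": {"VULN-PLACEHOLDER-A"},
        "indicators": {"203.0.113.10", "updater.example.invalid", "sha256:bbb"},
    },
    "INC-003": {
        "path": [("usb-drop", None), ("macro-exec", None), ("c2-beacon", "proxy")],
        "vulns": {"VULN-PLACEHOLDER-B"},
        "indicators": {"198.51.100.7", "sha256:ccc"},
    },
}

def collection_gaps(incident):
    """Stages of the attack path that no control logged: candidate collector sites."""
    return [stage for stage, control in incident["path"] if control is None]

def gap_summary(catalogue=INCIDENTS):
    """Rank undetected stages by how many incidents passed through them unseen."""
    counts = {}
    for inc in catalogue.values():
        for stage in collection_gaps(inc):
            counts[stage] = counts.get(stage, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def overlap(a, b):
    """Jaccard similarity of two incidents over their indicators plus vulnerabilities."""
    sa, sb = a["indicators"] | a["vulns"], b["indicators"] | b["vulns"]
    return len(sa & sb) / len(sa | sb)

def similar_incidents(threshold=0.5, catalogue=INCIDENTS):
    """Incident pairs that share enough infrastructure or tooling to suggest one actor/family."""
    pairs = []
    for x, y in combinations(sorted(catalogue), 2):
        score = overlap(catalogue[x], catalogue[y])
        if score >= threshold:
            pairs.append((x, y, round(score, 2)))
    return pairs
```

On the sample data, `gap_summary()` shows that macro execution went unlogged in every incident, and `similar_incidents()` links INC-001 and INC-002 through shared infrastructure and the same exploited vulnerability.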
External Threat Intelligence
Quite simply, this is intelligence that an organization acquires from outside itself. External Threat Intelligence can be further broken into multiple subgroups, including the following:
- Data subscriptions, also known as feeds
- Commonality, such as by industry or geographic location
- Relationships with government and law enforcement
- Crowd-sourced platforms
Because external Threat Intelligence is often not specific to the organization, the security team must spend time evaluating the applicability of the intelligence.
What are the steps in planning a Cyber Threat Intelligence program?
The planning and preparation phase for establishing a Cyber Threat Intelligence program is crucial for its efficiency and relevance.
These are the initial steps in preparing a Cyber Threat Intelligence program:
- Establish what the purpose of the Threat Intelligence data is, and who will be in charge of planning Cyber Threat Intelligence
- After deciding upon the purpose of the Threat Intelligence, the organization will then need to select the appropriate tools for data collection and aggregation. In addition to this, it will have to decide which data source will be used (internal, external, both)
- The last step in planning a Cyber Threat Intelligence program is setting the goals, as well as the methods for progress measurement (they can be grouped into short and long term)
In the corporate environment, developing an efficient Cyber Threat Intelligence program is an important step towards ensuring a strong information security strategy.
Cyber Threat Intelligence is likely to make its way into more organizations, despite tight budgets and a time-consuming implementation process. No cyber-security strategy or risk management programme is bullet-proof, but through continuous intelligence gathering and defence optimization, businesses can increase their protection.