The Brief Fundamentals of Threat Intelligence

Amine Amhoume
5 min read, Jun 17, 2019

Do we still need to emphasize how dangerous cyber attacks are for enterprises? Do we need to keep reminding stakeholders that some vicious people called cyber criminals, on the other side of the world, are working hard to send well-targeted attacks against any enterprise with a vulnerable infrastructure? Do those stakeholders know that hackers have all the capabilities needed to bypass most security perimeters and solutions, and thus take down a network and its data? Well! One only has to check the cybersecurity news to see how frequent and expensive those catastrophes have become.

Numbers always tell the truth. IBM’s study reports reveal that the global average cost of a data breach rose 6.4 percent over the previous year (2017–2018), to reach $3.86 million. On average, the cost of each lost or stolen sensitive record increased by 4.8 percent, to reach $148. Other reports show that in January 2019 alone, more than 1.7 billion user records were leaked in a single month. Now take the numbers from the previous fact and do the math. It’s huge, right? Well! The reasons behind these tremendous numbers are endless. Today, we are not here to rehearse those scary facts and keep stressing about them, but to present one of the solutions that must be implemented to reduce them, and with them the risk of being breached.

In this article, we are going to talk about Threat Intelligence (T.I) as a solution that enterprises must rely on to avoid being penetrated. We will explain what it is, why enterprises should focus on it, and what its lifecycle looks like.

What is Threat Intelligence?

Often called Cyber Threat Intelligence (CTI), Threat Intelligence is a collection of analyzed, organized and clarified information about an existing or potential cyber threat that endangers the safety and continuity of an organization. Keep in mind that the word “intelligence” has the same meaning as information in this context. However, this collection of information starts out as raw data taken from two or more sources such as:

  • Internal sources: every security mechanism that produces data for security purposes, including SIEMs, firewalls and logging systems. Be aware that the data provided by these security solutions is not considered intelligence until it has been analyzed and refined.
  • External sources: outside sources such as open source intelligence, social media intelligence, and deep and dark web intelligence. Basically, these are all the external sources that help gather information about a specific threat.

Yet there’s a big misunderstanding that threat intelligence is the domain of elite security experts and that only big organizations need to implement it. In fact, CTI plays a crucial role in the IT security not only of big and midsize organizations but of small ones too. So…

Why should enterprises of all sizes adopt Threat Intelligence?

Enterprises are taken down every day because cybercriminals are destroying everything they set their eyes on. They use their strong determination and skills to make your security mechanisms collapse. Because of this, cyber attacks are on the rise, and regardless of size, all companies are targeted.

Threat intelligence comes to help as one of the solutions whose various benefits level up an enterprise’s security maturity. One of those benefits is that threat intelligence obviously reduces the risk of getting digitally penetrated, by giving security teams a clear and detailed overview of the currently existing threats. That is to say, it’s more convenient for enterprises to adopt a T.I operation in order to identify security weaknesses and work on eliminating them. To do so, enterprises take the raw and unstructured data provided by different security products and make it more human readable.

Also, a threat intelligence operation will lower the response time in case of a cyber breach and thus prevent huge losses. Furthermore, a successful threat intelligence operation will give IT security teams and executives the ability to understand the cyber risks and build confidence in the security operation by exposing new tactics and techniques used by hackers.

What is the Threat Intelligence Lifecycle?

The final result of a threat intelligence operation is the outcome of a circular process called a lifecycle. It is the lifecycle of the raw data collected from the different sources mentioned above, and it’s called so because new questions and requirements are generated throughout the process. This lifecycle has six steps to produce the wanted intelligence, and the figure below explains how it works:

[Figure: the six-step threat intelligence lifecycle. Source: link]

Direction (or planning): The first step is to plan the whole process. This starts by asking the correct questions and defining the right goals: determining the most valuable assets in the enterprise, defining the types of threats that are most dangerous to it, and choosing the appropriate tools to use during the process. Yet the most significant question is: who is going to consume the final result? Remember that these goals and questions are the foundation, and they decide the success of the threat intelligence operation.

Collection: Here we mean the collection of raw data from a wide range of external and internal sources. The goal is to give the IT security team something to work with. However, the collection process should be driven by the requirements defined in the previous step.

Processing: After collecting all the necessary data in the previous step, we now need to categorize it, organize it, and filter out redundant entries and false positive/negative information. This step should always be automated using machine learning tools to help security teams save time and be more efficient.

Analysis: It’s time to use this data and turn it into intelligence. This is done by analyzing it to look for security issues and for answers to the questions defined in the first step. The goal is to produce cyber intelligence that is easy to read and understand for various types of audience.

Dissemination: It’s time to distribute the final result to the consumers defined in the direction stage. Executives may need this intelligence to make future business decisions. Nevertheless, to get the most out of this threat intelligence, it has to reach the right hands at the right time. One thing to remember is that the final result can take many formats depending on who is going to utilize it. For this reason, there are three types of T.I final result:

  • Strategic: strategic cyber threat intelligence is meant for a non-technical audience such as executives.
  • Tactical: this one is for technical consumers and focuses on the techniques and tactics performed by attackers.
  • Operational: this one arranges technical details about specific attacks.

Feedback: After all the steps have been completed successfully, it’s time for the consumers to review the result and give feedback on whether it answered the questions it was started for. This step can also be the beginning of a new cyber intelligence process. Just like a Phoenix.
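To make the six steps concrete, here is an added worked example (not code from the article or its author) that runs one turn of the lifecycle over the two kinds of sources described earlier, an external OSINT feed and an internal SIEM export. All feed lines, hosts, the allowlist of our own addresses and the requirements are constructed for illustration; the IP addresses come from the RFC 5737 documentation ranges. The Processing step shows the filtering the article calls for (duplicates merged, junk and malformed lines dropped, a feed entry for one of our own addresses treated as a false positive), Analysis correlates what remains with internal sightings, Dissemination produces one product each for strategic, tactical and operational consumers, and Feedback carries the dropped-record statistics and the new questions into the next turn.

```python
# Miniature threat-intelligence lifecycle. Added example; all data is constructed.
from collections import Counter
from dataclasses import dataclass, field
import ipaddress
import re

# Direction: requirements agreed with the consumers before collection starts (assumed)
REQUIREMENTS = {"question": "Which externally reported indicators touched our network this week?",
                "key_assets": {"web-01", "mail-01"}}

# Collection: raw lines from an external OSINT feed ("value,ip,tag,tag") and an internal
# SIEM export ("host dst_ip action"). Constructed; note the duplicate, the junk line,
# the malformed value and the entry that is really one of our own NAT addresses.
RAW_RECORDS = [
    {"source": "osint-feed", "line": "203.0.113.7,ip,c2,malware-family-x"},
    {"source": "osint-feed", "line": "203.0.113.7,ip,c2,malware-family-x"},  # duplicate
    {"source": "osint-feed", "line": "198.51.100.23,ip,scanner"},
    {"source": "osint-feed", "line": "evil.example,ip,c2"},       # typed "ip" but not an IP
    {"source": "osint-feed", "line": "not an indicator at all"},  # junk
    {"source": "osint-feed", "line": "192.0.2.10,ip,phishing"},   # our own address
    {"source": "siem", "line": "web-01 203.0.113.7 allowed"},
    {"source": "siem", "line": "mail-01 203.0.113.7 allowed"},
    {"source": "siem", "line": "web-01 198.51.100.23 blocked"},
    {"source": "siem", "line": "dev-03 192.0.2.10 allowed"},
]
OWN_ADDRESSES = {"192.0.2.10"}  # constructed allowlist: feed hits on these are false positives
FEED_RE = re.compile(r"^(?P<value>[^,]+),ip,(?P<tags>.+)$")
SIEM_RE = re.compile(r"^(?P<host>\S+) (?P<dst>\S+) (?P<action>allowed|blocked)$")


@dataclass
class Indicator:
    value: str
    tags: set = field(default_factory=set)
    sightings: list = field(default_factory=list)  # (internal host, action) pairs


def process(records):
    """Processing: parse, validate, deduplicate, drop false positives, count what was dropped."""
    indicators, sightings, dropped = {}, [], Counter()
    for rec in records:
        if rec["source"] == "osint-feed":
            m = FEED_RE.match(rec["line"])
            if not m:
                dropped["unparseable"] += 1
                continue
            try:
                ipaddress.ip_address(m["value"])
            except ValueError:
                dropped["invalid-ip"] += 1
                continue
            if m["value"] in OWN_ADDRESSES:
                dropped["own-address"] += 1
                continue
            # setdefault merges a repeated indicator into one entry instead of counting it twice
            indicators.setdefault(m["value"], Indicator(m["value"])).tags.update(m["tags"].split(","))
        elif rec["source"] == "siem":
            m = SIEM_RE.match(rec["line"])
            if m:
                sightings.append((m["host"], m["dst"], m["action"]))
    return indicators, sightings, dropped


def analyze(indicators, sightings, requirements):
    """Analysis: correlate external indicators with internal sightings to answer the question."""
    for host, dst, action in sightings:
        if dst in indicators:
            indicators[dst].sightings.append((host, action))
    findings = []
    for ind in indicators.values():
        if not ind.sightings:
            continue  # listed in the feed but never seen on our network
        unblocked = sorted(h for h, a in ind.sightings if a == "allowed" and h in requirements["key_assets"])
        findings.append({"indicator": ind.value, "tags": sorted(ind.tags),
                         "hosts": sorted({h for h, _ in ind.sightings}),
                         "allowed_on_key_assets": unblocked})
    return findings


def disseminate(findings):
    """Dissemination: one product per audience type (strategic, tactical, operational)."""
    hit_assets = sum(1 for f in findings if f["allowed_on_key_assets"])
    return {
        "strategic": f"{len(findings)} externally reported indicators were seen on the network; "
                     f"{hit_assets} reached key assets unblocked.",
        "tactical": sorted({t for f in findings for t in f["tags"]}),
        "operational": [f"{f['indicator']} seen from {','.join(f['hosts'])}"
                        + (f" (ALLOWED on {','.join(f['allowed_on_key_assets'])})"
                           if f["allowed_on_key_assets"] else "")
                        for f in findings],
    }


def run_cycle(records=RAW_RECORDS, requirements=REQUIREMENTS):
    """Run one turn of the cycle; the feedback entry seeds the next turn's direction step."""
    indicators, sightings, dropped = process(records)
    findings = analyze(indicators, sightings, requirements)
    products = disseminate(findings)
    products["feedback"] = {
        "dropped": dict(dropped),
        "new_questions": [f"Why was {f['indicator']} allowed on {','.join(f['allowed_on_key_assets'])}?"
                          for f in findings if f["allowed_on_key_assets"]],
    }
    return products


if __name__ == "__main__":
    for audience, product in run_cycle().items():
        print(audience, "->", product)
```

Running it prints one line per audience: the strategic sentence an executive can act on, the tactical tag list a SOC can tune detections against, the operational per-indicator detail an incident responder needs, and the feedback that turns the single unblocked C2 contact into the next turn's question, which is the circular part of the lifecycle.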

This article was originally published on thecyberwriter.com. Need a cyber security or technology content writer for your business? Check my website and let’s get to work together.

Amine Amhoume

Penetration tester | security researcher | sometimes I write stuff.