Threat intelligence -- making it useful from the enterprise to the small business
The term "threat intelligence" surfaced a few years ago. It is unclear where the term originated, and there is not complete agreement on exactly what it means. The Gartner Group defines it as "evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard." Regardless of the definition, the basic concepts are real and important, and not just for the enterprise.
The process of threat intelligence involves four stages:
Collection of threat information from a variety of sources
Reduction and analysis of the data
Conclusions about potential threats, based on analysis
The deliverable is knowledge of a threat enough in advance to prevent a data breach, or at least to discover it before it becomes invasive. This discovery early in the process is an important point, because, according to the Verizon 2015 Data Breach Investigations Report, only 45% of breaches are discovered within days of the event. As with the Home Depot breach, many organizations do not find out until banks or other third parties file reports. Thus, even if data has already been lost, early discovery can limit the loss, and minimize damage to the corporate image.
Drilling down into the four stages:
The information used in threat intelligence needs to come from a variety of sources, both internal and external. This is the "science" aspect of the process. Sources include:
System logs, including firewalls, servers, and intrusion detection/prevention systems, malware logs, etc.
Information shared by other organizations and industry experts
The "art" of threat intelligence involves taking a mass of data and making sense of it. After all, just about anyone can collect data, but knowing what it says is the key to making it useful. This is also arguably the most difficult aspect, since there is no "cookbook" approach to accomplishing it. One major aspect is "reduction," in other words discarding any information that is apparently not significant. Anyone who has looked through the event log on a single PC will understand how much irrelevant data is generated. Multiply this by all of the servers, network devices, and PCs in an organization, and you understand the magnitude of the problem. Much of this data can and must be discarded in order to make any sense of what is left.
As an example, assume you are a threat intelligence analyst. You learn from media and industry expert sources of a new zero-day Windows Server vulnerability. You monitor US-CERT, which soon provides a footprint for exploits of the vulnerability. You now have enough information to check your logs for indications of the footprint.
Armed with reduced and analyzed data, you now employ the "gut" aspect of threat intelligence. Drawing good conclusions from the data goes beyond science and art, and often just involves a feeling on the part of the analyst. At times, the conclusion process is more definitive. In the example above, if you know a vulnerability footprint and know that the footprint exists in some of your server logs, you can reasonably conclude that a breach is in process.
Based on conclusions, actions can be taken to mitigate the problem. These actions are largely dictated by the specific vulnerability, but usually involve some of the following:
Generating an incident in a tracking system
Application of patches or remediations to eliminate the vulnerability
Shutdown of vulnerable applications until a resolution is found
Initiation of "chain of evidence" procedures
Notification of authorities
Quantification of data loss
For the enterprise with key data to protect, threat intelligence is becoming a critical function. In the Verizon report mentioned above, the cost of a data breach for each 1,000 compromised records is forecast to be "...between $52,000 and $87,000, with 95% confidence. " It would not take a very large breach to equal the cost of a treat intelligence team. While they won't replace a dedicated team, there is an emerging list of products intended to help with the process. Some examples of these products include McAfee Global Threat Intelligence and FireEye Threat Intelligence.
If you manage a smaller organization, the value of the data you maintain may well justify a dedicated threat intelligence function, based on Verizon's numbers discussed above. Even if you don't adopt a formal process, however, you can make use of aspects of threat intelligence. Some suggestions:
Pay attention to the media, industry experts, Twitter feeds, etc. to be aware of what is happening in the information security world
Consolidate your log files to make them easier to manage. My prior article on disaster recovery includes a resource list with products that can help with this
If you hear about a new threat, find out how to detect it, and check your logs for any evidence of it being exploited. Pay attention to any new application vulnerabilities, and test your systems for them. Get expert help with this, where needed
If evidence is found, act on it quickly
Thus, threat intelligence is for everyone, whether it involves a full-blown process for those with high-value data, or action guidelines for organizations with less exposure.