To the surprise of no one that follows the information security market, threats and attackers are advancing at such a rapid pace that most enterprises have been unable to match it. New, sophisticated zero-day vulnerabilities are constantly being discovered and exploited to gain access to corporate systems; sophisticated attackers can then hide for months and even years while siphoning valuable data.
A big selling point for threat intelligence is the potential for an enterprise to use the information to defend against attacks before they are ever launched.
For enterprise security teams trying to proactively implement and manage security controls to thwart advanced attacks, threat intelligence can make all the difference. Adding threat intelligence to an established information security program can complement a threat assessment and provide more critical data on which security controls might be capable of stopping the latest attacks in an enterprise environment.
In this tip, we'll define threat intelligence and discuss how threat intelligence feeds can be integrated into an enterprise information security program.
Threat intelligence, past and present
The definition of threat intelligence tends to differ depending on the enterprise or service provider asked. Some define threat intelligence as being aware of attacks as they happen, while others define it as the techniques threat actors use in the attacks they investigate. Generally speaking, though, and for the purposes of this article, threat intelligence refers to the ability of enterprises to collect and analyze information from a variety of sources on the latest threat vectors, and then employ that information to help fend off attacks.
Many professionals in the information security community cut their teeth during the days of old-school hacking, when email lists like Bugtraq, e-zines like Phrack and the Internet in general were gaining popularity rapidly. Such relatively simple sources were used for the threat intelligence feeds of the time, but back then, it was still possible to be reasonably knowledgeable about and aware of the current state of many different areas of attacks and research. In contrast, today it's impossible for even the most dedicated security pros to be knowledgeable in as many areas currently and to keep up with the multitude of new threats constantly being discovered.
Recently, enterprises have tried to use IT security risk management techniques in an attempt to better prioritize security controls and adjust information security programs, but these methods haven't evolved enough to effectively manage risk. Incorporating new methods like threat intelligence to help prioritize security controls help an enterprise adapt more quickly to the latest attacks, particularly by identifying them more quickly and increasing the speed of incident response.
So where does this "intelligence" come from? An enterprise could create a threat intelligence program from scratch by investing significant resources to create its own team of researchers and analysts, but most organizations do not have the sufficient funds to take that course. Another option is to subscribe to the threat intelligence services provided by any number of security vendors. Each vendor has its own specialties, and many tend to emphasize threat intelligence that accentuates their product portfolios, so some mixing and matching of services is a given. A third and increasingly popular option is to participate in an information sharing and analysis center (ISAC), where industry-specific threat data is shared and then incorporated into local analysis and tools.
Integrating threat intelligence
From the editors: More on ISACs
Information sharing and analysis centers come in a variety of flavors (and price points), so how can an enterprise decide which, if any, ISAC offers the most benefits for it? Security management expert Joseph Granneman gives his advice on how to get involved with an ISAC, what information needs to be shared and more.
After choosing its information sources, enterprises must tackle the threat intelligence integration process. Threat intelligence feeds, information streams provided in a standardized way (typically XML), can be integrated into a variety of security appliances. For example, known malicious IPs can be entered into firewalls and blocked, known malicious domains can be blackholed by DNS servers and malicious downloaded files can be identified by network monitoring tools, or included in system management tools to identify specific files or tools. You can configure SIEM systems to accept feeds to identify compromised hosts. The additional threat data from any subsequent investigation could be used to further analyze different systems and those shared with other organizations so the information can be put to use.
A big selling point for threat intelligence is the potential for an enterprise to use the information to defend against attacks before they are ever launched. By monitoring threat intelligence feeds for attacks against specific software, systems or industries, an enterprise can determine if it is using vulnerable software or systems and then deploy mitigations before an attack takes place. For example, if an attacker is targeting Web servers with a vulnerable version of WordPress to use as a pivot point to attack internal networks, identifying the vulnerable WordPress installs and applying mitigations, or even updating to the latest version, can prevent such an attack. In large enterprises, an attack against one area of the corporate network could even be used to identify threat data that can then be used to investigate the overall network.
Gathering and managing internal threat intelligence seems reasonable, but to efficiently use data from many other enterprises to perform such activities, it might be wise to turn to a third-party service provider. A service provider can perform validation and data cleansing on incoming intelligence information, so enterprises can simply import the data into internal tools and focus on preventing or detecting attacks instead.
To defend against current, sophisticated attackers, enterprise information security programs need to be adaptable enough to include new methods that improve decision making. Adding threat intelligence to an infosec program, whether through an internal capability or from a service provider, helps enterprises prioritize security activities and focus on the areas that are most likely to stop attackers. As threats grow ever more complicated and targeted, organizations should take every available opportunity to learn more about the techniques being used against them, with the hope that such knowledge will lead to a more effective security program.
About the author:
Nick Lewis, CISSP, is the information security officer at Saint Louis University. Nick received his Master of Science in information assurance from Norwich University in 2005, and in telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and at Boston Children's Hospital, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.
This was first published in October 2013