The cybersecurity landscape is constantly changing, and threat intelligence serves to collect information on attacker motives, exploit capabilities, malware code, infrastructure, and resources. To protect businesses from threats, cybersecurity researchers continually seek out intelligence on the next potential attack. Hackers and threat intelligence researchers always play a cat-and-mouse game where researchers find and remediate threats and attackers find new ways to bypass defenses.
Why is Threat Intelligence Important?
Hacking is an illegal activity, but attackers can make huge monetary gains for a significant data breach. While a hacker can make money on a data breach, a successful compromise costs businesses millions per breach, which means they can be devastating for sustainability. Hackers keep their information sharing and recent exploits hidden away in small communities where they can hide from law enforcement. Threat intelligence aims to monitor hacker activity to stop the next big attack.
A cybersecurity researcher could be an in-house staff member or a group of people who perform research as a business. Collected threat intelligence is usually shared among other researchers as a collaborated effort to stop attackers. Should a researcher find a vulnerability in a popular application, it’s common for researchers to quietly inform developers so that they can remediate the issue before making it public. Some developers offer bug bounties to anyone who can find vulnerabilities and inform them instead of exploiting it.
Because data breaches are expensive, it’s led to a career path for cybersecurity enthusiasts in threat intelligence and whitehat hacking. Threat intelligence often overlaps with penetration testing and malware research, where researchers are paid to find vulnerabilities in business software. Whitehat hackers find vulnerabilities, giving the organization the ability to remediate it before it becomes a critical data breach.
Intelligence researchers who find vulnerabilities in public software will let the software developers know, and then the vulnerability is published in a repository of known issues. Vulnerabilities are publicly listed to alert IT staff so that they can patch software with known issues. Even if an organization does not have a cybersecurity researcher on staff, IT administrators should watch for threat exposures to avoid a compromise. Common Vulnerabilities and Exposures (CVE) announcements can be used to patch software before attackers can exploit the issue.
How Does Threat Intelligence Work?
Just like software development, threat intelligence has a lifecycle. Each phase in the lifecycle is the same across all threat intelligence platforms, but the way researchers carry out each phase is unique. Having a common lifecycle helps with collaboration, which is an essential aspect of cybersecurity that helps businesses.
The basic phases in threat intelligence include:
- Planning: Before researchers begin collecting data, goals, and objectives must be planned. The planning phase determines the way threat intelligence will be carried out to accomplish each goal.
- Collection: To determine if a threat has compromised a system, researchers need data from several sources, including logs, database audits, firewalls, and files. This phase can be done before a compromise to determine if the organization is experiencing an ongoing attack or after a breach during an incident response.
- Processing: The collection phase could result in millions of raw data points that must be analyzed. Processing is typically done with the help of software such as a security information and event management (SIEM). Artificial intelligence (AI) is also useful in this phase to parse out the noise from the valuable data.
- Analysis: With the help of a SIEM and any other analysis software, threat intelligence researchers will review data and determine if a breach occurred.
- Dissemination: After a threat is discovered, researchers send information across channels. The channels depend on what was found. If it’s after a cyber incident at a business, dissemination of information to IT staff that can then remediate the vulnerability and eradicate it from the network. If threat intelligence is performed for public research, the information may be published for others to remediate on their local networks.
- Feedback: After the information is distributed, the lifecycle and steps to identify the threat are reviewed to determine if all goals were met and if the plan was successfully executed.
The data collected to identify threats varies depending on the plan and the suspected vulnerability. These data points are called indicators of a compromise (IOC). A few data points include:
- Domains and IP addresses: Suspicious traffic from one IP address could indicate that there is an attacker. Some malware will connect to an attacker-controlled server to transfer corporate data. Continuous authentication attempts from the same IP could also indicate an attack takeover.
- Email messages: In a suspected phishing attack, email messages are necessary to trace the source of the attack, including messages with attachments.
- Affected device files: Any devices under attack or infected with malware could host important files that could be used in further analysis. Registry keys, DLL files, executables, and any other data from the device can help with the investigation.
External resources can also be used to collect data. Threat intelligence researchers often use collected data from darknet markets to investigate or join communities of hackers to keep up to date with the latest activity. Some risk management and intrusion detection systems will use large databases of IP addresses and malicious domains to determine if an attack is targeting the organization.
What Tools and Platforms Can Be Used in Threat Intelligence?
The most common threat intelligence platform uses artificial intelligence to help analysts determine potential vulnerabilities. A good SIEM uses AI and will seamlessly integrate with other cybersecurity systems to collect and save data. Tools can run locally or in the cloud, but many organizations choose to work with cloud-based software to skip the difficult installation and infrastructure configurations.
When searching for a threat intelligence platform, look for four main attributes:
- The ability to collect data and aggregate it from several different sources.
- Use of AI to provide a numerical scoring or easily understood risk level so that researchers can easily understand reporting and automated analysis.
- Integration into other cybersecurity systems so that it can work with other data points and analysis tools.
- Help with the dissemination of information but keep sensitive data secure from attackers.
Threat intelligence platforms help both professionals in the cybersecurity industry and IT professionals with research. The right tool must limit false positives to avoid spending resources chasing an inaccurate result. An organization does not need to actively participate in threat intelligence, but IT staff should regularly review the latest vulnerabilities and exploits reported on common software. With simple research, an organization can patch software and stop threats before they turn into a critical data breach.