Cyber security is an ongoing battle between sophisticated and well-funded bad actors and those who must defend corporate networks against their attacks. The bad news is that the latter are typically not winning. A recent Osterman Research survey found that while most organizations self-report that they are doing “well” or “very well” against ransomware, other types of malware infections and account takeovers, largely because of the significant emphasis placed on these threats, they are not doing well against just about every other type of threat. These include protecting the data that attackers seek, preventing users from reaching malicious sites after they respond to a phishing message, eliminating business email compromise (BEC) attacks, eliminating phishing attempts before they reach end users, and preventing infections on mobile devices.
The missing component for most organizations is the addition of robust and actionable threat intelligence to their existing security defenses. Threat intelligence can be segmented into four subcategories:
- Strategic (non-technical information about an organization’s threat landscape)
- Tactical (details of threat actors’ tactics, techniques and procedures)
- Operational (actionable information about specific, incoming attacks)
- Technical (technical threat indicators, e.g., malware hashes)
The use of good threat intelligence can enable security analysts, threat researchers and others to gain the upper hand in dealing with cyber criminals by giving them the information they need to better understand current and past attacks, and it can give them the tools they need to predict and thwart future attacks. Moreover, good threat intelligence can bolster existing security defenses like SIEMs and firewalls and make them more effective against attacks. Threat intelligence plays a key role in proactive defense to ensure that all security programs are relevant to the fast-evolving threat landscape. This is particularly valuable in security awareness training to ensure users are familiar with known threats.
Existing security defenses provide some measure of protection against increasingly sophisticated threats, but the enormous number of data breaches and related problems experienced by many organizations reveals that current security practices are not adequate. Good threat intelligence capabilities can provide a great deal of information about the domains and IP addresses that are attempting to gain access to a network. They can enable threat researchers to better understand the source of current and past attacks and better deal with future attacks.
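To make the "technical" subcategory concrete, here is an added example (not from the Osterman Research paper and not a product feature) of the kind of check a SIEM or a threat researcher performs with technical threat intelligence: extracting file hashes, IP addresses and domains from log lines and matching them against an indicator set. The indicator values and the log lines are constructed for the illustration; the hash is an obvious placeholder and the IP and domain come from reserved documentation ranges, not real infrastructure.

```python
"""Match technical threat indicators (hashes, IPs, domains) against log lines.

Added example: a minimal indicator-matching routine of the kind a SIEM runs
over proxy, firewall and endpoint logs once technical threat intelligence is
loaded into it. All indicators and log lines below are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

Indicators = Dict[str, Set[str]]

# Constructed indicator set (hypothetical values; the hash is a placeholder,
# the IP and domain are from documentation/reserved ranges).
INDICATORS: Indicators = {
    "sha256": {"deadbeef" * 8},
    "ip": {"203.0.113.45"},
    "domain": {"bad-example.test"},
}

# Constructed sample log lines in a proxy / EDR style.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.45 host=bad-example.test url=/login",
    "2024-01-01T10:00:02Z proxy src=10.0.0.6 dst=198.51.100.7 host=docs.example.org url=/",
    "2024-01-01T10:00:03Z edr host=ws07 file=invoice.exe sha256=" + "deadbeef" * 8,
    "2024-01-01T10:00:04Z edr host=ws08 file=setup.msi sha256=" + "0" * 64,
]

# Regexes for the observable types extracted from free-text log lines.
# Extraction is deliberately permissive; the indicator set does the filtering.
PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def extract_observables(line: str) -> Dict[str, Set[str]]:
    """Return {kind: {values}} for every observable type found in the line."""
    found: Dict[str, Set[str]] = {}
    for kind, pattern in PATTERNS.items():
        values = {m.group(0).lower() for m in pattern.finditer(line)}
        if values:
            found[kind] = values
    return found


def domain_matches(observed: str, known: Set[str]) -> bool:
    """A domain hits if it equals an indicator or is a subdomain of one."""
    return any(observed == ind or observed.endswith("." + ind) for ind in known)


def match_line(line: str, indicators: Indicators) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs from the line that match known indicators."""
    hits: List[Tuple[str, str]] = []
    for kind, values in extract_observables(line).items():
        known = indicators.get(kind, set())
        for value in sorted(values):
            if kind == "domain":
                if domain_matches(value, known):
                    hits.append((kind, value))
            elif value in known:
                hits.append((kind, value))
    return hits


def scan(lines: List[str], indicators: Indicators) -> Dict[int, List[Tuple[str, str]]]:
    """Map the index of every matching line to its indicator hits."""
    results: Dict[int, List[Tuple[str, str]]] = {}
    for index, line in enumerate(lines):
        hits = match_line(line, indicators)
        if hits:
            results[index] = hits
    return results


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOGS, INDICATORS).items():
        print(f"line {index}: {hits}")
```

In a real deployment the indicator set would be refreshed from a feed rather than hard-coded, and each hit would be enriched with the tactical context (which actor, which campaign) that the other three subcategories supply, so that an analyst can judge the severity rather than just the presence of a match.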
We have just published a white paper on threat intelligence that you can download here.