Threat Intelligence in Numbers

As we exit 2016, I want to look at threat intelligence by the numbers and show how 2017 and beyond will make threat intelligence an even bigger numbers problem.

Threat intelligence datasets are growing steadily, as are the number of potential targets and the number of new, upcoming threats.

For example, the recent attack on the San Francisco Municipal Transport Agency had over 2,000 systems locked with ransomware.

The MUNI HDDCryptor ransomware incident points to a new "multiplier" factor: ransomware payloads capable of infecting hundreds of machines in a short time.

Another example is the 2016 DDoS attack on Dyn and its ripple effect. IoT is a classic big data challenge for cybersecurity.

More and more IoT attacks and targets are being added to the internet. IoT hacking services will increase along with the number of IoT endpoints.

That is why data mining, machine learning, and pure statistics should play a huge role in threat intelligence. That is the only practical way to uncover hidden patterns, unknown correlations, and other useful security information.

However, statistics can be tricky at times, and data set accuracy is critical for meaningful results. The challenge is how to convert threat data into threat intelligence and how to keep the human factor as part of the process.

The average attack dwell time before discovery is 98 days for financial services and 197 days for retailers. 

If we take the growth rate and assume a 50 percent chance of breach over 2 years with 200 dwell days, then 200 days / 730 days (in 2 years) x 1/2 = 13.5 percent: that is the chance your company is under attack at this moment!

There are around 2,400 distinct threats at any given time. Most follow the kill chain model, a 7-step process used by attackers. There are at least 40 known hacking groups (not to mention script kiddies and individuals).

Thus, a threat within a specific kill chain phase, coming from a specific hacking group, is one of 2,400 x 7 x 40 = 673,200 combinations.

So which of those 673,200 threat/phase/group combinations is active within your organization now?

There are more than 40 million Indicators of Compromise (IOCs) available from multiple sources with an "active" status today. Each IOC can be tied to a specific phase within the kill chain (network-based or host-based).

Going back to the 2,400 distinct threats, that is an average of 16,666 indicators per threat!

Let's assume 50 indicators per attack: 200 attacks will generate 50 x 200 = 10,000 indicators per year.

Which indicators are relevant for you? That is the ultimate challenge of threat intelligence analysis.
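The practical answer to "which of those combinations is active here?" is correlation: tag each indicator with its threat, kill chain phase and actor, drop stale entries, match the rest against your own telemetry, and rank by how many phases of one threat show up on how many hosts. The script below is an added example, not code from the article; the indicator feed, hostnames, hash and log lines are constructed sample data, and the key=value log format and the 90-day freshness window are assumptions.

```python
"""Rank kill-chain phase / threat / actor combinations by matched indicators.

Added example, not from the original article. All feed entries, hostnames,
hashes and log lines below are constructed sample data, not real IOCs.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed IOC feed: each indicator is tagged with the threat it belongs to,
# the kill-chain phase it evidences, the actor it is attributed to, and when the
# source last saw it active. (Hypothetical values.)
IOC_FEED = [
    {"value": "update-check.example-bad.test", "type": "domain",
     "threat": "HDDCryptor-like", "phase": "command_and_control",
     "actor": "GroupA", "last_seen": "2016-12-20"},
    {"value": "198.51.100.23", "type": "ipv4",
     "threat": "HDDCryptor-like", "phase": "delivery",
     "actor": "GroupA", "last_seen": "2016-12-18"},
    {"value": "0123456789abcdef0123456789abcdef", "type": "md5",
     "threat": "HDDCryptor-like", "phase": "installation",
     "actor": "GroupA", "last_seen": "2016-12-19"},
    {"value": "cdn-mirror.example-bad.test", "type": "domain",
     "threat": "IoT-botnet", "phase": "command_and_control",
     "actor": "GroupB", "last_seen": "2016-10-25"},
    {"value": "203.0.113.9", "type": "ipv4",
     "threat": "IoT-botnet", "phase": "exploitation",
     "actor": "GroupB", "last_seen": "2015-01-02"},   # stale, will be dropped
]

# Constructed log lines in a simple key=value format (the format is assumed).
LOG_LINES = [
    "ts=2016-12-21T08:01:02 type=dns host=ws-17 qname=update-check.example-bad.test",
    "ts=2016-12-21T08:01:05 type=dns host=ws-22 qname=update-check.example-bad.test",
    "ts=2016-12-21T08:02:10 type=file host=ws-17 md5=0123456789abcdef0123456789abcdef",
    "ts=2016-12-21T08:03:00 type=dns host=ws-03 qname=www.example.test",
    "ts=2016-12-21T08:04:00 type=conn host=ws-09 dst=203.0.113.9",
]

# Which log fields can carry which indicator types.
FIELD_TO_TYPE = {"qname": "domain", "dst": "ipv4", "src": "ipv4", "md5": "md5"}


def parse_line(line):
    """Parse 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def active_iocs(feed, today, max_age_days=90):
    """Keep only indicators seen within max_age_days; stale IOCs are mostly noise."""
    cutoff = today - timedelta(days=max_age_days)
    return [i for i in feed if date.fromisoformat(i["last_seen"]) >= cutoff]


def match_events(feed, lines, today, max_age_days=90):
    """Return {(threat, phase, actor): set of hosts} for events hitting an active IOC."""
    index = {(i["type"], i["value"]): i for i in active_iocs(feed, today, max_age_days)}
    hits = defaultdict(set)
    for line in lines:
        event = parse_line(line)
        for field, ioc_type in FIELD_TO_TYPE.items():
            ioc = index.get((ioc_type, event.get(field)))
            if ioc is not None:
                hits[(ioc["threat"], ioc["phase"], ioc["actor"])].add(event["host"])
    return dict(hits)


def rank_threats(hits):
    """Rank (threat, actor) pairs: distinct phases seen first, hosts touched second.

    Evidence across several kill-chain phases of one threat is stronger than
    many hits on a single phase. Returns [(threat, actor, n_phases, n_hosts)].
    """
    phases = defaultdict(set)
    hosts = defaultdict(set)
    for (threat, phase, actor), host_set in hits.items():
        phases[(threat, actor)].add(phase)
        hosts[(threat, actor)] |= host_set
    ranked = [(t, a, len(phases[(t, a)]), len(hosts[(t, a)])) for (t, a) in phases]
    return sorted(ranked, key=lambda r: (r[2], r[3]), reverse=True)


if __name__ == "__main__":
    observed = match_events(IOC_FEED, LOG_LINES, date(2016, 12, 21))
    for threat, actor, n_phases, n_hosts in rank_threats(observed):
        print(f"{threat} ({actor}): {n_phases} phase(s) seen on {n_hosts} host(s)")
```

With the sample data, the stale IoT-botnet address is filtered out before matching, so the connection to it on ws-09 produces no hit, while the HDDCryptor-like indicators surface in two phases (command and control, installation) across two hosts. The freshness cutoff is the piece most worth tuning against your own feeds: too short and you miss slow campaigns, too long and the 40 million "active" indicators bury the handful that matter.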

More threat data is being produced than any human brain has the capacity to monitor.

It becomes nearly impossible to gauge whether an activity is normal or malicious.

A person's perspective and the human factor are highly important. However, human decisions should be augmented with analytics, mathematical engines, and adaptive models for threat actors, attacks, and cybersecurity trends.

Nir Yosha, MBA CISSP