Threat Intelligence

This article is an excerpt from a talk I have given on the recent rise of the concept of Threat Intelligence. The hype around Threat Intelligence is second only to that around AI and machine learning, but it is somewhat harder to describe or to nail down a definition of.

Threat Intelligence, as I define it, assists you in defining your threat/risk exposure and the motivation of the groups that might have an interest in attacking your business. Threat intelligence helps you understand, and respond to, developments in the hacker/underground communities. These developments can be of a political character, or they can be recent disclosures of vulnerabilities, for instance the recent CVSS score 10 vulnerability in Cisco ASA.

No single product can provide threat intelligence, but a product can, in collaboration with other sources of data such as a SIEM system along with network monitoring or an IDS/IPS product, provide a foundation for extracting actionable intelligence out of the data collected by these systems. Making it actionable also depends on getting information from external sources, so that the actions can be focused where they will provide the most value for the company.

I am going to get a little sidetracked here by bringing up Sun Tzu. The why of it will become clear in a moment.

Some 2500 years ago Sun Tzu wrote The Art of War, in which he elaborated on the various aspects that contribute to victory in an armed conflict. One of the most quoted passages from this book is:

Know your enemy and know yourself and you can fight a hundred battles without disaster.

This brings me back to threat intelligence. If you are to be effective in your responses to threats from hackers, you absolutely MUST have complete insight into your own infrastructure. Of course you will also need to know who might have an interest in attacking you and what their goals for an attack are. Is it company data, or 'just' a blackmailing attack, like ransomware? Effective mitigation efforts are different for each of these cases.

My point with this article is that if you are to utilise threat intelligence in an effective manner, you will have to look at, and get data from, both sides of the coin: yourself and your infrastructure, as well as the motivation and goals of the attackers! You cannot design effective defences without a complete picture of your own network and the software running on it, because without that picture you will have no idea where your data is stored and who has access rights to it.

If you have no insight into what kinds of data you have, and where this data is stored, you will have significant difficulties in predicting how an attacker might go about getting access to it. Without this insight any mitigation efforts will, at best, be ineffective, and at worst no hindrance for an attacker at all.
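The "both sides of the coin" argument above, and the earlier point about combining external sources with internally collected data, can be made concrete with a small prioritisation routine. The following is an added example, not code from the article or from any product it mentions: it joins a constructed asset inventory (the "know yourself" side) with a constructed advisory feed (the "know your enemy" side) and ranks the findings by actual exposure. The advisory identifiers are placeholders, the version data is invented, and the scoring weights are an assumption chosen for the demonstration.

```python
"""Added example (not from the original article): joining external threat
intelligence with an internal asset inventory so that advisories can be
prioritised by actual exposure. All data below is constructed for the demo."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    hostname: str
    product: str
    version: str
    internet_exposed: bool
    data_classes: set = field(default_factory=set)   # e.g. {"customer-pii"}


@dataclass
class Advisory:
    advisory_id: str          # placeholder ids, not real CVE numbers
    product: str
    fixed_in: str             # first non-vulnerable version
    cvss: float
    exploited_in_wild: bool


def parse_version(v: str) -> tuple:
    """Turn '9.8.2' into (9, 8, 2) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected when the product matches and it runs a version
    older than the first fixed one."""
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.fixed_in))


def exposure_score(asset: Asset, adv: Advisory) -> float:
    """Combine external severity with internal context.

    The weighting is an assumption made for this demo: CVSS is the base,
    known exploitation and internet exposure each multiply it by 1.5, and
    every sensitive data class on the asset adds a fixed 2.0."""
    score = adv.cvss
    if adv.exploited_in_wild:
        score *= 1.5
    if asset.internet_exposed:
        score *= 1.5
    score += 2.0 * len(asset.data_classes)
    return round(score, 1)


def prioritise(assets, advisories):
    """Return (score, hostname, advisory_id) triples, highest priority first.
    Advisories matching no asset are simply absent: no exposure, no action."""
    findings = []
    for adv in advisories:
        for asset in assets:
            if is_affected(asset, adv):
                findings.append((exposure_score(asset, adv),
                                 asset.hostname, adv.advisory_id))
    return sorted(findings, reverse=True)


# Constructed inventory and feed for demonstration only.
ASSETS = [
    Asset("fw-edge-01", "Cisco ASA", "9.8.1", True, {"customer-pii"}),
    Asset("fw-lab-02", "Cisco ASA", "9.8.1", False, set()),
    Asset("fw-edge-03", "Cisco ASA", "9.8.4", True, {"customer-pii"}),
    Asset("db-hr-01", "PostgreSQL", "12.1", False, {"hr-records", "payroll"}),
]

ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "Cisco ASA", "9.8.4", 10.0, True),
    Advisory("ADV-PLACEHOLDER-2", "PostgreSQL", "12.2", 7.5, False),
    Advisory("ADV-PLACEHOLDER-3", "Apache httpd", "2.4.50", 9.8, True),
]

if __name__ == "__main__":
    for score, host, adv in prioritise(ASSETS, ADVISORIES):
        print(f"{score:5.1f}  {host:12}  {adv}")
```

Two things the output shows that neither side of the coin shows alone: the already patched edge firewall and the third advisory (a product nobody runs) generate no work at all, and the same severity-10 advisory lands at very different priorities on the internet-facing firewall holding customer data and on the isolated lab box. Without the inventory, every advisory looks equally urgent; without the feed, the inventory is just a list.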

More articles by Tom Madsen
