Enterprise scenarios for threat intelligence tools

Expert contributor Ed Tittel explains which types of organizations need threat intelligence tools as part of a proactive, layered security strategy to protect against threats.

Today's business environments are constantly evolving. As technology vendors introduce new and better products that promise greater efficiency and returns, IT managers stretch budget money to incorporate as many of these devices into the workplace as they can, often combining them with legacy equipment that's not quite ready to be retired.

Plus, the number of computing and networking devices in a typical organization has increased dramatically over the past four or five years, thanks mainly to the trend toward bring your own device and the ubiquity of wireless networking.

All of this has resulted in a heterogeneous, highly distributed IT infrastructure with an increasing number of attack surfaces.

The characteristics and volume of security threats are changing, too. Simply ensuring an organization's firewall, antimalware and similar protective measures are functioning well and are up to date doesn't always protect from today's malicious threats. Staying on top of the threat landscape is a challenge, to say the least, and can often be overwhelming for busy security (and other IT) professionals, but it's necessary to conduct business safely. That's where threat intelligence services enter the picture.

It's vital to know which threats exist and how they could affect an organization -- especially if those threats could result in confidential data or intellectual property being exposed -- or jeopardize its reputation or financial well-being.

Threat intelligence tools help to mitigate these dangers to the enterprise, which can often seem overwhelming, by helping organizations better understand the threat landscape. They do this through the gathering, analysis and filtering of raw data about known and emerging threats that are then collected into management reports and data feeds for automated security control systems.

Possible hacker attacks and threats

The most common types of threats are malware (viruses, worms, Trojan horses, rootkits, etc.); botnets; ransomware; and zero-day exploits, which target vulnerabilities for which the vendor has not yet released a patch, so that signature-based defenses have nothing to match against. All of these threats have existed for years in different forms, and they continue to be a pain point for security personnel.
Nowadays, privilege escalation, spear phishing and hacktivism are rising sharply, in addition to advanced persistent threats (APTs).

With privilege escalation, an attacker who already has a foothold -- a phished user account or a compromised web server, for example -- exploits a vulnerability such as a misconfigured system or a software bug to gain higher privileges, up to administrator or domain administrator access, on resources that the original account was never authorized to touch.

Spear phishing is a targeted email attack in which an employee receives a message that appears to come from a trusted source -- a colleague, a supplier or a familiar service -- but was actually sent by an attacker trying to harvest credentials or confidential information, or to induce a fraudulent payment.

Hacktivism is the act of breaking into a network or computer system as a way to protest some political or social situation, and typically involves website defacement, a denial-of-service attack (to prevent others from accessing a website or network) or data theft and distribution.

Often misunderstood, an APT is typically well-organized, well-funded and conducted by governmental or nongovernmental actors (an activist group or an organized crime unit, for example), and a single campaign can last for months or even years. Such attackers use advanced tooling, select specific targets in advance and maintain quiet, persistent access until they have achieved their objective, rather than grabbing what they can and leaving.

Sometimes, attackers work in concert, sharing resources, hacking tools, lists of targets and their known vulnerabilities, making these groups appear even more menacing, and definitely more efficient. It's impossible for most IT security personnel to adequately defend against such well-orchestrated threats on their own. That's why it often pays to subscribe to a threat intelligence service.

Pros and cons of threat intelligence tools

Threat intelligence tools provide analyzed, actionable threat information to help organizations defend against known or emerging threats before systems can be compromised. Some of the benefits to subscribing to threat intelligence tools include the following:

  • A threat intelligence service reduces the need to manually research, gather and analyze volumes of threat information from multiple sources from across the internet.
  • A service has staff security analysts who focus solely on intelligence. These analysts perform in-depth analysis of emerging threats, APT characteristics and zero-day vulnerabilities, and have a firm grasp on regional and global events that could affect an organization's operations.
  • A service gives an organization access to resources and expertise for a set price that can become a known, budgetable operating expense.
  • Some threat intelligence tools provide guidance to help a specific organization, or specific types of organizations, batten down the hatches and reduce risk. For example, a service could assist an organization in identifying actors who may be targeting its employees, such as spear phishing attacks conducted via email. The service might also provide mitigation and remediation services if the client organization is compromised.

Essentially, a threat intelligence service can help an organization take proactive steps to dramatically reduce vulnerabilities and related risks, and to focus on the business at hand.

However, not every organization is a good candidate for threat intelligence tools, partly because a comprehensive intelligence subscription can be costly. An organization needs to look at its overall security strategy, the value of the assets it needs to protect and the capabilities of its security staff to determine if a threat intelligence service is a good fit.

Do you need threat intelligence tools?

A low-exposure organization may be very small, relatively obscure or have a limited internet presence, or may have a website that only provides information, with little or no interactivity. Consider a small company that specializes in restoring old, collectible books that are damaged.

The company's website describes its services, and has a secure contact form, but takes orders over the phone or at a single storefront. This company probably doesn't store the type of information that attackers seek most often, doesn't draw attention for political or social reasons, and does not need to pay for threat intelligence tools.

However, maintaining a low profile doesn't protect internet-connected internal computers from viruses, random scanning attacks and other threats, so a firewall, antimalware software and occasional full-system security scans are still necessary. Remember, cybercriminals go for the low-hanging fruit whenever possible. Small businesses are often easier to compromise than larger ones, and automated scanning finds an exposed vulnerability regardless of how obscure its owner is.

Organizations that sell products or services over the internet (e-commerce), handle intellectual property (IP), are very large or well-known, have multiple tiers of suppliers, maintain an active social media presence, or engage in political or social activities that other governments or social groups consider offensive are prime targets for attack. These organizations cannot risk their customers' data or IP, which can end up traded and sold on the dark web after a breach. They are often in a regulated industry that requires stringent security processes to protect the privacy of information.

This type of organization could use threat intelligence to learn which malicious Internet Protocol addresses, URLs, domains and internet-exposed applications are being used against businesses like it, and to feed those indicators into its firewalls, web proxies and log monitoring as countermeasures or as inputs to risk mitigation. It could also use threat intelligence to understand which vulnerabilities are most often exploited in the wild, so that patching is prioritized accordingly, and to identify emerging malware that targets organizations of its type.
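To make the indicator-feed step above concrete, here is an added example (not code from the article, and not any vendor's product) that matches indicators from a feed against proxy log lines. Everything in it is constructed for illustration: the feed entries, the log format (timestamp, source IP, destination IP, method, URL, status, SHA-256 of any downloaded file) and the sample log lines. Real feeds arrive via STIX/TAXII, CSV or a vendor API rather than a Python list, but they reduce to the same indicator types. The example goes slightly beyond the paragraph by handling the normalization pitfalls that produce missed matches in practice: CIDR ranges rather than single addresses, subdomains of a flagged domain, mixed-case hostnames and hashes, and trailing slashes in URLs.

```python
"""Match threat-intelligence indicators against proxy log lines (constructed data)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed feed. Mixed case and a trailing slash are deliberate, to show that
# raw indicator values must be normalized before they are used for matching.
FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "tag": "c2-server"},
    {"type": "ipv4-cidr", "value": "198.51.100.0/24", "tag": "bulletproof-hosting"},
    {"type": "domain", "value": "Update-Check.Example", "tag": "phishing-kit"},
    {"type": "url", "value": "HTTP://cdn.example/assets/loader.php/", "tag": "malware-download"},
    {"type": "sha256", "value": "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
     "tag": "loader-binary"},
]

# Constructed proxy log lines in an assumed format:
# <timestamp> <src_ip> <dst_ip> <method> <url> <status> <sha256-or-dash>
LOGS = [
    "2017-04-03T10:15:01Z 10.0.0.12 203.0.113.45 GET http://203.0.113.45/beacon 200 -",
    "2017-04-03T10:15:07Z 10.0.0.19 198.51.100.77 POST https://198.51.100.77/upload 200 -",
    "2017-04-03T10:16:30Z 10.0.0.12 192.0.2.10 GET https://login.update-check.example/ 200 -",
    "2017-04-03T10:17:02Z 10.0.0.33 192.0.2.20 GET http://CDN.example/assets/loader.php 200 "
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2017-04-03T10:18:45Z 10.0.0.40 192.0.2.30 GET https://www.example.org/ 200 -",
    "garbage line that does not parse",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<sha256>\S+)$"
)


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def norm_domain(domain):
    """Lowercase and drop a trailing dot so 'Foo.Example.' matches 'foo.example'."""
    return domain.strip().lower().rstrip(".")


def norm_url(url):
    """Canonical form: lowercase scheme and host, no trailing slash, query kept."""
    parts = urlsplit(url.strip())
    host = norm_domain(parts.hostname or "")
    path = parts.path.rstrip("/") or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{host}{path}{query}"


def build_index(feed):
    """Turn feed entries into lookup structures keyed by normalized value."""
    idx = {"ip": {}, "cidr": [], "domain": {}, "url": {}, "sha256": {}}
    for ind in feed:
        kind, value = ind["type"], ind["value"]
        if kind == "ipv4":
            idx["ip"][str(ipaddress.ip_address(value))] = ind
        elif kind == "ipv4-cidr":
            idx["cidr"].append((ipaddress.ip_network(value, strict=False), ind))
        elif kind == "domain":
            idx["domain"][norm_domain(value)] = ind
        elif kind == "url":
            idx["url"][norm_url(value)] = ind
        elif kind == "sha256":
            idx["sha256"][value.strip().lower()] = ind
        else:
            raise ValueError(f"unsupported indicator type: {kind}")
    return idx


def match_line(line, idx):
    """Return a list of hits for one log line; unparseable lines yield no hits."""
    m = LOG_RE.match(line)
    if not m:
        return []
    f = m.groupdict()
    hits = []
    if is_ip(f["dst"]):  # exact address first, then any flagged range containing it
        dst = ipaddress.ip_address(f["dst"])
        if str(dst) in idx["ip"]:
            hits.append(("ipv4", idx["ip"][str(dst)]))
        hits.extend(("ipv4-cidr", ind) for net, ind in idx["cidr"] if dst in net)
    host = norm_domain(urlsplit(f["url"]).hostname or "")
    if host and not is_ip(host):  # match the host or any parent domain, never the bare TLD
        labels = host.split(".")
        for i in range(len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in idx["domain"]:
                hits.append(("domain", idx["domain"][parent]))
                break
    url = norm_url(f["url"])
    if url in idx["url"]:
        hits.append(("url", idx["url"][url]))
    digest = f["sha256"].lower()
    if digest != "-" and digest in idx["sha256"]:
        hits.append(("sha256", idx["sha256"][digest]))
    return [{"ts": f["ts"], "src": f["src"], "kind": kind, "indicator": ind["value"],
             "tag": ind["tag"]} for kind, ind in hits]


def scan_logs(lines, idx):
    return [hit for line in lines for hit in match_line(line, idx)]


if __name__ == "__main__":
    for hit in scan_logs(LOGS, build_index(FEED)):
        print(f"{hit['ts']} {hit['src']} -> {hit['kind']} {hit['indicator']} [{hit['tag']}]")
```

Run as-is, the script reports five hits: the exact C2 address, an address inside the flagged /24, a login subdomain of the flagged phishing domain, and both the URL and the file hash on the loader download; the benign line and the malformed line produce nothing. In production the same matching would run inside a SIEM or proxy rather than a script, and the source IP in each hit is what the analyst pivots on next.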

At the upper, more expensive end of threat intelligence, a service could work with an organization's own security operations center to respond to advanced threats and analyze its perimeter network and defenses to thwart a distributed denial-of-service attack, or to assist in the forensics of a security breach.

Choosing the best threat intelligence vendor

Small, at-risk organizations may have difficulty finding cost-effective threat intelligence tools that are comprehensive enough to achieve some return on their investment. Many moderate-exposure, and nearly all high-exposure, organizations would benefit from threat intelligence, however.

Once an organization has determined if it is a candidate for threat intelligence tools, the next order of action is to select the service that provides the best fit for its needs. 

This was last published in April 2017