The value of cyber threat intelligence

Posted by lipsius at 2020-04-10

An article by FireEye

(1) Summary

IT security managers know that cyber threat intelligence is an important weapon for detecting and preventing advanced attacks by well-funded attackers. This article helps executives distinguish clearly between threat data feeds and real cyber threat intelligence.

In general, cyber threat intelligence is more useful because it provides:

• better detection of threats.

• faster response to targeted attacks.

• better communication with management.

• improved strategic planning and investment for the organization.

(2) Distinguishing between attack indicators and intelligence

Not all companies define cyber threat intelligence the same way. There is a spectrum of threat indicators, from signature and reputation feeds, to threat data feeds, to cyber threat intelligence (Table 1). Each has a different definition and offers its own business value.

Table 1. Scope of threat indicators and intelligence

Signature and reputation feeds
  Provides: threat indicators
  Value: improved effectiveness of blocking technologies
  Limitations: more alerts

Threat data feeds
  Provides: continuously updated threat data; "attack anatomy" information
  Value: identification of attack-related patterns
  Limitations: passive data collection; lagging, generic analysis

Cyber Threat Intelligence
  Provides: forward-looking analysis of threat actors and attack methods, customized to customer requirements
  Value: improved ability to detect threats; faster response to targeted attacks; clear communication with management; planning and risk management
  Limitations: none listed

1. Signature and reputation feeds

Signature and reputation feeds typically provide malware signatures (file hashes), URL reputation data and indicators of compromise, sometimes with basic statistics (such as "today's top 10 malware threats"). This data can come from non-profit and industry organizations, as well as from the security devices on the customer's site and from sensors distributed across the network.

The main value of signature and reputation feeds is to improve the effectiveness of NGFWs, IPSs, SWGs, anti-malware, anti-spam and other blocking technologies. Up-to-date security data helps these technologies identify and block malware and network traffic from sites known to be controlled or compromised by attackers. A second value is providing raw data to a SIEM to help detect known threats.

Although signature and reputation feeds are one part of a traditional defense-in-depth strategy, they have obvious limitations:

• They help prevent many attacks, but not targeted attacks that have no signature, nor malware that is polymorphic, encrypted, bundled into downloaded apps or otherwise disguised (Symantec recently estimated that anti-virus products now detect only 45% of attacks).

• They provide data on individual threat indicators, but not the information an organization needs to correlate those indicators into a real attack and decide what action to take.

• They lead to more warnings and alerts from NGFW, IPS, SWG, anti-malware and SIEM systems, leaving SOC and incident response (IR) teams unable to evaluate and confirm the important alerts among a large amount of noise.

2. Threat data feeds

Today most information security vendors offer a "threat lab" or "intelligence network", usually a group of researchers who monitor threat data from the vendor's devices and sensors and provide basic human analysis. This analysis usually covers statistics on the prevalence, sources and targets of malware and attacks. Lab staff may also publish "anatomy of an attack" discussions documenting the actions taken by specific malware or by advanced multi-stage attacks.

Threat data feeds are useful to SOC and IR teams because they help identify attack-related patterns rather than individual attack indicators. This information also offers advice on how to repair compromised systems.

But most threat lab analysis is limited:

• Data collection tends to be passive and often reflects the geographic and industry profile of the vendor's customer base. For example: "What do we see on our firewalls and network sensors?"

• The analysis lags. For example: "These are the cyber attacks we observed in the past six months."

• It lacks the intelligence needed to identify when attackers are preparing to attack, or what new tactics and techniques they will use.

• It lacks the intelligence needed to identify successful but undetected attacks. Example: credit card numbers or customer information associated with the enterprise are found on an underground hacker site.

• The analysis is generic, conducted across the vendor's entire customer base or across broad industry groups such as finance, healthcare and manufacturing.

A threat lab or intelligence network is a good way to differentiate one NGFW or SWG from another, especially since passively collected data is essentially free for the vendor. But real threat intelligence requires vendors to invest in analysts and expertise, including manual and active data collection, advanced technology, forward-looking analysis and customization to customer needs.

3. Cyber Threat Intelligence

True cyber threat intelligence (CTI) usually includes signature and reputation feeds and threat data feeds, but is not limited to them. CTI includes human and technical information collected worldwide.

It gathers data from related industries and network sensors, and continuously monitors hacker groups and underground sites where cyber criminals and hackers share ideas, techniques, tools and infrastructure. Data must be collected systematically based on where the threats and targets are, not where the vendor's offices or customers are. It also needs staff with the language skills and cultural background to understand the motives and relationships of Chinese, Russian, Eastern European and other hackers.

CTI is adversary-focused and forward-looking, providing rich data on attackers and their tactics, techniques and procedures (TTPs). It requires a comprehensive understanding of the characteristics and motivations of emerging attackers, of the business developments that expand the attack surface (attack opportunities), and of the vulnerabilities of new technologies and business practices (mobile devices, virtualization, cloud and SaaS solutions). This may include, for example, identifying the motives and objectives of new cyber criminals, the vulnerabilities, domains, malware and social engineering methods they use, the structure and evolution of their campaigns, and the techniques they may use to evade current security technology.

CTI is customized for each customer. It collects each customer's situational data and intelligence requirements and provides analysis of the industry, the technology and the organization's specific circumstances. High-quality CTI providers give customers direct access to analysts so they can gain insight into the intelligence. They also allow customers to submit malware samples for analysis. Customized information gives companies the additional context to prioritize and make the best decisions based on their specific needs and risk profile rather than broad industry averages.

(3) The value of threat intelligence

Cyber threat intelligence usually costs more than a threat data feed. But it does more. It makes businesses proactive and ready for tomorrow's attackers and threats rather than responding to yesterday's news. Its advantages include not only improved threat visibility but also faster response to targeted attacks, better communication with management, and improved strategic planning and investment.

1. Better understanding of threats

Cyber threat intelligence uses researchers from around the world who speak the local language, understand the local culture, and know the slang and colloquial usage. They aim to discover new threats and threat actors (cyber criminal groups, hacker groups and state-sponsored actors) and the new campaigns, TTPs, malware variants and social engineering techniques they are using or developing, by engaging with attackers around the world. So this type of intelligence:

• Makes security staff aware of new indicators of compromise (IOCs) and other clues that help prevent and detect more attacks.

• Enables IT managers, security analysts and others to understand which applications, systems and user groups are most likely to be attacked, and how, so that security staff can focus on protecting high-risk targets from actual threats.

It is difficult to estimate the probability that a particular technology will prevent a data breach. However, a recent Ponemon Institute study calculated an average cost of $7.2 million per cyber crime, ranging from an average of $3 million for the smallest companies surveyed to a maximum of $13.8 million. Another study put the cost of each lost or stolen record containing sensitive or confidential information at $145.

2. Faster response to targeted attacks

Enterprise NGFW, IPS, SIEM systems and other security tools typically generate thousands of alerts and notifications per day. Most are unimportant. Some may represent real threats, but only for specific industries (finance, retail, government, healthcare), specific applications (SAP, WordPress) or specific devices (POS or SCADA systems).

Most SOC and IR teams lack the time and expertise to triage all of these alerts. As a result, it usually takes weeks or months to detect an attacker who has successfully penetrated the network. According to one study, almost 100% of attacks exfiltrate data within days of the initial intrusion, while only 16% are detected within the same timeframe. CTI services improve the operational efficiency of SOC and IR teams by providing detailed information about the threats most likely to affect the company. This lets the team focus on a small number of alerts and deal with real threats. Threat analysis from CTI services lets SIEM tools automatically raise the priority of meaningful alerts. It also provides attack-related information that enables team members to recognize patterns of attack activity.

CTI services help organizations make use of the information from signature and reputation feeds and threat data feeds. SOC and IR teams can focus on the data and threat reports most relevant to their situation.

In fact, some CTI services provide their own threat data feeds. The best CTI providers link threat data to adversaries, attacks, targets and other information that makes the intelligence operational. This rich contextual information can be delivered to SIEM systems and other security products through an API. Such integration lets SIEM systems correlate events generated by network security tools with the attack indicators provided by the CTI service. SIEM systems can also use the intelligence from CTI services to raise the priority of alerts associated with threats to the company's industry, geographic location and major software applications.

Vulnerability remediation is another area where CTI helps organizations respond more quickly to immediate threats. Many enterprises prioritize their patching by generic severity ratings. If an organization receives rich information about vulnerabilities, such as how they work, how they are exploited, and whether exploit tools are currently available or under development, it can prioritize more effectively. It can also find out whether specific vulnerabilities are actually being exploited against competitors in its own industry. Better prioritization means less time wasted on "critical" vulnerabilities that actually pose little risk.
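As an added example (not code from the FireEye article), the following Python sketch shows the two ideas from the preceding paragraphs: enriching a raw SIEM alert with the actor and targeting context behind an indicator so its priority reflects the organization's own profile, and ranking vulnerability fixes by exploit availability and observed targeting rather than by the severity rating alone. The organization profile, actor names, IP addresses and vulnerability records are all constructed sample data.

```python
# Added example (not FireEye's code): contextual prioritization of SIEM alerts and
# vulnerability fixes. All profile, indicator and vulnerability data is constructed.

# Constructed organization profile: industry, region and key applications.
ORG_PROFILE = {"industry": "finance", "region": "US", "apps": {"SAP", "WordPress"}}

# Constructed CTI entries: a bare indicator (IP) plus the context that makes it
# operational (actor, targeted industries and regions, campaign).
CTI_INDICATORS = {
    "198.51.100.23": {"actor": "hypothetical-group-A", "industries": {"finance", "retail"},
                      "regions": {"US"}, "campaign": "card-data theft"},
    "203.0.113.9": {"actor": "hypothetical-group-B", "industries": {"manufacturing"},
                    "regions": {"EU"}, "campaign": "trade-secret theft"},
}

def enrich_alert(alert: dict) -> dict:
    """Attach CTI context to a raw SIEM alert and set its priority:
    low = no indicator hit, medium = hit but the actor targets others,
    high = hit and the actor is known to target our industry or region."""
    ctx = CTI_INDICATORS.get(alert.get("dst_ip")) or CTI_INDICATORS.get(alert.get("src_ip"))
    enriched = dict(alert, priority="low", context=ctx)
    if ctx is None:
        return enriched
    enriched["priority"] = "medium"
    if ORG_PROFILE["industry"] in ctx["industries"] or ORG_PROFILE["region"] in ctx["regions"]:
        enriched["priority"] = "high"
    return enriched

# Constructed vulnerability records. "rating" alone is the generic severity
# label the article says most enterprises patch by.
VULNS = [
    {"id": "VULN-SAMPLE-1", "rating": 9.8, "app": "SAP", "exploit": "available", "seen_in": {"finance"}},
    {"id": "VULN-SAMPLE-2", "rating": 9.9, "app": "Jenkins", "exploit": "none", "seen_in": set()},
    {"id": "VULN-SAMPLE-3", "rating": 7.5, "app": "WordPress", "exploit": "in development", "seen_in": {"retail"}},
]

def vuln_priority(vuln: dict) -> float:
    """Severity rating adjusted by exploit status, whether we run the affected
    application, and whether the flaw is being exploited in our industry."""
    score = vuln["rating"]
    score += {"available": 3.0, "in development": 1.5}.get(vuln["exploit"], 0.0)
    score += 2.0 if vuln["app"] in ORG_PROFILE["apps"] else 0.0
    score += 2.0 if ORG_PROFILE["industry"] in vuln["seen_in"] else 0.0
    return score

def prioritize_vulns(vulns: list) -> list:
    """Highest contextual priority first (rating alone would put VULN-SAMPLE-2 first)."""
    return sorted(vulns, key=vuln_priority, reverse=True)
```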

Helping set alert levels. CTI services improve the efficiency of security and incident responders and let them respond more quickly to the most serious attacks. Faster response can yield large savings. One study found that cyber attacks cost an average of $20,758 per day. At that rate, helping the IR team discover a threat a week earlier saves more than $145,000.

3. Better communication with management

CISOs often face serious challenges in communicating information security issues to business managers, senior management and the board of directors. This makes it very difficult to obtain support and funding even for real security threats. For example, a CFO is unlikely to increase the budget after hearing "last week we evaluated 1,000 alerts and blocked 200 pieces of malware, but the frequency of 0-day attacks is increasing."

The information CTI provides can turn cyber threats into business risks that non-technical managers understand. A CFO or division general manager will grasp "last week we foiled an attempt by an Eastern European hacker group to attack our website and damage our corporate brand", or "companies in our industry are facing a wave of attacks sponsored by Asian states, targeting engineering and trade secrets."

4. Improved strategic planning and investment

CTI services provide specific evidence and informed analysis about emerging adversaries and new threats. This can guide enterprise planning and investment decisions that improve the security posture and reduce unnecessary risk and spending.

For example, intelligence about new types of malware or DDoS attacks can guide investment in the right technologies to stop those new threats. Intelligence about new adversaries and their targets can help organizations allocate resources effectively to protect the targeted information assets, monitor the targeted users or scan specific web traffic. Intelligence on new multi-stage attack techniques can help incident response teams focus on tools and methods for correlating different events to expose advanced persistent threats (APTs).

Intelligence can also show that some threats are irrelevant to a particular industry or type of company, keeping companies from investing scarce resources in the wrong place.

By improving strategic planning and investment so that the security team is more effective and efficient, CTI services raise the team's productivity. The positive impact can be equivalent to an increase in the IT security budget.

(4) Summary

Almost every information security vendor offers some form of threat intelligence. While each form is valuable, recognize the limitations of each product.

Signature and reputation feeds make blocking technologies more efficient, but they do not provide enough information to identify advanced attacks. At the same time, they cause security devices to generate more alerts and false positives, which wear down the SOC and IR teams that must handle them.

Threat data feeds help SOC and IR teams understand the "anatomy" of advanced attacks, but this information is usually historical and generic.

Real cyber threat intelligence includes active monitoring of underground forums by staff with varied language and cultural skills. It provides forward-looking analysis and strong, highly contextual information (on the threats, actors and methods that pose risk to companies in specific industries at specific times). True CTI integrates multiple technical and human data sources into intelligence that can guide action at the strategic, operational and technical risk management levels.

Cyber threat intelligence services:

• discover new advanced attacks that could lead to data breaches costing millions of dollars.

• help organizations respond faster to real threats and reduce the risk of serious attacks by helping security teams filter out the vast majority of alerts and focus on real attacks.

• help IT managers communicate real security risks and business issues to non-technical business managers and senior management.

• allow managers to plan risk management strategies and security investments based on current and emerging adversaries and threat types.