In the world of cyber attacks, 2015 has been filled with the big (Office of Personnel Management), the bad (Ashley Madison) and the ugly (Delta’s Facebook). With this alarming increase in targeted attacks, there has never been a more pressing time for reliable cyber threat intelligence. Security and risk experts want as much information as possible about how threat actors are targeting their industry, enterprise and employees.
“Threat information” is often associated with raw threat data generally delivered in a feed via API. This type of information has quickly been commoditized and is being supplanted by more valuable and contextualized intelligence offerings defined by a new market term, “cyber threat intelligence” or CTI.
Cyber threat intelligence does two things. First, it gives security teams real-time, battlefield-level data that provides context/situational awareness and enables defensive actions against active or imminent attacks. Second, it provides a global perspective on adversary tactics, techniques and targets for longer term strategic defense planning.
Forrester, an independent technology and market research company, recently conducted the first assessment of the vendor landscape for CTI. It grouped cyber threat intelligence providers into three distinct levels of service: tactical, operational and strategic.
Forrester defines tactical cyber threat intelligence as focused on the present and future. As reported by INSA (Intelligence and National Security Alliance), the “tactical level of the cyber domain is where the on-the-network actions take place. This is where malicious actors and network defenders maneuver against each other.” In its simplest form, tactical CTI uses threat indicators to proactively hunt and defend against malicious actors.
According to Forrester, operational cyber threat intelligence is focused on how malicious actors plan, target and carry out attacks. Operational cyber threat intelligence is primarily concerned with the near term, meaning it provides advisories on malicious actors and TTPs.
Strategic intelligence consists of high-level analysis of major trends and themes in adversary tactics and goals. This type of intelligence is critical for security executives to make informed business decisions. INSA says that “[strategic] intelligence must be included in the calculus so that strategic-level decision-makers can understand the threats that may inhibit or prevent obtaining their strategic objectives.” Security and risk professionals can use strategic cyber threat intelligence to help them decide on cyber security investments.
Forrester’s Vendor Landscape highlights the top 20 global CTI providers, giving security leaders a clear understanding of this emerging field and who is defining it. Many experts hope that cyber threat intelligence can be integrated in a way that helps provide a more holistic approach to complete protection and defense-in-depth security practices.
ZeroFOX has uniquely positioned itself as the only security vendor in the cyber threat intelligence space to focus on the largest growing area of concern for security experts: social media. ZeroFOX provides visibility into phishing and malware attacks, malicious profiles, scams and other cyber threats across social networks. ZeroFOX’s intelligence includes URL, IP, DNS and malware capabilities, supercharging enforcement technologies and providing insights into social media threats. Along with this protection, ZeroFOX also helps to monitor an organization’s public-facing accounts for misuse or compromise.
As threat intelligence continues to increase in quality, coverage and value to the security team, organizations will increasingly adopt it as a fundamental security practice. Unfortunately, security teams are only beginning to look for intelligence in the right places. Social media has now become the #1 way to breach an organization’s network, and security teams are beginning to turn their sights on dynamic and hard-to-process social network data. This source of intelligence is so fruitful and robust it has gotten its own acronym: SOCMINT. The question now for any acronym-happy security practitioner: does your CTI program include SOCMINT?