
Intersection of Threat Intelligence and Risk


In an increasingly hostile global environment, cyber risk management at the level of individual organizations has never been more critical. Advisories from CISA and other agencies emphasize that international disputes and the rising profitability of cybercrime have increased the incentive for private and state-aligned actors to stage cyberattacks against organizations of all kinds. It is incumbent on organizations to make informed decisions about the security controls they will implement to address established and emerging threats. Because all organizations face budgetary constraints at some level, these decisions necessarily involve prioritization. Threat intelligence can aid in this decision-making by highlighting the threats and vulnerabilities that present higher levels of risk to an organization.

Organizations Need Threat Intelligence

Relevant and actionable threat intelligence is integral to providing an organization with a comprehensive understanding of its risk profile. Access to timely information on threats capable of exploiting an organization’s known vulnerabilities can help in effectively allocating security resources. 

Organizations that forgo investing in threat intelligence deny themselves the ability to address risk in a targeted manner. Such organizations are left to rely on industry best practices and media reports about breaches or zero-day exploits that may have little relevance to their own assets and activities. As a result, the defensive measures adopted by these organizations may be ill-suited to the scenarios they are likely to encounter.

What intelligence, then, qualifies as “relevant” or “actionable”? When asked to elaborate, network security analysts may be inclined to list types of indicators of compromise (IOCs). Security operations center analysts might look beyond IOCs to discuss tactics, techniques, and procedures (TTPs). Physical and executive protection teams are likely to focus on direct threats made by disgruntled employees toward facilities. Executives, on the other hand, may perceive intelligence more comprehensively, taking interest in any findings that help illuminate an organization’s overall exposure. Within their respective functions, each of these groups is correct.

Recognizing that the value of delivered findings will vary according to the functions of personnel within an organization, ZeroFox groups threat intelligence under three different categories: strategic, operational, and tactical.

  • Strategic Intelligence – Profiles and summary descriptions of actor groups, TTPs, general targets, trends. Generally high-level and positioned for non-technical audiences.
  • Operational Intelligence – Targeted, contextualized findings concerning specific threats, exploits, and vulnerabilities relevant to organizational assets. Typically describes motivations, profiles attackers and threat vectors, and delivers content in a contextualized, action-oriented manner. Generally includes some level of analysis or compilation of “finished” intelligence.
  • Tactical Intelligence – Immediately actionable, discrete intelligence. Can easily be actioned through blocklisting, account suspension, access control revocation, etc. (Examples include IOCs and compromised credentials).

Threat Intelligence Can Help in Assessing Risk 

How do organizations know when received threat intelligence points to actual risk? Risk is present when threats, assets, and vulnerabilities converge and indicate potential for financial loss.

Assets

In the context of cyber risk, an asset is anything owned by an organization that, if compromised, could result in loss. Organizations must fully account for their assets before they can protect them. This is often accomplished through an inventory of hardware, software, and data. This comprehensive awareness of an organization’s assets is prerequisite to understanding where vulnerabilities lie.

Vulnerabilities

Automated vulnerability scans are a common means of determining which of an organization’s assets are vulnerable to compromise. Though scanning is an essential component of network security, most organizations limit themselves to the results of these scans, identifying whether a vulnerability exists and then prioritizing security patching based on the Common Vulnerability Scoring System (CVSS) score alone. Such an approach is insufficient if it discounts considerations such as the attractiveness of assets to cybercriminals, the potential impact of compromise to those assets, and the existing controls that prevent such compromise.

Threats

Threats materialize when intent, capability, and opportunity intersect. An asset that is of potential value to a malicious actor with the skill to compromise it is inherently threatened, and more so if insufficiently secured.

Risk

In assessing risk, an organization considers the ways in which assets, associated vulnerabilities, and threats might converge, then projects the loss potentially incurred by taking or failing to take a specific course of action. An organization considering use of a third-party data visualization service hosted in a cloud environment may, for example, seek intelligence on threatening activities directed toward that provider. If intelligence shows that hijacked accounts provided by the potential vendor are offered in large numbers on the dark web, this would indicate that the potential vendor is highly targeted by threat actors. The organization may then examine its internal security practices and realize that identity and access management (IAM) remains at an immature phase, failing to incorporate secure frameworks such as least privilege or Zero Trust. The organization might then conclude that a threat actor who illicitly obtained access to an account provided by the prospective vendor could move laterally within the organization’s network and obtain access to other assets, including highly sensitive data. The organization would then need to determine whether it is more financially feasible to upgrade its IAM architecture or forgo the third-party service.

Mitigate Cyber Risk With Actionable Threat Intelligence

Reducing cyber risk requires complete, accurate, relevant, and timely threat intelligence. To be actionable, intelligence must be delivered in an assimilable form. Intelligence data feeds often contain timely information, but may not be actionable due to the volume and unstructured nature of the data. The remedial purpose of the threat intelligence is defeated if the format is overwhelming to the recipient.

Threat intelligence enables informed decisions concerning prioritized security patching, configuration hardening, access logging, and other procedures that address identified vulnerabilities. Security teams can tune other security controls, like firewalls and endpoint detection and response (EDR), to prevent external actors from exploiting those vulnerabilities. Such measures reduce the likelihood of loss-inducing harm to an organization, lowering its assumed risk. Rather than treating vulnerabilities as an IT operations problem, an intelligence-driven, risk-focused vulnerability management program has significantly better outcomes.
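To make the convergence of assets, vulnerabilities, and threats concrete, here is an added example (not ZeroFox's scoring model or code) that ranks scanner findings by CVSS alone and then by a risk score that also weighs asset value, tactical and operational intelligence, and compensating controls. The weights, field names, and sample findings are assumptions constructed for illustration.

```python
"""Intelligence-driven patch prioritization versus CVSS-only prioritization.

Added example; the weighting below is an assumption, not ZeroFox's model.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    cve: str                 # constructed placeholder identifiers, not real CVEs
    cvss: float              # CVSS base score (0-10) reported by the scanner
    asset_value: int         # 1 (low) .. 5 (crown jewels), from the asset inventory
    exploited_in_wild: bool  # tactical intel: exploitation of this flaw observed
    targeted_sector: bool    # operational intel: actors showing interest in us/vendor
    controls: float          # 0.0 (none) .. 1.0 (fully covered by compensating controls)


def threat_factor(f: Finding) -> float:
    """Intent + capability + opportunity: intel raises the likelihood term."""
    factor = 1.0
    if f.exploited_in_wild:
        factor += 1.0
    if f.targeted_sector:
        factor += 0.5
    return factor


def risk_score(f: Finding) -> float:
    """Risk = likelihood x impact, scaled to a 0-37.5 range for these weights."""
    likelihood = (f.cvss / 10.0) * threat_factor(f) * (1.0 - f.controls)
    impact = f.asset_value / 5.0
    return likelihood * impact * 10


def cvss_only(findings):
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def prioritize(findings):
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings: a critical CVSS on a well-controlled, low-value
# share; a high CVSS on the vendor SSO gateway that intel says is being hit;
# a high CVSS on an unprotected but low-value wiki.
SAMPLE = [
    Finding("hr-fileshare", "CVE-PLACEHOLDER-1", 9.8, 2, False, False, 0.8),
    Finding("vendor-dashboard-sso", "CVE-PLACEHOLDER-2", 7.5, 5, True, True, 0.1),
    Finding("dev-wiki", "CVE-PLACEHOLDER-3", 8.1, 1, False, False, 0.0),
]

if __name__ == "__main__":
    print("CVSS order:", [f.asset for f in cvss_only(SAMPLE)])
    print("Risk order:", [(f.asset, round(risk_score(f), 2)) for f in prioritize(SAMPLE)])
```

With these inputs the CVSS-only list patches the file share first, while the risk-ranked list puts the actively targeted SSO gateway first and the file share last.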

The effectiveness of intelligence incorporated into an organization’s security practices can be measured by the number of subsequent exploit attempts. A reduction in confirmed intrusions and data breaches should follow, lowering the organization’s overall cyber risk. 

Choosing The Right Threat Intelligence and Digital Risk Protection Solution

Threat intelligence helps organizations navigate the ever-changing threat landscape and make informed, timely decisions. ZeroFox produces full-spectrum intelligence that can be tailored to your specific organization. We were thrilled to expand our threat intelligence capabilities in April 2022 with the general availability of a comprehensive set of intelligence feeds.

ZeroFox combines all facets of threat research – raw data, curated information from world-class analysts and finished intelligence – to provide insight that prevents and speeds response to emerging attacks. With global intelligence collection across external data sources, a rich history in digital risk protection, and a multi-lingual team of experienced research analysts exclusively focused on the Dark Web, ZeroFox delivers intelligence value and an unrivaled understanding of the threat landscape. This external intelligence enriches threat correlation with other sources for more accurate prioritization and automation of mitigation. A team armed with such information is empowered to measurably reduce the risk carried by an organization.
