We live in a time of unprecedented risks, pursued by cybercriminals who design sophisticated attacks engineered to evade the most common defenses. Modern security teams need access to real-time information for awareness and insights that can be quickly actioned. However, the threat intelligence space is crowded, and there is more data than ever with fewer resources to make sense of it. Having the right threat intelligence tools in place to not only understand your risk profile but also prioritize and action threats is critical. In this post, we’ll provide a brief summary of the types of threat intelligence security teams need to mitigate those threats, as well as key takeaways for threat intelligence teams looking to proactively implement solutions in each of these areas.
Because the threat intelligence space spans a broad spectrum of focus areas, it’s important that security teams first establish their own intelligence requirements. Requests for information (RFIs) give analysts guidance on where to focus threat hunting efforts based on your organization’s specific areas of concern. While some areas may be of greater concern to your security team than others, investing in brand, dark web, supply chain and geopolitical intelligence is an excellent first step in establishing a strong threat intelligence program.
Tool #1: Brand Threat Intelligence
The Forrester Wave: External Threat Intelligence Services, Q1 2021 advocates Brand Threat Intelligence as the tool that everyone needs because ‘regardless of enterprise size, every organization has a brand and customers to protect.’ Many of today’s cyber incidents occur outside an organization’s traditional security perimeter. The ability to identify, analyze and disrupt external threats outside the perimeter on public platforms such as social media, surface and deep web, paste sites, mobile apps and more is necessary to reduce risks and mitigate impact to organizations. Brand intelligence primarily entails detecting impersonation of organizational or individual social media accounts. It also covers spoofed domains, which are often the foundation for phishing attacks, fraud and scams. Quick identification and removal of these fakes allows an organization to react before too much damage can be done.
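To make the spoofed-domain point concrete, here is an added example (written for this post; it is not ZeroFox’s code or anything from the original article) of how a defender can screen a feed of newly seen domains against a protected brand. The brand domain example.com, the confusable tables and the observed-domain list are all constructed for illustration, and the suffix handling is deliberately naive: the last label is treated as the whole TLD.

```python
import unicodedata

# Hypothetical brand domain to protect (an assumption for this example).
BRAND_DOMAIN = "example.com"

# Small, illustrative confusable tables: character pairs that render alike in
# many fonts, plus a few Cyrillic letters that look like Latin ones. A real
# deployment would use a full confusables list (e.g. Unicode TR39 data).
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}
CHAR_CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

# Constructed sample feed, as a newly-registered-domain or certificate
# transparency monitor might emit it. None of these are real observations.
OBSERVED_DOMAINS = [
    "example.com",          # the brand itself, must not be flagged
    "www.exarnple.com",     # 'rn' renders like 'm'
    "examp1e.com",          # digit 1 in place of letter l
    "example-login.com",    # brand name plus a lure word (combosquat)
    "examplesupport.net",   # combosquat on another TLD
    "exmaple.com",          # transposed letters (typosquat)
    "ex\u0430mple.com",     # Cyrillic 'a' (U+0430) in place of Latin 'a'
    "unrelated-site.org",   # benign, must not be flagged
]


def normalize_domain(domain: str) -> str:
    """Lowercase, apply Unicode NFKC, and drop a leading 'www.'."""
    d = unicodedata.normalize("NFKC", domain.strip().lower())
    return d[4:] if d.startswith("www.") else d


def label_of(domain: str) -> str:
    """Return the name left of the suffix. Simplification: the last label is
    treated as the whole suffix, so .co.uk-style suffixes are not handled."""
    return domain.rsplit(".", 1)[0]


def fold_confusables(label: str) -> str:
    """Collapse look-alike sequences and characters into a canonical skeleton.
    This is intentionally aggressive ('corner' folds to 'comer'); it is a
    screening step, not a verdict."""
    for seq, repl in MULTI_CONFUSABLES.items():
        label = label.replace(seq, repl)
    return "".join(CHAR_CONFUSABLES.get(ch, ch) for ch in label)


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str = BRAND_DOMAIN, max_distance: int = 2):
    """Return a reason string if `domain` looks like `brand`, else None."""
    norm = normalize_domain(domain)
    if norm == brand:
        return None
    brand_label = label_of(brand)
    label = label_of(norm)
    skeleton = fold_confusables(label)
    if skeleton == brand_label:
        if label == brand_label:
            return "same name on a different TLD"
        return "confusable characters (renders like the brand name)"
    if brand_label in skeleton:
        return "brand name embedded in a longer name (combosquat)"
    distance = levenshtein(skeleton, brand_label)
    if distance <= max_distance:
        return f"typosquat (edit distance {distance})"
    return None


def find_lookalikes(domains, brand: str = BRAND_DOMAIN):
    """Screen a list of domains; return (normalized_domain, reason) pairs."""
    hits = []
    for domain in domains:
        reason = classify(domain, brand)
        if reason:
            hits.append((normalize_domain(domain), reason))
    return hits


if __name__ == "__main__":
    for domain, reason in find_lookalikes(OBSERVED_DOMAINS):
        print(f"{domain:<22} {reason}")
```

Each hit carries the reason it was flagged, which is what an analyst needs when deciding whether a domain is worth a takedown request or just a watch-list entry; the edit-distance threshold and the confusable tables are the knobs to tune against your own false-positive rate.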
Tool #2: Dark Web Threat Intelligence
Deep and dark web threat intelligence can provide early warning to breaches and attack plans. Continuous monitoring of underground criminal forums, and other covert communication channels bad actors utilize, may reveal chatter that mentions your brand, people, infrastructure vulnerabilities or even intellectual property. Stolen credentials or credit card numbers may be marketed and sold, putting both you and your customers at risk. Awareness of this provides actionable intelligence that can allow security teams to take preemptive measures such as disabling account access, resetting passwords, and hardening defenses to avoid more severe consequences. If data leakage or theft has occurred, there may be an opportunity to re-acquire assets before their full disclosure – heading off more severe reputational damages. Visibility into these dark channels requires a presence that many organizations lack.
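As an added illustration of turning a dark web credential finding into the preemptive measures described above (example code written for this post, not ZeroFox’s product or the original article): the constructed combolist lines and the hypothetical user directory below are not real data, and the directory stands in for whatever identity store your team would actually query. The triage separates an exposed password that is still the user’s current one (disable sign-in and force a reset) from a stale one (notify and check for reuse) and from an address with no active account.

```python
import hashlib
import hmac
import os
import re

# Hypothetical organization domain (an assumption for this example).
ORG_DOMAIN = "example.com"
PBKDF2_ROUNDS = 100_000


def make_record(password: str) -> dict:
    """Store a password the way a directory would: salted PBKDF2 hash only."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def password_matches(record: dict, candidate: str) -> bool:
    """Check a leaked candidate against the stored hash in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


# Hypothetical identity store with three active accounts; constructed for this example.
DIRECTORY = {
    "alice@example.com": make_record("Winter2021!"),    # same password as in the dump
    "bob@example.com": make_record("a-different-one"),  # dump holds an old password
    "dave@example.com": make_record("correct-horse"),   # same password as in the dump
}

# Constructed combolist excerpt, including the noise real dumps contain:
# mixed separators, mixed case, duplicates, other organizations, junk lines.
DUMP_LINES = [
    "alice@example.com:Winter2021!",
    "BOB@Example.com;a-much-older-one",
    "alice@example.com:Winter2021!",          # duplicate
    "carol@other-company.net:letmein",        # not our domain
    "dave@example.com:correct-horse",
    "this line has no separator at all",      # junk
    "erin@example.com:",                      # empty password
    "frank@example.com|qwerty",               # no such active account
]

SEPARATOR = re.compile(r"[:;|]")


def parse_dump(lines):
    """Extract unique (email, password) pairs; tolerate common dump formats."""
    seen, pairs = set(), []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        parts = SEPARATOR.split(line, maxsplit=1)  # passwords may contain ':'
        if len(parts) != 2:
            continue
        email, password = parts[0].strip().lower(), parts[1]
        if "@" not in email or not password:
            continue
        if (email, password) in seen:
            continue
        seen.add((email, password))
        pairs.append((email, password))
    return pairs


def triage(pairs, directory=DIRECTORY, org_domain=ORG_DOMAIN):
    """Map each exposure affecting our domain to a severity and an action."""
    findings = []
    for email, password in pairs:
        if not email.endswith("@" + org_domain):
            continue  # someone else's exposure; out of scope here
        record = directory.get(email)
        if record is None:
            findings.append((email, "INFO",
                             "no active account; check aliases and former staff"))
        elif password_matches(record, password):
            findings.append((email, "CRITICAL",
                             "exposed password is current: disable sign-in and force a reset"))
        else:
            findings.append((email, "WARN",
                             "stale password exposed: notify the user and check for reuse elsewhere"))
    return findings


if __name__ == "__main__":
    for email, severity, action in triage(parse_dump(DUMP_LINES)):
        print(f"[{severity:<8}] {email}: {action}")
```

The important design choice is that the leaked plaintext is only ever compared against the directory’s salted hashes, never stored, so the triage step does not itself become a second copy of the dump; in practice the CRITICAL findings would feed an automated disable-and-reset workflow while the WARN and INFO rows go to an analyst queue.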
Tool #3: Supply Chain and Third-Party Intelligence
Supply chain partners are often an avenue for an attack, as threat actors can typically find ways to penetrate them more easily. One only has to look at recent newsworthy examples such as the SolarWinds Orion malware intrusion that impacted thousands of their customers or the Colonial Pipeline ransomware attack, which shut down fuel delivery to the eastern US seaboard. Assessing the cyber risk of supply chains is a prudent step before interconnecting IT systems. While supply chain attacks will likely remain a popular tactic, and ransomware attacks are on the rise, there are steps to take to minimize your risks. Before partnering, and periodically thereafter, conduct an assessment of the supplier’s posture focused on cyber, reputational and regulatory vulnerabilities and threats. Gather intelligence on any evidence of system compromise, dark web chatter, disclosures of sensitive data, and social media and brand hygiene, and pair it with continuous vulnerability assessment of the supplier’s externally exposed systems, since misconfigurations contribute heavily to successful breaches.
Tool #4: Geopolitical Threat Intelligence
Intelligence reports focused on global or industry-specific cyber threat trends, or geopolitical issues of strategic importance, can inform executive decision-making regarding operations, staffing, travel, sales and channel approach, and more. Understanding the threat landscape your organization faces at a national, regional, local and industry level can help mitigate the risks of doing business. Security intelligence regarding physical, cyber and geopolitical risks provides a perspective to aid investment choices and security preparedness, and fully informs strategy execution. While not all geopolitical risks can be avoided or even anticipated, managing them can allow for compensating controls and risk-reduction alternatives. Receiving summarized and curated strategic intelligence of relevance to you can be a godsend for security professionals who are often too busy to thoroughly analyze the plethora of intelligence data they receive.
A discussion on intelligence tools wouldn’t be complete without mentioning the analysis, correlation and automation advancements of recent years, such as TIPs, SIEMs and SOARs. However, these pale in comparison to the importance of quality, timely and contextually relevant information that selecting suitable intelligence sources and providers can help you achieve. The adage “garbage in, garbage out” still applies. Further, access to more data requires more time for analysis of that data. Actionable data will be critical for timely response to actually disrupt adversaries, not just make yourself aware of them. Make sure your security team has the right intelligence tools at their disposal. Learn more about ZeroFox’s threat intelligence solutions here.