Why do I Need Threat Intelligence?

What is Threat Intelligence? As you may imagine, there are a number of popular definitions.According to Gartner – Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard. According to SANS – It is a set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities and compromise indicators.

Simply put, it is knowledge that helps you to identify security threats and make informed decisions about how to defend against them. It can help you answer important questions such as – how do I keep up to date on the overwhelming number of information security threats, how can I be proactive about future security threats and, how can I inform my leaders about the dangers and consequences of specific security threats?

Threats can come from internal as well as external sources so companies are under tremendous pressure to manage threats. Though there is a plethora of raw data available, it can be extremely hard and time-consuming to get meaningful information to help us decide which proactive security control measures should be set. Good threat intelligence should provide actionable information to help streamline the decision process.

Below are several common incident indicators that can be identified with threat intelligence:

Indicators of Compromise Examples
Network
  • IP addresses
  • URLs
  • Domain names
Malware infections communicating with known bad actors

 

Email
  • Sender’s email address and email subject
  • Attachments
  • Links
Phishing attacks that “phone home” to a malicious command and control server

 

Host-Based
  • Filenames and file hashes (e.g. MD5)
  • Registry keys
  • Dynamic link libraries (DLLs)
Attacks from external hosts that might be infected or are already known for nefarious activity

 

Attacks are typically categorised as user-based, application-based and infrastructure-based threats. Some of the most common threats are phishing, SQL injection, DDoS, and Web Application attacks. You should have an IT security solution that provides threat intelligence capabilities to manage these attacks by being both proactive and responsive.

Because attackers are constantly changing their methods to outwit security systems, it becomes vitally important to get threat intelligence from a variety of sources. One of the proven methods to stay on top of attacks is to detect and respond to threats with a Security Information & Event Management system, usually referred to as SIEM.

A SIEM solution can be used to track everything that happens in your environment and apply event correlation and threat intelligence, so you can see what is actually happening. This facilitates the identification of anomalous activities. Isolated incidents might look unalarming but, when corelated with other related events and threat intelligence from other systems, can be seen to be part of a larger problem.

These days, IT security professionals operate under the ‘assumed breach mentality’. This prioritises the detection of on-going attacks. Comparing monitored traffic against known bad actors sourced from threat intelligence helps in identifying breaches and malicious activities. Doing this manually would be very time-consuming. Integrating indicator-based threat intelligence with a SEIM security solution would help in identifying compromised system and possibly even prevent some attacks.

If you want to better understand how threat intelligence and SIEM solutions can help your organisation, contact KRYPSYS via www.krypsys.com