Cyber threat intelligence – what is it?

Aug 14, 2020

How to get ahead of cyber crime

Whether or not you are an athlete, you’ve probably heard about the ransomware attack on sport and fitness tech giant, Garmin. Used by cyclists, runners and other sportspeople around the world, Garmin was hit by a cyberattack on 23rd July that encrypted some of its systems. It took the company more than five days to recover from the attack, and industry reports suggest that the multi-million dollar ransom was paid, allegedly through a third-party intermediary.

Garmin was attacked by ransomware called WastedLocker, associated with Russia’s Evil Corp. Historically, this type of attack was aimed at “soft targets” – hospitals, schools, municipalities – entities that could ill afford any downtime and therefore could be counted on to pay up. Ransoms tended to be in the hundreds of thousands of dollars. However, it seems the stakes have been raised. Jon DiMaggio, senior threat intelligence analyst at Symantec, said, “We’re seeing them ask for millions…With Evil Corp, there’s no doubt that…they’re hitting Fortune 500–type companies now.”

Cybercrime is here to stay and is becoming more menacing and high-risk than ever before. How can you protect your systems and your company? How can you stay on top of cyber threats and ahead of cybercrime?

Cyber threat intelligence

Every spy worth his or her salt knows the importance of intelligence. Unless we know what the enemy is up to, where they are and where they might strike next, we are powerless to protect ourselves from attack. Cyber threat intelligence isdefined as “data that is collected, processed, and analysed to understand a threat actor’s motives, targets, and attack behaviours.” It is a process that allows your organisation to gain insight into specific situational risks, so you can anticipate threats and defend yourself against them. Effective cyber threat intelligence gives you the information you need to make evidence-based security decisions and respond proactively rather than reactively to threats posed by various actors.

Organisations are increasingly recognising the value of cyber threat intelligence. The reality is that, in light of the growing sophistication of cybercriminals, no enterprise can afford to ignore it.

Types of threat intelligence

Cyber threat intelligence falls roughly into three categories, of varying degrees of complexity and contextual application. They are:

  • Tactical intelligence
  • Operational intelligence
  • Strategic intelligence

Let’s look at them in turn and consider what each can tell you.

Tactical intelligence

Tactical intelligence is immediate and technical. It looks for “indicators of compromise” (IOCs). These might be bad IP addresses, URLs, file hashes or malicious domain names. This sort of intelligence can be gathered via security products that utilise open-source, and free data feeds. It is easy to generate and usually automated. However, tactical intelligence often has a short lifespan, because bad IPs or domain names rapidly become obsolete. Intel feeds are useful and generate substantial amounts of data, but raw data like this may not help you understand the threats that are specifically relevant to you or give you any strategic insight into the value of the data.

Operational intelligence

Operational intelligence takes surveillance to the next level. Rather than just capturing information from automated feeds, it seeks to understand the human factor by studying the qualities of the people behind the threats. It tries to identify the who, the why and the how. The “who” might be an individual, as the Russian hacker behind Evil Corp, or a nation-state. The “why” is the motivation – financial gain, hacktivism, political espionage. The “how” consists of the TTPs – tactics, techniques, and procedures – used by the cybercriminal(s). When these three factors are analysed, considerable insight can be gained into how “the enemy” plans and conducts “campaigns”.

Operational intelligence cannot be gleaned from machines. It requires the capability of dedicated Information Security Intelligence, such as that offered by NEWORDER, to identify the threat actors who may target your business; and it needs human analysis to convert data into information you can use.

Strategic intelligence

Just as you have a business strategy, so do cyber criminals. Whether they exist for financial gain or political ends, you can assume they engage in highly elaborate planning and execution. Just like the Great Train Robbery, which took months to organise, a $10 million ransomware attack is not thrown together in days or sketched out on the back of an envelope. Effective strategic intelligence will analyse the higher-level factors that underpin cyber attacks and will follow the development of the techniques employed and their evolution over time. Particularly in the case of “big game hunting”, i.e. the practice of ransomware actors going after bigger and more lucrative companies (e.g. Garmin), an understanding of financially motivated strategies of adversaries like Evil Corp can be a step towards predicting and preventing their next move.

However, this level of intelligence is inevitably harder to generate than more basic tactical and operational intelligence. It requires not only human data collection but a level of analysis that demonstrates a grasp of cybersecurity and geopolitics.

How to stay one step ahead of cyber crime

It is said that it’s impossible to stay ahead of the cybercriminals because defences can only defend against known threats. To some extent, this is true. No one can predict where the next Garmin-like attack will take place when the field of potential candidates is so vast. And the villains are constantly inventing new tactics and techniques, often using the funds they have extorted from legitimate companies to do so (when the adversaries have names like “Evil Corp”, “villain” seems appropriate).

However, you CAN protect yourself, but you are unlikely to be successful on your own. Your IT team may be adept at gathering tactical intelligence and succeed in plugging gaps on a just-in-time basis. But this is firefighting rather than a strategic approach to cybersecurity. You need to collect all three types of intelligence – tactical, operational and strategic – and analyse them in an all-inclusive manner to make good business decisions. This is beyond the scope of most IT teams, whose main responsibility is systems functionality. It requires specialist skills, such as those provided by NEWORDER’s Information Security Intelligence, and should not be an add-on to an existing role, even IT security.

If you can identify and remedy breaches as soon as they appear, you are more likely to mitigate and even deflect the impact of an attack. You will also disincentivise your attackers. NEWORDER’s Information Security Intelligence will proactively identify inconsistencies that might be innocent errors but equally could be deliberate breaches of your security…breaches that might be overlooked by your automated tactical intel feed or standard monitoring.

Data tells a story

While there is no doubt you need the data provided by your IT security team, and you would be unwise to ignore technical indicators, not all threats pose the same degree of risk to your business. Our team has specialist expertise in understanding the story told by the data. We can advise you on the steps you need to take to reduce your exposure to risk and enhance your IT governance. While it is unrealistic to prevent all attacks, early detection and rapid response will significantly improve your chances of a good outcome, in terms of cost, reputation and data integrity.