By collecting, analysing and contextualising information about possible cyberthreats, including the most advanced ones, threat intelligence offers a critical method to identify, assess and mitigate cyber risk.
The threat landscape is becoming ever more complex and perilous by the day. Adversaries, ranging from opportunistic cybercriminals and organised cybercrime gangs to state-aligned advanced persistent threats (APTs), are well-funded, adaptable and relentless, targeting various chinks in organisations’ cyber armors and often catching them off guard.
By collecting, analysing and contextualising information about possible cyberthreats, including the most advanced ones, threat intelligence offers a critical method to identify, assess and mitigate cyber risk. When done right, it can also help your organisation to prioritise where to focus its limited resources for maximum effect and so reduce their exposure to threats, minimise damage from potential attacks, and build resilience against future threats.
In this episode of Unlocked 403 podcast Robert Lipovsky, ESET’s Principal Threat Intelligence Researcher talks about what threat intelligence is, the work of a threat intelligence expert, the role of threat intelligence in anticipating and countering emerging cyber-risks, etc.
What are the main types of TI?
The challenge for your organization is picking through what is a crowded market of TI vendors to find the right offering. This is, after all, a market predicted to be worth in excess of $44 billion by 2033. There are broadly four types of TI:
Strategic: Delivered to senior leadership via white papers and reports, this offers contextual analysis of broad trends to inform the reader.
Tactical: Aligned with the needs of more hands-on security operations (SecOps) team members, this outlines actor tactics, techniques, and procedures (TTPs) to provide visibility into the attack surface and how malicious actors can compromise the environment.
Technical: Helps SecOps analysts monitor for new threats or investigate existing ones using indicators of compromise (IOCs).
Operational: Also uses IOCs, but this time to track adversary movements and understand the techniques being used during an attack.
While strategic and tactical TI focus on longer term goals, the latter two categories are concerned with uncovering the “what?” of attacks in the short term.
Navigating the TI market
The TI market is constantly evolving, with new categories emerging to help evaluate new threats. That can make choosing the right option(s) a challenge. It pays to think longer term about your requirements to avoid constant reassessment of strategy, although this must be balanced by the need for relevance and agility.
It’s also worth bearing in mind that the maturity of your organisation will play a big part in how many and what type of TI services to adopt. Those with dedicated teams and resource may consume as many as 15 sources of TI across commercial, OSINT, and free offerings.
Today’s threat actors are well resourced, dynamic, determined and can leverage the element of surprise. TI is one of the best ways organisations can level the playing field and gain the upper hand, including by understanding their adversary, assessing the threat landscape and making better informed decisions. That’s the way not only to stop attacks in their tracks before they can make an impact on the organisation, but also to build resilience for the future.
Each organisation will need to choose the blend of TI right for them. But when looking at vendors, ensure the data is at least complete, accurate, relevant and timely. Curated feeds will go a long way to saving time and resource for your own team. The key is to find a vendor whose feeds you trust. According to IDC, 80% of G2000 companies will increase investment in threat intelligence by 2024. Make sure you’re set up to succeed.
by Phil Muncaster and Alzbeta Kovalova, ESET