Better the devil you know
In this article Glenn Fitton, ITC Senior Cyber Consultant, zooms in on ‘Threat Intelligence’, focusing on what it is, and what it isn’t.
In the modern age of cyber and with the growing prevalence of large-scale cyber attacks, most of us have come to terms with the fact that it’s not about if you are attacked, but about when. At some point, somebody will attempt to hack your organisation. As the idiom goes “Better the devil you know than the devil you don’t know”.
This is where “threat intelligence” can help.
Typically, well-intentioned IT teams approach security by scanning their known assets and gathering data about current vulnerabilities, and the sheer number of “Critical” or “High risk” findings often shocks them, such that the following 6-8 months are then spent redirecting resource to clear each finding.
This approach is akin to attempting to boil the ocean.
The problem with trying to resolve every single vulnerability is that you never will. Since 2010 the Common Vulnerabilities and Exploits (CVE) Database [1] [see chart] has seen a steady and significant increase in newly discovered vulnerabilities across common software platforms and operating systems. In 2018 alone, 1,655 new CVEs were added to the database, making the typical IT approach of attempting to resolve known weaknesses across the entire estate almost impossible.
Some would argue that the effort required to review, install, test and deploy, on average, over 1,300 new patches each month is unmanageable without considerable additional resources.
There are, however, ways to sustainably manage and reduce your exposure to common vulnerabilities.
Threat Intelligence offers an additional lens to narrow the focus of vulnerabilities. Rather than resolving every known risk, IT resources can be more effectively positioned by focusing on the issues pertinent to your organisation.
One approach is to focus on utility. For example, organisations providing services that require high availability (such as datacentre providers) would focus on clearing vulnerabilities that pose a threat to the availability of their services (such as a DDoS attack). In contrast, an organisation operating in the healthcare sector may use threat intelligence to de-prioritise issues that do not pose a direct threat to the confidentiality and integrity of their patient data.
Another approach is to focus on ubiquity: using threat intelligence to concentrate on vulnerabilities that are actively being exploited rather than on the more theoretical risks that have not yet claimed any victims. By understanding the attack vectors and methods popular with attackers targeting your industry, technology surface or geographical location, IT teams have the best opportunity to ensure the correct defences are in place before an attack occurs.
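The two lenses above, utility (which security property the weakness threatens, weighted by what the organisation cares about) and ubiquity (whether intelligence reports the weakness as exploited in the wild), can be combined into a simple prioritisation score. The following is an added illustration, not code from the article or from ITC: the findings, the “exploited in the wild” feed, the organisation profiles and the 3x exploitation multiplier are all constructed for the example, and the identifiers are placeholders rather than real CVEs.

```python
"""Ranking vulnerability findings with threat-intelligence context.

Added example (constructed data, not the article's own code). Each finding is
scored by:
  utility  = sum over C/I/A of (organisation weight * finding impact)
  ubiquity = multiplier if the finding is reported as actively exploited
  score    = cvss * utility * ubiquity
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str      # placeholder scanner id, not a real CVE
    cvss: float     # base severity 0.0-10.0
    impact: dict    # per-property impact {"C": 0-1, "I": 0-1, "A": 0-1}
    asset: str


@dataclass(frozen=True)
class OrgProfile:
    name: str
    weights: dict   # how much confidentiality/integrity/availability matter, 0-1


# Constructed "intel feed": identifiers reported as exploited in the wild.
EXPLOITED_IN_WILD = frozenset({"FIND-0002", "FIND-0004"})

# Assumed multipliers: an exploited weakness counts three times a theoretical one.
EXPLOIT_MULTIPLIER = 3.0
THEORETICAL_MULTIPLIER = 1.0

# Constructed profiles matching the two sectors the article contrasts.
DATACENTRE = OrgProfile("datacentre", {"C": 0.25, "I": 0.25, "A": 1.0})
HEALTHCARE = OrgProfile("healthcare", {"C": 1.0, "I": 1.0, "A": 0.25})

# Constructed scan results: severity alone would rank them 0001, 0003, 0002, 0005, 0004.
FINDINGS = [
    Finding("FIND-0001", 9.8, {"C": 1.0, "I": 1.0, "A": 1.0}, "web-app"),   # full compromise
    Finding("FIND-0002", 7.0, {"A": 1.0}, "edge-router"),                   # DoS, exploited
    Finding("FIND-0003", 8.0, {"C": 1.0, "I": 0.5}, "db-server"),           # data leak
    Finding("FIND-0004", 6.0, {"C": 0.5}, "file-share"),                    # info disclosure, exploited
    Finding("FIND-0005", 6.5, {"A": 0.5}, "mail-gateway"),                  # partial DoS
]


def score(finding, profile, exploited=EXPLOITED_IN_WILD):
    """Utility-and-ubiquity weighted severity for one finding."""
    utility = sum(profile.weights[p] * finding.impact.get(p, 0.0) for p in ("C", "I", "A"))
    ubiquity = EXPLOIT_MULTIPLIER if finding.ident in exploited else THEORETICAL_MULTIPLIER
    return finding.cvss * utility * ubiquity


def prioritise(findings, profile, exploited=EXPLOITED_IN_WILD):
    """Return (ident, score) pairs, highest priority first."""
    scored = [(f.ident, score(f, profile, exploited)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def cvss_only(findings):
    """Baseline ranking by scanner severity alone, for comparison."""
    return [f.ident for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


if __name__ == "__main__":
    print("severity only:", cvss_only(FINDINGS))
    for profile in (DATACENTRE, HEALTHCARE):
        print(profile.name)
        for ident, s in prioritise(FINDINGS, profile):
            print(f"  {ident}: {s:.2f}")
```

Run stand-alone, the script shows the point of the two lenses: the exploited denial-of-service weakness on the edge router tops the datacentre list but drops to fourth for the healthcare profile, while the modest information-disclosure finding that intelligence says is being exploited outranks it there. The weights and multiplier are deliberately crude; a real programme would source the impact vectors from CVSS metrics and the exploitation flag from a curated feed.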
More advanced threat intelligence services can even operate behind enemy lines. They can scour the farthest corners of the dark web to discover leaked accounts and credentials concerning your organisation that have been made available to would-be hackers looking to formulate an attack.
The market is swamped with security products, such as Intrusion Detection systems, Intrusion Prevention systems, Vulnerability Management solutions and Managed Honeypots, that all claim to have threat intelligence feeds, but these give minimal coverage of the advanced features mentioned above.
As the world of cyber security matures, threat intelligence must be a key component of any information security strategy. Without exceptional, coordinated threat intelligence, cyber threats simply can’t be reliably identified or stopped until it’s too late. It’s therefore essential that you utilise dedicated threat intelligence services and technologies, so that senior management, IT teams and anybody with a stake in your organisation’s success, can be assured they have an effective, sustainable and proactive information security program.
[1] The Common Vulnerabilities and Exploits Database (https://cve.mitre.org/)