Threat Intelligence: The New Frontier
In 1941, at the height of World War II, Allied codebreakers were desperate to stop the German advance. One of the keys to victory for the Allies was a secret project known as Ultra. The goal of Ultra was to break secret encrypted transmissions by the enemy, often encoded by the German Enigma machine. Even mid-way into the war, Allied codebreakers struggled to break Enigma messages. As a result, the Allied code breaking effort often gained its early critical successes by subterfuge rather than decryption.
Allied war efforts sometimes led to the secret capture of German Enigma codebooks, which allowed for easy message decryption during periods for which the codebooks were valid. German commanders were often perplexed as to why Allied war efforts were so effective during these times. Internal investigations led to the possibility of their codebooks being compromised, or at worst, even the Enigma machine itself could have been broken. Each time, German high command determined recent losses must have been due to pure, dumb luck. Their ignorance to system compromise led to many significant losses to the Allies.
While many technology executives fear a cybersecurity compromise, much like the Germans, being unaware of that compromise is far worse and can lead to far more disastrous results. The 2016 Verizon Data Breach Investigations Report reveals a worrying trend. Not only are attackers are able to successfully breach an organization faster than ever before, data reveals that less than 25 percent of these data breaches are discovered by an organization in a timely manner.
Many financial institutions have been able to leverage STIX’s automation to significantly reduce the threat intelligence gap and widen the sources of collaboration for useful threat data
Attackers are not only more efficient than ever before, incident detection and response counter-measures are simply unable to keep up with demand. Cyber criminals have developed a highly efficient digital supply chain and dark web marketplace providing everything from malware development to post exploitation data exfiltration. This collaboration and cooperation make efficient cyber defense nearly impossible for organizations to keep up.
It is clear that organizations need to rethink their cybersecurity strategies in many key areas to develop a stronger, healthier security posture. While cyber criminals have shown themselves to be excellent collaborators, many organizations could learn from their enemy’s tactics by sharing threat intelligence data with one another. A 2015 Ponemon survey on the use and exchange of cyber threat intelligence reveals that 65 percent of surveyed companies that had experienced a recent data breach believe that threat intelligence would not only have assisted with detection of the breach, but could have stopped it altogether.
The majority of surveyed companies reported that they do not share threat intelligence with one another but simply reply on free and paid sources only. Alarmingly, only 21 percent of respondents believed their ability to utilize threat intelligence was effective. Clearly, most organizations believe threat intelligence is an essential element to their cybersecurity strategy, yet few companies are able to effectively utilize it.
One of the most significant factors attributing to the lack of effectiveness of threat intelligence sharing and collaboration is the lack of timely, relevant data. 89 percent of respondents in the Ponemon study believe threat intelligence has a shelf life of hours or less. Unfortunately, 79 percent of respondents are only able to refresh their intelligence data in increments of days or longer. This coverage gap is a leading cause of frustration for cyber threat analysts who lack actionable and timely data to prevent a cyberattack.
Fortunately, recent innovations in the area of threat intelligence are showing positive signs for organizations. First, many industry verticals have Information Sharing and Analysis Centers, (ISACs), to help with distribution and delivery of actionable threat intelligence data. These ISACs are providing a critical service for organizations that all align along a similar industry vertical such as financial services, healthcare, or manufacturing which may see very similar types of threats due to similarities within their industry. Intra-industry collaboration can provide a helpful edge in relevant communication and collaboration.
Secondly, new and open technologies are being developed which will allow for automation of both sharing and receiving threat intelligence data at near wire speed. One leading and open technology, Structured Threat Intelligence eXpression, or STIX, has made significant headway. Many financial institutions have been able to leverage STIX’s automation to significantly reduce the threat intelligence gap and widen the sources of collaboration for useful threat data. While closed, vendor-sourced threat feeds will remain an effective tool, STIX allows for open communication between trusted sources, such as ISACs and other organizations. Because STIX is an open protocol, any vendor is able to utilize this technology and open up new lines of communication in areas never before possible.
This new frontier of threat intelligence and automation is yielding promising results by tearing down old silos of security devices and technologies that are typically unable to communicate with one another and bridging new and effective threat sharing partnerships more e ffectively. I magine a s cenario where an intrusion attempt is detected by one organization and that threat data is transmitted to any other participating organizations at near wire speed.
Deeper and broader threat intelligence will drastically reduce a cyber criminal’s operating effectiveness. Even a small mistake could force an attacker to start over completely from scratch, with new malware and new attack sources, increasing their operating cost and giving a powerful edge back to cybersecurity professionals.
While cyber criminals will always have some advantage, new innovations in threat intelligence may finally help reduce the coverage gap, lessen the time to compromise detection, and unlike the Germans in World War II, prevent the dreaded scenario of being completely unaware of a complete system compromise. However, the onus is organizations to participate in threat intelligence sharing and to invest in technologies that will allow for the automation and utilization of threat intelligence data.