Using Threat Intelligence to Mitigate Risk
This panel at the NetDiligence® Cyber Risk Summit offered insights into how organizations can be thoughtful in their use of security resources to mitigate risk.
Speakers included:
- Vinny Sakore, Chief Technology Officer, NetDiligence®
- Andy Sambandam, Founder & CEO, Clarip Inc.
- Christian Lees, Chief Information Security Officer, Chief Technology Officer, InfoArmor
- Daimon Geopfert, Principal, Risk Advisory Services, RSM
- Steve Timmerman, Vice President Business Development, RedSeal
Threat Intelligence is the process of acquiring knowledge about threats to an environment via multiple sources. It is not solely a list of indicators that an attacker used to gain access. It contains additional context into how the attack worked using both internal and external evidence-based knowledge.
A simplified concrete example is after a hack, using the basic IP address to search the threat intelligence community (very similar to the cloud for threat intelligence) and uncover malware associated with the IP. From there, a simple search shows the hacking groups that are using that malware and inspection of the code can help narrow it down to potential groups. Next, you can use that information to show potential attacker’s methods, vulnerabilities, targets and operations.
Some organizations are building threat intelligence into their environments to uncover attacks while they are still trying to penetrate systems. There is chatter, or bragging, in the underground market that can be monitored to uncover a hack before it happens.
That being said, it is very difficult to keep up with the data in the underground market. There are billions of info sets to sift through on the dark web. For instance, no longer are credentials only compromised. You can now go to the dark web and purchase those credentials along with the other authentication you may need to prove identity, including secret identity-proving questions the user has set up, for all accounts on a specific computer. It has become much more sophisticated than solely usernames and passwords being stolen.
Cyber risk monitoring is trying to combat this activity. There are privacy-screening tools to help uncover when data is leaking. This software searches for information like ‘beacons’, very similar to a cookie, that hackers apply to monitor users’ behavior. For retail organizations, for instance, this is a huge compliance issue because they are leaking customers’ data. Also, there are third-parties trying to purchase information to see buying behavior. This is similar to what we have seen recently with Facebook. Hackers use these monitoring tools to help steal data, but now organizations are using the same data to help protect their systems.
There is a lot of information out there, and it is getting more specific. It is important to know that there is now an industry out there to compile information on the threat actors. Standard I.T. is not enough anymore. Threat intelligence is necessary risk management tool to build a strong defense and response.