The more you know

The phrase “The more you know” was a widely popular expression in the United States in the late 80’s used during public service announcements intent on educating the public on various topics. However, the expression holds value in cybersecurity as we use knowledge sharing to help others who are often fighting the same adversaries, on the same battlefield, with the same tools. This information sharing can be instrumental in helping organizations overcome the daily barrage of attacks they face.

So, what is threat intelligence? Threat intelligence in cybersecurity refers to the collection, analysis, and dissemination of information about current and potential attacks that threaten the security of an organization. It can be leveraged in the broader security program of an organization to enable them to understand the threats they face, including the tactics, techniques, and procedures (TTPs) of adversaries. By utilizing this intelligence, businesses can enhance their security posture through implementing strategies and defenses tailored to counteract specific threats, thereby minimizing the risk of a successful cyber-attack.

Threat intelligence provides something else. The ability to know whether there are vulnerabilities that require immediate attention. One of the biggest challenges for most organizations is understanding where to focus their limited resources while managing the ever-growing backlog of security findings. While, of course, numbers vary widely, mid-size organizations can have thousands of vulnerabilities in their backlog when you include applications, OS, host, infrastructure, network, and cloud vulnerabilities. Consider that in 2023, over 26,000 vulnerabilities were published. 25% of vulnerabilities were immediately targeted for exploitation. Those numbers should give many of us in the cyberspace sit up straight.

However, of the vulnerabilities identified, a tiny fraction (under 1%) presents the greatest risk. This critical group includes vulnerabilities for which there are known exploits, those actively targeted by ransomware and malicious actors, or those with verified instances of exploitation. What does that tell us? Possibly that we don’t need to drop everything when a new vulnerability comes out. Possibly that we don’t have to manage that full backlog.

But it also tells us that when we narrow our focus to actionable intelligence, we can be more effective and more efficient. How do we get to a place where we have actionable information?

It’s more than just more noise.

There are a few primary types of threat intelligence. Strategic, tactical, and operational.

Strategic Threat Intelligence (STI) analyzes broad cybersecurity trends and their potential impact on organizations, focusing on understanding the motivations, capabilities, and targets of threat actors. This intelligence is key for executives to develop informed risk management strategies.

Tactical Threat Intelligence (TTI) delves into the specific tactics, techniques, and procedures (TTPs) used by attackers, employing threat hunting to uncover hidden threats. This more technical intelligence is crucial for IT and security operations teams to bolster defenses and enhance incident response.

Operational Threat Intelligence (OTI) provides real-time information for immediate threat detection and response, essential for CISOs, CIOs, and SOC teams to quickly counteract imminent threats.

The different levels each have their space in an organization. Strategic Threat Intelligence may lead to new investments in technology or training programs if there is an emerging threat targeting similar organizations in the same industry. For example, the CISO may receive STI informing them that there is an increased likelihood of ransomware targeting them and similar businesses through a phishing campaign. This may initiate a formal review and gap analysis of the organization employee phishing readiness, incident response, and backup strategies.

At the tactical level the TTI would enable the security operations center (SOC) to identify specific TTPs that are utilized in the phishing campaign as well as the command-and-control infrastructure and make-up. This intelligence helps them quickly identify the attack's nature, source, and methods, allowing for immediate containment and mitigation actions to prevent or minimize damage.

Finally, at the operational level, by utilizing OTI for immediate data analysis, the SOC can swiftly pinpoint the characteristics, origin, and tactics of an attack. This enables prompt measures for containment and mitigation, aiming to either prevent or significantly reduce the extent of harm.

The usage of threat intelligence in the overall management of vulnerabilities allows for the organization to focus on the actionable, exploitable, looming threats. It is not designed to replace generic vulnerability management, but rather enhance and provide focus and priority for already overworked security teams.

Sharing is caring.

While organizations can gather intelligence information from multiple different sources, it’s important to know that many will rely on collaborative efforts to stay ahead of emerging threats and vulnerabilities. This collaborative spirit finds its way into various platforms, including Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs).

ISACs serve as focal points for specific industries such as finance, healthcare, or energy, where many of the cybersecurity threats facing organizations in those industries can be novel and specific. These centers gather intelligence on threats and vulnerabilities within their respective sectors and facilitate information exchange among member organizations. For instance, in the financial sector, the Financial Services ISAC (FS-ISAC) acts as a hub for sharing critical cybersecurity information among banks, insurance companies, and other financial institutions. Through this participation and collaboration, member organizations can collectively strengthen their cyber defense mechanisms.

On the other hand, ISAOs operate on a broader scale, not limited to industry-specific boundaries in order to foster collaboration across diverse sectors. Unlike ISACs, which focus on critical infrastructure sectors, ISAOs cater to a wider range of organizations, including small and medium-sized enterprises (SMEs), academic institutions, and government agencies. By pooling resources and sharing insights on cyber threats and mitigation strategies, ISAOs empower a diverse array of entities to bolster their cybersecurity posture collectively. Although the ISAO has broader appeal, the adoption and activity level varies.

“What an ISAO does depends on its membership and what its purpose is.” – Greg White Executive Director at UTSA.

At the heart of these collaborative efforts lie standardized frameworks for identifying and addressing cybersecurity vulnerabilities. Frameworks like the Common Vulnerabilities and Exposures (CVE) system provide a unified platform for cataloging and describing publicly disclosed vulnerabilities. If you’re not familiar (if you’re in cybersecurity, you should be) with CVE’s, each one is assigned a unique identifier, enabling us security folks to speak the same language about specific security issues and coordinate patch management efforts across different platforms and organizations.

The Cybersecurity and Infrastructure Security Agency (CISA) maintains the Known Exploited Vulnerabilities (KEV) catalog, which highlights vulnerabilities actively exploited by cyber threat actors. Although similar to CVE, KEV specifically pinpoints vulnerabilities that threat actors are actively exploiting. This focus helps organizations prioritize which vulnerabilities to patch first, based on the reality of current cyber threats.

We may not think of these as explicitly threat intelligence but ISACs, ISAOs, CVEs, and the CISA KEV catalog demonstrate the power of collaboration in the context of cybersecurity. By sharing information, resources, and best practices, organizations can hope to effectively understand the adversarial environment.

Feeds as far as the eye can see.

While sharing of data and collecting vulnerability information has been instrumental in identifying and managing vulnerabilities, we’re living in an automated world. This is where feeds and research come into play. Many of which can be integrated with the security products and processes that already exist in the organization.

Firstly, look inward. Using internal data for cyberthreat intelligence involves analyzing an organization's own collected data, like network/application logs and incident response, to detect potential security threats. For instance, unusual increases in outbound traffic may indicate data exfiltration. Reviewing how past attacks were handled can also sharpen defenses against future threats. This method offers bespoke insights into an organization's specific vulnerabilities, allowing for more tailored defense strategies. However, relying solely on internal data may limit the scope of threat awareness to previously encountered or known issues.

Open-Source Intelligence (OSINT) leverages publicly available information to inform on potential cyber threats. Organizations use OSINT by analyzing data from various public domains such as news websites, online forums, blogs, and social media platforms. For example, a security team might monitor specific hacker forums known for sharing exploit techniques or use social media to track trends related to cybersecurity threats. This approach allows for the early detection of emerging threats by understanding the tactics discussed in public spaces, providing a broader context to the cybersecurity landscape.

OSINT can often lead to dark web monitoring which involves analyzing the wild recesses of the dark web, where cybercriminals often gather and exchange goods and services. This monitoring involves actively searching, scanning, and collecting data from the dark web to identify potential cybersecurity threats and stolen information. By keeping an eye on these hidden forums, security teams can gain early warnings about breaches, stolen data, and emerging threats, enabling them to act swiftly to protect their systems and data from being exploited by malicious actors lurking in the depths of the internet. And yes, it’s not uncommon for an organization to find their own data on the dark web without knowing they were breached!

There are services too. Threat data feeds are provided by specialized firms. They deliver real-time information about new and emerging threats, vulnerabilities, and exploits, allowing organizations to swiftly identify and respond to potential security risks. This intelligence gathering from a third party provides a force multiplier to the security organization, allowing them to ingest and respond to information as it becomes available. InfraGard, AlienVault Open Threat Exchange (OTX), and BlockList are three open-source services that can be used to collect data.

Probably the most important part of having access to this wealth of knowledge is how it will be integrated into the threat intelligence platform of choice (there are several out there like Anomali ThreatStream, LookingGlass, and Recorded Future). However, it’s important to ensure that the intelligence that is gathered it in an ingestible format. Threat intelligence data comes in various formats:

• Structured Threat Information eXpression (STIX) represented in JSON or XML

• Trusted Automated Exchange of Indicator Information (TAXII) for standardized threat data exchange similar to HTTP.

• PDFs are used for detailed reports with analysis and indicators.

• CSV files share simple lists of indicators like IP addresses.

• MISP platform, specifically designed for threat sharing, supports multiple export formats, including JSON and CSV.

The choice of format depends on interoperability with tools and workflows for effective threat intelligence sharing.

How does this work in product security?

Great! There are a lot of resources, tools, services, feeds, and people that can help with threat intelligence. How does this become reality in a product security program? Like most things in IT and cybersecurity, operationalizing threat intelligence within an organization requires a systematic approach that aligns with the organization's goals, resources, and (most importantly) the risk profile. Here are five key action items to drive this process:

Assess the needs: How do you know if you even need, or can manage, incoming threat intelligence? The first step is to conduct a comprehensive assessment of the organization's threat intelligence requirements. This evaluation should consider factors such as industry regulations, the organization's size, the nature of its digital assets, and its risk tolerance. By understanding these factors, the organization can determine the types of threats it is most likely to face, and the level of threat intelligence needed to mitigate those risks effectively.

Implement Tools: Who doesn’t love a new security tool! Once the threat intelligence needs are identified, the organization should deploy appropriate threat intelligence tools and services to gather, analyze, and utilize threat intelligence (see above). The chosen tools should integrate seamlessly with existing security tools, processes, and people while providing actionable intelligence that aligns with the organization's objectives. More importantly, the data exchange needs to be in a common format for ease of ingestion.

Establish Processes: Establishing clear processes is not merely about ensuring alignment on operational procedures; it's a fundamental requirement for the efficient deployment and application of threat intelligence within an organization. The organization should define workflows for data collection, analysis, dissemination, and feedback incorporation. This includes evaluating the relevance and credibility of intelligence, and determining how intelligence will be shared with relevant stakeholders as some of this intelligence can be extremely sensitive. Additionally, processes should be in place for integrating threat intelligence into incident response procedures and security operations center (SOC) workflows.

Train Personnel: Building that culture of cybersecurity awareness and proficiency isn’t just for keeping users from clicking on phishing links it is also critical for the successful implementation of threat intelligence. Organizations should provide training to their security personnel on threat intelligence methodologies, tools, and best practices and how it’s used in the organization. This training should be tailored to the roles and responsibilities of different team members, ensuring that they have the knowledge and skills needed to effectively leverage threat intelligence in their daily activities.

Continuous Improvement: Organizations must adapt their threat intelligence processes according to the changes in the threat landscape and organization. If an organization moves into a new vertical their needs around threat intelligence will change. The organization should regularly review its threat intelligence processes, incorporating feedback from stakeholders and lessons learned from past incidents. This may involve updating tools and technologies, refining analysis methodologies, and enhancing collaboration with external partners and information-sharing networks.

Knowledge is power!

Effective operationalization of threat intelligence is paramount for organizational cybersecurity resilience. Threat intelligence encompasses the collection, analysis, and dissemination of pertinent information regarding potential cyber threats, offering strategic insights for mitigating risks. By prioritizing vulnerabilities actively exploited by threat actors, organizations can optimize resource allocation and respond judiciously to imminent threats. This demands a systematic approach involving thorough assessment of organizational needs, implementation of appropriate tools, establishment of clear processes, and continuous training of personnel. Collaboration through platforms like ISACs and ISAOs and adherence to standardized frameworks such as the CVE and KEV systems are integral facets of this process. Embracing a culture of collaboration and continuous improvement empowers organizations to navigate cybersecurity challenges with resilience and confidence.

So, remember folks, “the more you know!”