The CEO says, “We don’t have time to listen to the weather news; there is too much to do.”
His personal assistant replies, “A snowstorm might keep our employees from showing up at work, and that would cost us more.”
Has this ever happened to you? You forgot to check the weather forecast before driving into a snowstorm or a rainstorm. You promise yourself that would never happen again but it does. It has happened to me a couple of times but one particular experience taught me a lesson.
I drove my wife to a client’s location in Saltsburg, Pennsylvania for a three-week audit. It was getting dark, but I knew I would be able to make it back to Morgantown, West Virginia before midnight.
The problem was that I took a back road, and then it started snowing. The snow got heavier and then turned into icy rain. I had not checked the weather forecast, which would have warned me about the expected severe weather. My car started skidding, and I somehow got stuck in a secluded area on black ice. I got out of the car but could hardly walk on the ice. I was stuck for what felt like hours, but it was really just a few minutes. I sat there not knowing what to do until a policeman came by and offered me some assistance.
This experience taught me the value of listening to the weather news and, by analogy, the value of threat intelligence to an organization’s effort to achieve its goals and objectives.
The weather might not cost your organization as much as a cyber threat would, and that is why we need security intelligence.
Security Intelligence can be defined as the process through which data that is generated in the ongoing use of information systems is collected, processed, analyzed, and disseminated to provide insights into the security status of those systems.
The systems used to store, process and secure your critical data usually generate some form of data which, according to best practice, is logged and correlated to support decision-making. This form of intelligence is focused on your immediate business environment.
Cyber Threat Intelligence, on the other hand, is the process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources to provide data about the external threat landscape.
Just as I was limited by the information I had when I drove out into the snowstorm, organizations are often limited by the information they have. Looking for information from inside and outside sources is vital to the survival of any organization and the achievement of its goals.
One of the PCI DSS requirements mandates that organizations that store or process credit card information must look outside the organization for intelligence sources to assist with their vulnerability management.
PCI-DSS Requirement 6.1: “Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.”
Organizations use cyber intelligence to predict and adapt to the behaviors of malicious actors, whether they are criminal groups, activists, or even nation-state actors.
The forms of this information include:
Information about malware, adversaries’ use of known command-and-control nodes, and the specific TTPs (tactics, techniques, and procedures) used by these attackers.
Using cyber intelligence information along with risk assessments, organizations can tailor their defenses against the threats that are specific to their environment more effectively and cost-efficiently.
This information could come from different sources:
1. OSINT, or open source intelligence: data that is available to use without a subscription. This may include threat feeds similar to those of the commercial providers, and may contain reputation lists and malware signature databases. Examples are listed below:
▪ US-CERT
▪ UK’s NCSC
▪ AT&T Security (OTX)
▪ MISP
▪ VirusTotal
▪ Spamhaus
▪ SANS ISC Suspicious Domains
2. Proprietary: proprietary threat intelligence is very widely provided as a commercial service offering, where access to updates and research is subject to a subscription fee.
The properties of this information include:
- Timeliness: Property of an intelligence source that ensures it is up-to-date
- Relevancy: Property of an intelligence source that ensures it matches the use cases intended for it.
- Accuracy: Property of an intelligence source that ensures it produces effective results.
- Confidence Levels: Property of an intelligence source that ensures it produces qualified statements about reliability.
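As an added example (not from the original post), here is how the four properties above and the PCI DSS 6.1 risk ranking can be applied together when consuming an outside vulnerability feed: entries that are stale, irrelevant to the assets you actually run, or weakly sourced are dropped, and the rest get a high/medium/low ranking. The feed entries, product names and thresholds are constructed for illustration and do not describe any real vulnerability.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data: advisory ids, products and scores are made up for
# this example and do not refer to real vulnerabilities or products.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=30)    # timeliness: older entries are treated as stale
MIN_CONFIDENCE = 0.6            # confidence: reject weakly sourced entries
# Relevancy: what this hypothetical cardholder-data environment actually runs.
ASSET_INVENTORY = {"web-app-server", "payment-gateway", "db-server"}

@dataclass
class Advisory:
    advisory_id: str
    affected: set           # products the outside source says are affected
    severity_score: float   # 0.0-10.0, as published by the source
    published: datetime
    confidence: float       # 0.0-1.0, the source's own reliability statement

def risk_rank(score: float) -> str:
    """Map a published severity score to the high/medium/low ranking PCI DSS 6.1 asks for."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def triage(advisories, now=NOW):
    """Apply the timeliness, relevancy and confidence checks, then rank what survives.
    Returns (ranked, dropped): id -> rank for accepted entries, id -> reason for rejected ones."""
    ranked, dropped = {}, {}
    for adv in advisories:
        if now - adv.published > MAX_AGE:
            dropped[adv.advisory_id] = "stale"
        elif not adv.affected & ASSET_INVENTORY:
            dropped[adv.advisory_id] = "not relevant"
        elif adv.confidence < MIN_CONFIDENCE:
            dropped[adv.advisory_id] = "low confidence"
        else:
            ranked[adv.advisory_id] = risk_rank(adv.severity_score)
    return ranked, dropped

SAMPLE_FEED = [
    Advisory("ADV-0001", {"payment-gateway"}, 9.1, NOW - timedelta(days=2), 0.9),
    Advisory("ADV-0002", {"db-server"}, 5.5, NOW - timedelta(days=10), 0.8),
    Advisory("ADV-0003", {"mail-relay"}, 8.0, NOW - timedelta(days=1), 0.9),
    Advisory("ADV-0004", {"web-app-server"}, 7.5, NOW - timedelta(days=90), 0.9),
    Advisory("ADV-0005", {"web-app-server"}, 3.0, NOW - timedelta(days=3), 0.4),
]
```

Calling `triage(SAMPLE_FEED)` keeps only the two entries that are recent, relevant and well sourced; the dropped dictionary records why each other entry was set aside, which is useful evidence for an assessor reviewing the 6.1 process.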
In case you are interested, it will snow all day tomorrow, at least where I live. That might not be as important to you as having timely, relevant security intelligence to protect your critical assets.