Information sharing is one of the most critical elements of any security strategy. Without it, security has to be painted with a broad brush where literally anything is possible. Being able to compare the device or network you are trying to protect against a set of threats that are known to be currently active is invaluable in pitting the right resources and countermeasures against the appropriate target.
The goal has to go beyond simply blocking an attack before it can breach the network. The objective also has to include disrupting its ability to achieve its ultimate goal. This means your security strategy needs to also include seeing and disrupting an attack somewhere along the kill chain, from initial system probing to network penetration to the final exfiltration of data. All kinds of threat intelligence come into play to make this possible. It goes beyond signatures or details tied to a specific threat. Intelligence also needs to provide information and context about attack methodologies, such as the tools used to obscure a break-in, how an attack hides inside network traffic or evades detection, the sorts of data being stolen or malware being planted, and how an attack communicates back to its controller. Seeing and understanding these steps in an attack enables it to be disrupted at any of those points. And finally, threat intelligence needs to be leveraged to respond to an attack, whether that means forensic analysis for a full recovery or attribution and prosecution of the attackers themselves.
In fact, the Cyber Threat Alliance (CTA) and its members are developing a series of playbooks designed to walk end-users and customers step-by-step through the methodologies and procedures cybercriminals use to bypass security deployments and achieve their nefarious goals. By taking the specialized security intelligence of CTA members and converting it into a library of security playbooks, users and organizations will now be able to better recognize and stop threats in progress anywhere along the attack kill chain rather than at just the perimeter.
To leverage this sort of intelligence, organizations need to access a variety of threat intelligence sources. These include:
1. Actionable intelligence shared by manufacturers: This is the most common use of threat intelligence. It usually arrives as part of a regular security update from a manufacturer, often in the form of a signature that can detect a known threat.
2. Intelligence collected from local devices and systems: Establishing a baseline of normal network behavior allows you to determine when something is behaving out of character. Data spikes, a device attempting to contact other devices it doesn’t usually communicate with, unknown or unrecognized applications running on the network, or data being collected and stored in an unlikely place are all forms of local intelligence that can be used to identify an attack and even pinpoint which devices have been compromised.
3. Intelligence gathered from distributed devices and systems: This same sort of intelligence can be collected from other areas of the network. As networks expand, they create new opportunities for threats to infiltrate your network. However, because different network environments, such as virtual networks or public cloud environments, usually run separate, and often isolated, networking and security tools, it is essential that you set up a process for the centralized collection and correlation of these different intelligence threads.
4. Intelligence gathered from threat feeds: Subscribing to public or commercial threat feeds enables organizations to enhance the data they collect from their own environment with real-time information collected from a regional or global footprint. This data usually comes in one of two forms:
· Raw feeds: Most security devices cannot consume raw data because it lacks context. Instead, this intelligence needs to be processed by a local security team or customized tools in order to convert it into an actionable format that can be used by existing security tools. The advantage of raw data feeds, however, is that they are often closer to real-time in their information, can often be cheaper to subscribe to, and can be easily used as trusted blacklists or ACLs.
· Custom feeds: This intelligence provides pre-processed security context that can be consumed by security tools, such as specific intelligence delivered using customized IOCs (indicators of compromise). Vendors may customize this data for consumption by a specific set of security devices, or organizations may need to ensure that existing security tools support certain common protocols for reading and using this data.
Many of these feeds can provide specific intelligence designed for a particular security infrastructure. Fortinet’s Threat Intelligence Service (TIS), for example, adds customized security insight to the Security Fabric that not only provides insight into the current global threat landscape, but also ties that intelligence to an organization’s specific security environment in order to better determine how to prioritize security resources to address those threats.
5. Intelligence shared between industry peers: There are a number of groups that share threat intelligence, including ISACs (Information Sharing and Analysis Centers) and ISAOs (Information Sharing and Analysis Organizations), which share threat intelligence between organizations in the same market sector, vertical industry, or geographic region. This intelligence is especially helpful for zeroing in on trends and threats that are impacting your peers, and are therefore more likely to affect you as well.
6. Intelligence transportation: For security intelligence to be effective, organizations need to have tools in place that can work with STIX and TAXII protocols, as they are the backbone used to deliver these feeds. STIX can be used for both raw and custom feeds, with TAXII functioning as the transport layer. MISP is another protocol, developed by NATO, which handles both the intelligence and transport with a single open source solution.
7. Intelligence shared between security vendors: The public doesn’t ever see some of the most important threat intelligence sharing that occurs. As a founding member of the Cyber Threat Alliance, or CTA, Fortinet and other members share their intelligence, human expertise, and playbooks with each other in order to raise the bar for security. While such a cooperative endeavor may seem counter-intuitive, it is a testament to the importance of sharing threat intelligence. These organizations understand that the opportunity to reduce the number of threats that put everyone at risk is more valuable than whatever advantage keeping this data to themselves might provide.
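The baseline comparison described in item 2 above, written out as an added example that is not Fortinet's code: the flow records, host names and thresholds below are constructed assumptions. A learning window establishes which peers each host normally talks to and how much it usually sends them; the current window is then checked for a host contacting a peer it has never spoken to, a transfer far above that pair's usual volume, and a host that has no baseline at all, which is the kind of local intelligence that points at a specific compromised device.

```python
"""Hypothetical baseline-versus-deviation check over constructed flow records.

Added example, not Fortinet's code. Flow records are (source host,
destination host, bytes sent). Both windows below are constructed and
do not represent real traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "learning" window: what the hosts normally do.
BASELINE_FLOWS = [
    ("ws-17", "mail.corp", 12_000), ("ws-17", "files.corp", 40_000),
    ("ws-17", "mail.corp", 15_000), ("ws-17", "files.corp", 38_000),
    ("ws-17", "mail.corp", 11_000), ("ws-17", "files.corp", 42_000),
    ("db-01", "app-01", 300_000), ("db-01", "backup.corp", 900_000),
    ("db-01", "app-01", 310_000), ("db-01", "backup.corp", 880_000),
    ("db-01", "app-01", 295_000), ("db-01", "backup.corp", 910_000),
]

# Constructed "current" window with three out-of-character events.
CURRENT_FLOWS = [
    ("ws-17", "mail.corp", 13_000),
    ("ws-17", "files.corp", 41_000),
    ("ws-17", "203.0.113.9", 2_500),        # peer never seen in the baseline
    ("db-01", "app-01", 305_000),
    ("db-01", "backup.corp", 6_000_000),    # roughly 6x the usual transfer
    ("ws-99", "files.corp", 1_000),         # host with no baseline at all
]


def build_baseline(flows):
    """Learn each host's usual peers and per-peer byte statistics."""
    by_pair = defaultdict(list)
    for src, dst, nbytes in flows:
        by_pair[(src, dst)].append(nbytes)
    baseline = {}
    for (src, dst), sizes in by_pair.items():
        peers = baseline.setdefault(src, {})
        peers[dst] = {"mean": mean(sizes), "stdev": pstdev(sizes)}
    return baseline


def spike_threshold(stats):
    """Three sigma above the mean, but never less than double the mean,
    so a near-constant baseline does not alert on trivial jitter."""
    return max(stats["mean"] + 3 * stats["stdev"], 2 * stats["mean"])


def find_deviations(baseline, flows):
    """Return one alert dict per flow that departs from the learned baseline."""
    alerts = []
    for src, dst, nbytes in flows:
        peers = baseline.get(src)
        if peers is None:
            alerts.append({"kind": "unknown_host", "src": src, "dst": dst})
        elif dst not in peers:
            alerts.append({"kind": "new_peer", "src": src, "dst": dst})
        elif nbytes > spike_threshold(peers[dst]):
            alerts.append({"kind": "volume_spike", "src": src, "dst": dst,
                           "bytes": nbytes,
                           "threshold": round(spike_threshold(peers[dst]))})
    return alerts


if __name__ == "__main__":
    for alert in find_deviations(build_baseline(BASELINE_FLOWS), CURRENT_FLOWS):
        print(alert)
```

The three sigma rule on a handful of samples is fragile, which is why the threshold also has a floor of twice the mean; in production the learning window would be days of flow data per host, not six records.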
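Items 4 and 6 above, as an added example that is not Fortinet's, the CTA's or any feed provider's code: a constructed raw feed in the common one-indicator-per-line style (comments, blank lines and one malformed entry) is normalised into typed IOCs, reduced to a plain blocklist of the kind an ACL can load, and wrapped as STIX 2.1 Indicator objects that a TAXII server or STIX-aware tool could consume. The feed contents, the comment conventions and the validation patterns are assumptions.

```python
"""Hypothetical raw-feed normaliser that emits a blocklist and a STIX 2.1 bundle.

Added example, not Fortinet's or any vendor's code. RAW_FEED is constructed
and contains no real indicators.
"""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

RAW_FEED = """\
# constructed sample feed - not real indicators
203.0.113.45
198.51.100.7 ; seen 2 hours ago

malicious.example
not an indicator!!
0123456789abcdef0123456789abcdef
"""

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
_MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)


def classify(token):
    """Return (STIX object type, normalised value), or None for an unusable token."""
    try:
        ip = ipaddress.ip_address(token)
        return ("ipv4-addr" if ip.version == 4 else "ipv6-addr", str(ip))
    except ValueError:
        pass
    if _DOMAIN_RE.match(token):
        return ("domain-name", token.lower())
    if _MD5_RE.match(token):
        return ("file", token.lower())
    return None


def parse_raw_feed(text):
    """Split a raw feed into accepted (type, value) IOCs and rejected lines."""
    iocs, rejected = [], []
    for raw in text.splitlines():
        # assumed conventions: '#' and ';' start comments, blank lines are skipped
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        hit = classify(line)
        if hit is None:
            rejected.append(line)
        else:
            iocs.append(hit)
    return iocs, rejected


def to_blocklist(iocs):
    """Network-layer blocklist: only indicators a firewall or ACL can act on."""
    return sorted(v for t, v in iocs if t in ("ipv4-addr", "ipv6-addr", "domain-name"))


def _pattern(obj_type, value):
    """STIX patterning for the three indicator kinds this example handles."""
    if obj_type == "file":
        return f"[file:hashes.MD5 = '{value}']"
    return f"[{obj_type}:value = '{value}']"


def to_stix_bundle(iocs, now=None):
    """Wrap the IOCs as STIX 2.1 Indicator objects inside a Bundle."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")  # STIX timestamp format
    objects = [{
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "name": f"Feed indicator: {value}",
        "indicator_types": ["malicious-activity"],
        "pattern": _pattern(obj_type, value),
        "pattern_type": "stix",
        "valid_from": stamp,
    } for obj_type, value in iocs]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    accepted, dropped = parse_raw_feed(RAW_FEED)
    print("rejected lines:", dropped)
    print("blocklist:", to_blocklist(accepted))
    print(json.dumps(to_stix_bundle(accepted), indent=2))
```

Rejected lines are returned rather than silently dropped so that the security team processing the feed can see what failed validation; a raw feed line that cannot be typed is exactly the context-free data the article says devices cannot consume.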
Implementing an effective threat intelligence collection and sharing process is an essential component of any security strategy. It is every bit as important as the firewall you deployed at your network edge or the endpoint security solution you have loaded onto your company’s laptops. While intelligence is important, as is threat sharing, access to real-time, actionable intelligence is still key. It answers the question, “how do we utilize this threat intelligence?” The answer could be by integrating CTA-member technologies into your security stack. Or it could involve deploying solutions that add threat visibility to your security operations center, or that help C-level executives see and understand how the organization is able to react and respond to threats. It’s all about context. Raising the bar on threat intelligence in this way means understanding both the threats on your own distributed network and those reported by global intelligence sources and points of view. And sharing your own threat intelligence with others makes everyone safer.
Check out our latest Quarterly Threat Landscape Report for more details about recent threats.
Sign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence Service.
This byline originally appeared in CSO.