FortiGuard Labs Perspectives
The availability of reliable and actionable threat intelligence is essential for any effective security strategy. Security tools not only need to gather threat intelligence from the places in the network where they have been deployed, but they also need to share and correlate that intelligence with every other security device deployed anywhere across the network. Integrated solutions that can see, share, and correlate live threat data provide the broad visibility across the network that security systems require to detect and respond to threats effectively.
But that is only half of the equation. Locally gathered threat intelligence needs to be assessed within a broader context of global threats and industry attack trends. This requires subscribing to external threat intelligence feeds from multiple sources. Many security vendors provide external security feeds, as do groups related to an organization, such as ISACs formed around industries or regions. Secondary sources, such as threat reports and updates, are important resources as well.
In addition, cybercriminals are becoming more sophisticated, using machine learning and AI to take advantage of the expanding attack surface and bypass traditional safeguards. Faced with ever-increasing volumes of alerts and floods of data collected from endpoints, network and IoT devices, cloud environments, and other areas, organizations are struggling to keep pace, let alone stay ahead of threats. Going the “last mile” to make threat intelligence actionable typically involves human interaction, though it does not always have to. In practice, this means intelligence is often applied to security controls more slowly than it could be while cybercriminals are moving even faster, leaving systems exposed for longer.
For security solutions to be as fast and agile as the networks they need to protect – and the cybercriminals they need to defend against – they need timely and actionable updates to keep pace with the shifting threat landscape. This means that even the fastest and most adaptable security solutions are only as effective as the threat intelligence infrastructure and researchers that support them.
This support can range from threat intelligence feeds and updates to personalized help from skilled cybersecurity professionals in identifying security gaps or recovering from cyber incidents. But one of the most critical aspects of such threat intelligence is whether it can be used directly to search for and eliminate new threats. Indicators of compromise (IOCs), the mapping of threats to MITRE ATT&CK techniques, and similar structured information help security teams consume threat intelligence rapidly and effectively.
In general, threat intelligence developed by groups of researchers committed to working together is more useful and reliable than one-off threat intelligence. That is why threat intelligence providers should have good working relationships with others in the industry. These groups include Information Sharing and Analysis Centers (ISACs), Computer Emergency Response Teams (CERTs), law enforcement agencies, and other organizations focused on cybersecurity.
But belonging to such cooperatives isn’t enough. Organizations committed to threat research should also be actively involved in the development of industry standards. FortiGuard Labs, for example, in cooperation with others, made significant contributions to the development of the STIX/TAXII standards (STIX for describing threat information, TAXII for exchanging it) and the MISP platform, both of which are now used globally to enable organizations, whether they are customers or not, to share threat information and actionable threat intelligence. In addition, FortiGuard Labs maintains a stable of top threat researchers dedicated to identifying and reporting on zero-day threats.
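To make concrete what “directly consumable” intelligence looks like in the STIX form mentioned above (IOCs plus a mapping to MITRE ATT&CK techniques), here is an added example that is not FortiGuard Labs, OASIS or MISP project code. It parses a small STIX 2.1 bundle, pulls simple equality indicators out of the pattern strings, follows `indicates` relationships to the ATT&CK technique IDs on the linked attack-pattern objects, and scans a few log lines for hits. The bundle, the object IDs, the indicator values, the T1071.001 mapping and the log lines are all constructed for illustration, and only the standard library is used (no `stix2` package).

```python
"""Consume a STIX 2.1 bundle: extract simple equality IOCs from indicator
patterns, map each indicator to MITRE ATT&CK technique IDs through
'indicates' relationships, and scan log lines for matches.

Added example, not FortiGuard Labs / OASIS / MISP code. All IDs, indicator
values, the ATT&CK mapping and the log lines below are constructed.
"""
import json
import re
from collections import defaultdict

# --- Constructed sample bundle (not a real feed) ---------------------------
IND_DOMAIN = "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
IND_IPS = "indicator--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"
IND_COMPOUND = "indicator--eeeeeeee-eeee-4eee-8eee-eeeeeeeeeeee"
AP_WEB = "attack-pattern--cccccccc-cccc-4ccc-8ccc-cccccccccccc"

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": IND_DOMAIN,
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'update-check.example']"},
        {"type": "indicator", "spec_version": "2.1", "id": IND_IPS,
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.23' OR ipv4-addr:value = '203.0.113.9']"},
        # An AND pattern: its comparisons only mean something together, so
        # they must not be split into independent IOCs (see extract_iocs).
        {"type": "indicator", "spec_version": "2.1", "id": IND_COMPOUND,
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[file:name = 'svchost.exe' AND file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
        {"type": "attack-pattern", "spec_version": "2.1", "id": AP_WEB,
         "name": "Application Layer Protocol: Web Protocols",
         "external_references": [
             {"source_name": "mitre-attack", "external_id": "T1071.001"}]},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--dddddddd-dddd-4ddd-8ddd-dddddddddddd",
         "relationship_type": "indicates", "source_ref": IND_DOMAIN, "target_ref": AP_WEB},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--ffffffff-ffff-4fff-8fff-ffffffffffff",
         "relationship_type": "indicates", "source_ref": IND_IPS, "target_ref": AP_WEB},
    ],
})

# Constructed proxy log lines; the last one is a near miss (198.51.100.230).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z src=10.0.0.5 dst=203.0.113.9 host=cdn.example GET /a",
    "2024-03-01T10:00:02Z src=10.0.0.7 dst=192.0.2.1 host=update-check.example POST /c",
    "2024-03-01T10:00:03Z src=10.0.0.9 dst=198.51.100.230 host=files.example GET /b",
]

# One STIX comparison expression: <object-type>:<path> = '<value>'.
# The path may contain quoted components, e.g. file:hashes.'SHA-256'.
COMPARISON = re.compile(
    r"(?P<otype>[\w-]+):(?P<path>(?:[\w-]+|'[^']+')(?:\.(?:[\w-]+|'[^']+'))*)"
    r"\s*=\s*'(?P<value>[^']*)'")
# Operators whose semantics cannot be reduced to a flat list of atoms.
UNSUPPORTED = re.compile(
    r"\b(AND|FOLLOWEDBY|NOT|MATCHES|LIKE|ISSUBSET|ISSUPERSET)\b|[<>!]=?")


def extract_iocs(pattern):
    """Return [(object_type, path, value), ...] for a single equality
    comparison or comparisons joined by OR. Returns [] for anything with
    AND / NOT / regex / range operators: splitting those into standalone
    atoms would silently change what the indicator means."""
    without_values = re.sub(r"'[^']*'", "''", pattern)
    if UNSUPPORTED.search(without_values):
        return []
    return [(m.group("otype"), m.group("path"), m.group("value"))
            for m in COMPARISON.finditer(pattern)]


def load_bundle(bundle_json):
    """Return (iocs, techniques): iocs maps indicator id -> atom list,
    techniques maps indicator id -> sorted ATT&CK technique IDs."""
    objs = json.loads(bundle_json)["objects"]
    by_id = {o["id"]: o for o in objs}
    iocs = {o["id"]: extract_iocs(o["pattern"]) for o in objs
            if o["type"] == "indicator" and o.get("pattern_type") == "stix"}
    techniques = defaultdict(set)
    for o in objs:
        if o["type"] != "relationship" or o["relationship_type"] != "indicates":
            continue
        target = by_id.get(o["target_ref"], {})
        if target.get("type") != "attack-pattern":
            continue
        for ref in target.get("external_references", []):
            if ref.get("source_name") == "mitre-attack" and ref.get("external_id"):
                techniques[o["source_ref"]].add(ref["external_id"])
    return iocs, {k: sorted(v) for k, v in techniques.items()}


def scan_logs(bundle_json, log_lines):
    """Return sorted hits as (line_number, object_type, value, [techniques]).
    Values match only as whole tokens, so 198.51.100.23 does not fire on
    198.51.100.230 and a domain does not fire inside a longer hostname."""
    iocs, techniques = load_bundle(bundle_json)
    hits = []
    for ind_id, atoms in iocs.items():
        for otype, _path, value in atoms:
            token = re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])")
            for n, line in enumerate(log_lines, 1):
                if token.search(line):
                    hits.append((n, otype, value, techniques.get(ind_id, [])))
    return sorted(hits)


if __name__ == "__main__":
    for n, otype, value, techs in scan_logs(SAMPLE_BUNDLE, SAMPLE_LOGS):
        print(f"line {n}: {otype} {value} -> {', '.join(techs) or 'no ATT&CK mapping'}")
```

Two design choices are worth noting. The AND-pattern is deliberately left unextracted rather than split: a feed consumer that flattens `file:name = 'svchost.exe' AND file:hashes...` into two independent atoms would start blocking every legitimate `svchost.exe`. And matches are made on whole tokens, which is the difference between a hit on `203.0.113.9` and a flood of false positives from every address that merely starts with the indicator.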
Cyber defenses are only as good as the threat intelligence informing them. That process starts by building and maintaining good relationships across customers, partners, and vendors. A key part of the equation is also openly partnering with law enforcement to help turn the tide of cybercrime. It is important to encourage and share intelligence with law enforcement and other global security organizations with the goal of effectively taking down cybercrime organizations.
This cooperation is foundational to making it harder and more resource-intensive for cybercriminals to operate, and it is also the best way to end the cycle. Cybercrime has no borders; the more we cooperate with law enforcement and work to make attacks more challenging and expensive for criminals to execute, the better off we are.