FortiGuard Labs Perspectives
Digital transformation has helped organizations gain a competitive advantage, but there is a dark side to the continued growth of networks and applications. Namely, more cybercriminals see a ripe opportunity to use critical processes and technologies to exploit businesses.
While most businesses have security measures in place, cybercriminals have responded by becoming increasingly sophisticated. Now, they are using machine learning and AI to take advantage of the expanding attack surface and bypass traditional safeguards. Faced with ever-increasing volumes of alerts and floods of data collected from endpoints, network and IoT devices, cloud environments, and other areas, organizations are struggling to keep pace, let alone stay ahead of threats.
This poses a question: What can businesses do to thwart the most sophisticated malicious actors? The answer lies in threat intelligence.
Threat intelligence describes a set of tactics, techniques, and procedures that help organizations prevent or mitigate attacks on their network. This intelligence is often acquired by collecting and analyzing historical threat data through a dedicated tool. With that information in hand, you can discover who is attacking your network, why they are threatening you, which tactics they are using, and learn how you can stop them in their tracks.
The availability of reliable and actionable threat intelligence is essential for any effective security strategy. Security tools not only need to be able to gather threat intelligence from the places in the network they have been deployed, but they also need to be able to share and correlate that intelligence across and between all other security devices deployed anywhere across the network. Integrated security platforms that can see, share, and correlate live threat data enable the sort of broad visibility across the network that security systems require to effectively detect and respond to threats.
But that is only half of the equation. Locally gathered threat intelligence needs to be assessed within a broader context of global threats and industry attack trends. This requires subscribing to external threat intelligence feeds from multiple sources. Many security vendors provide external security feeds, as do groups related to an organization, such as ISACs formed around industries or regions. Secondary sources, such as threat reports and updates, are important resources as well.
Threat intelligence is critical to your organization’s security – but making the most of it isn’t always as straightforward as purchasing the right technology. Here are three ways that organizations can take their threat intelligence initiative a step further.
For security solutions to be as fast and agile as the networks they need to protect – and the cybercriminals they need to defend against – they need timely and actionable updates to keep pace with the shifting threat landscape. This means that even the fastest and most adaptable security solutions are only as effective as the threat intelligence infrastructure and researchers that support them.
This support can range from threat intelligence and updates to personalized support from skilled cybersecurity professionals to help identify security gaps or recover from cyber incidents. But one of the most critical aspects of such threat intelligence is its ability to be used directly to search for and eliminate new threats. Indicators of compromise (IOCs), the correlation of threats to MITRE categories, and similar information help accelerate security teams’ ability to rapidly and effectively consume threat intelligence.
In general, threat intelligence developed by groups of researchers committed to working together is more useful and reliable than one-off threat intelligence. That is why threat intelligence providers should have good working relationships with others in the industry. These groups include Information Sharing and Analysis Centers (ISACs), Computer Emergency Response Teams (CERTs), law enforcement agencies, and other organizations focused on cybersecurity.
But belonging to such cooperatives isn’t enough. Organizations committed to threat research should also be actively involved in the development of industry standards. FortiGuard Labs, for example, in cooperation with others, made significant contributions to the development of the STIX/TAXII standards and the MISP platform – both of which are now used globally to enable organizations, whether they are customers or not, to share threat information and actionable threat intelligence. In addition, FortiGuard Labs maintains a stable of top threat researchers dedicated to identifying and reporting on zero-day threats.
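As an added example (not code from FortiGuard Labs or from this article), the following Python reads IOCs and their MITRE ATT&CK mapping out of a STIX 2.1 bundle of the kind exchanged over TAXII, and checks a few log lines against them, which is the "use it directly to search for new threats" step described above. The bundle, its object ids, the IOC values and the log lines are constructed sample data; T1071 is a real ATT&CK technique id used only as a sample mapping.

```python
import json
import re
# Constructed STIX 2.1 bundle (sample data for this example, not a real feed): one
# indicator with two IOCs, one ATT&CK technique, and the relationship linking them.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7'] OR [domain-name:value = 'bad.example.invalid']"},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000003",
         "name": "Application Layer Protocol",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1071"}]},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000004",
         "relationship_type": "indicates",
         "source_ref": "indicator--00000000-0000-4000-8000-000000000002",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000003"},
    ],
})

_COMPARISON = re.compile(r"\[([\w-]+):[\w.]+\s*=\s*'([^']+)'\]")  # [object-type:property = 'value']

def load_iocs(bundle_json):
    """Return {ioc_value: (ioc_type, attck_id)} from a STIX 2.1 bundle (simple equality patterns only)."""
    objs = {o["id"]: o for o in json.loads(bundle_json)["objects"]}
    technique_of = {}  # indicator id -> ATT&CK id, resolved through 'indicates' relationships
    for o in objs.values():
        if o["type"] == "relationship" and o.get("relationship_type") == "indicates":
            for ref in objs.get(o["target_ref"], {}).get("external_references", []):
                if ref.get("source_name") == "mitre-attack":
                    technique_of[o["source_ref"]] = ref["external_id"]
    iocs = {}
    for o in objs.values():
        if o["type"] == "indicator" and o.get("pattern_type", "stix") == "stix":
            for ioc_type, value in _COMPARISON.findall(o["pattern"]):
                iocs[value] = (ioc_type, technique_of.get(o["id"], "unmapped"))
    return iocs

def scan_logs(log_lines, iocs):
    """Return (line_no, ioc_value, ioc_type, attck_id) for each log line that contains a known IOC."""
    return [(n, value, ioc_type, technique)
            for n, line in enumerate(log_lines, 1)
            for value, (ioc_type, technique) in iocs.items() if value in line]

SAMPLE_LOGS = [  # constructed proxy log lines (sample data, not from any real system)
    "2024-01-01T10:00:00Z GET https://www.example.com/ 200",
    "2024-01-01T10:00:05Z GET https://bad.example.invalid/beacon 200",
    "2024-01-01T10:00:09Z CONNECT 198.51.100.7:443 200",
]
```

Each hit carries the ATT&CK id alongside the matched indicator, so an analyst sees not just which IOC fired but which technique the feed associates with it.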
Cyber defenses are only as good as the threat intelligence informing them. And that process starts by building and maintaining good relationships across customers, partners, and vendors. A key part of the equation is also openly partnering with law enforcement to help turn the tide of cybercrime. It is important to encourage and share intelligence with law enforcement and other global security organizations with the goal of effectively taking down cybercrime organizations.
This cooperation is foundational to making it harder and more resource-intensive for cybercriminals to operate, and it is also the best way to end the cycle. Cybercrime has no borders; the more we cooperate with law enforcement and work to make attacks more challenging and expensive for criminals to execute, the better off we are.