There are almost as many definitions of Threat Intelligence as there are security vendors!
In my view, Threat Intelligence is the ability to recognize the signs of compromise in an infrastructure that the organization needs to act on. That requires analyzing the logs of that infrastructure to pick out the faint signals that can indicate an attack in progress or in preparation.
In a Big Data environment, managing event and security data in a SIEM makes it easier to detect abnormal activity. Having logs available for correlation and investigation is fundamental for every organization. These logs record what happens across the network, whether it is centralized or distributed: on workstations, servers and applications. Fraud, external attacks and errors can be uncovered by analyzing the events generated in the network and the footprints they leave behind.
Sifting through this collected data is invaluable, but it is like finding a needle in a haystack. It presupposes, and this is crucial, a contextual analysis of the collected data:
- Which of these records are the important ones?
- How do you tell whether something that appears to be working normally is in fact malicious activity, or the first clue that an attack is under way?
In practice an attack is often polymorphic, combining actions at several layers or using decoys to draw attention elsewhere.
Example of Threat Intelligence in Use
Here is an example that illustrates the usefulness of Threat Intelligence:
A group of attackers is using a new method to attack the world's most widely used e-mail system. This type of attack has never been seen before and no countermeasure against it is in place. Anti-virus, firewalls and IDS are blind to it: they have no signature that recognizes the attack.
In this example, the attackers go after several targets. Because those targets feed their logs into a SIEM, the attacks are captured, analyzed and the methodology identified. That methodology is written down in a common, machine-readable language and distributed, so the description can be transmitted automatically and used to detect even the faintest signs of the attack wherever it recurs.
Thanks to Threat Intelligence, the attacks have thus been captured, described and shared across the team, while retaining the context that is essential for tracking how the attacks evolve from day to day.
Integration & Automation
LogPoint, for example, can integrate more than 100 threat data sources, drawing on Critical Stack and Emerging Threats among others.
Everything is normalized into a single language. From that point, analysts can automate event queries, screening hundreds of thousands of indicators of compromise to evaluate the data against known attacks. Protecting an organization's infrastructure effectively necessarily relies on knowing the techniques characteristic of a threat, so that data on that attack methodology, or other evidence of compromise, can be identified and collected.
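As an added example (this is not LogPoint's code, and the feed layouts are not the real Critical Stack or Emerging Threats formats), the following Python shows the two steps just described: indicators from two differently formatted feeds are normalized into one canonical form, and log events are then screened against them automatically. The feeds, the log lines, the column layout, the `timestamp type key=value` log format and the field-to-indicator mapping are all constructed for the illustration. It also goes a step beyond the text in two ways a practitioner would want: addresses are matched against CIDR ranges as well as exact IPs, and a subdomain matches an indicator for its parent domain.

```python
"""Normalize indicators from two feed formats into one form, then screen log events against them."""
import csv
import io
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Constructed sample feeds; the column layout and formats are assumptions for this
# example, not the real Critical Stack or Emerging Threats formats.
CSV_FEED = """\
indicator,type,description
203.0.113.45,ip,scanner
Evil-Domain.example.,domain,phishing landing page
http://malicious.example/login.php,url,credential harvesting
"""
TXT_FEED = """\
# one IP or CIDR per line
198.51.100.0/24
192.0.2.17
"""

# Constructed log lines in a hypothetical "timestamp type key=value ..." layout.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z dns client=10.0.0.5 query=mail.EVIL-DOMAIN.example. type=A",
    "2024-05-01T10:00:02Z fw action=allow src=10.0.0.5 dst=198.51.100.77 dport=443",
    "2024-05-01T10:00:03Z proxy user=alice url=HTTP://Malicious.example/login.php#ref status=200",
    "2024-05-01T10:00:04Z fw action=allow src=10.0.0.6 dst=192.0.2.200 dport=53",
]
# Assumed mapping of log fields to the indicator type they should be checked against.
FIELD_TYPES = {"client": "ip", "src": "ip", "dst": "ip", "query": "domain", "url": "url"}


@dataclass(frozen=True)
class Indicator:
    kind: str    # "ip", "cidr", "domain" or "url"
    value: str   # canonical form, so feed values and log values compare equal
    source: str
    note: str


def normalize(kind, raw):
    """Return (kind, canonical value): no case, no trailing dot, no URL fragment."""
    raw = raw.strip()
    if kind == "ip":
        if "/" in raw:
            return "cidr", str(ipaddress.ip_network(raw, strict=False))
        return "ip", str(ipaddress.ip_address(raw))
    if kind == "domain":
        return "domain", raw.lower().rstrip(".")
    if kind == "url":
        p = urlsplit(raw)
        netloc = (p.hostname or "").rstrip(".") + (f":{p.port}" if p.port else "")
        return "url", urlunsplit((p.scheme.lower(), netloc, p.path or "/", p.query, ""))
    raise ValueError(f"unknown indicator type {kind!r}")


def parse_csv_feed(text, source):
    return [Indicator(*normalize(r["type"], r["indicator"]), source, r["description"])
            for r in csv.DictReader(io.StringIO(text))]


def parse_txt_feed(text, source):
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if line:
            out.append(Indicator(*normalize("ip", line), source, "blocklisted address"))
    return out


class IocIndex:
    """Exact-match dictionary plus a list of CIDR ranges for containment checks."""
    def __init__(self, indicators):
        self.exact = {(i.kind, i.value): i for i in indicators if i.kind != "cidr"}
        self.cidrs = [(ipaddress.ip_network(i.value), i) for i in indicators if i.kind == "cidr"]

    def lookup_ip(self, raw):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            return None
        return self.exact.get(("ip", str(addr))) or next((i for n, i in self.cidrs if addr in n), None)

    def lookup_domain(self, raw):
        # Walk up the name so sub.evil.example matches an indicator for evil.example; stop before the TLD.
        labels = raw.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            hit = self.exact.get(("domain", ".".join(labels[i:])))
            if hit:
                return hit
        return None

    def lookup_url(self, raw):
        try:
            return self.exact.get(normalize("url", raw))
        except ValueError:
            return None


LOOKUPS = {"ip": IocIndex.lookup_ip, "domain": IocIndex.lookup_domain, "url": IocIndex.lookup_url}


def parse_event(line):
    ts, log_type, *fields = line.split()
    ev = {"ts": ts, "log": log_type}
    for f in fields:
        key, _, value = f.partition("=")
        ev[key] = value
    return ev


def scan(lines, index):
    """Return one hit per (event field, matching indicator), keeping the event context with it."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for field, kind in FIELD_TYPES.items():
            if field in ev:
                ind = LOOKUPS[kind](index, ev[field])
                if ind:
                    hits.append({"ts": ev["ts"], "log": ev["log"], "field": field, "value": ev[field],
                                 "ioc": ind.value, "source": ind.source, "note": ind.note})
    return hits


def build_index():
    return IocIndex(parse_csv_feed(CSV_FEED, "feed-a") + parse_txt_feed(TXT_FEED, "feed-b"))


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, build_index()):
        print(hit)
```

Run stand-alone, the scan reports three hits and leaves the fourth, benign line alone. The normalization step is what makes the matching robust: the feed says `Evil-Domain.example.` while the DNS log says `mail.EVIL-DOMAIN.example.`, and the proxy log carries an upper-case scheme and a fragment the feed does not; without canonical forms on both sides the phishing query and the credential-harvesting URL would both be missed. Each hit keeps the timestamp, log type and field it came from, which is the context the page insists on: a blocklisted address seen as `dst` of an allowed outbound firewall event means something different from the same address seen as `src` of a dropped inbound one.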
With LogPoint this information can be shared at top speed, almost in real time. Turning that raw information into analysis that actually helps counter a wide range of threats is always the harder challenge, given the constant evolution of risks and attack methods.
That is why Threat Intelligence is an aspect of cybersecurity that no one in charge of a network can afford to ignore or set aside. Its role in network defense is now proven, and the threat data collected has indisputable value for organizations: it gives decision-makers a reliable basis for weighing the benefits and consequences of their decisions.
You are always welcome to get in touch if you have any questions! Find your local LogPoint office here.