Threat Intelligence Without Action is Not Intelligent

Rob Kraus

Organizations must invest in threat intelligence to help predict and mitigate threats. However, organizations that don’t combine intelligence with actions to protect themselves from malicious attacks will experience the equivalent of being stranded on the side of the road with an excellent map but no way of getting to the destination.

Threat intelligence is something the security industry continuously strives to acquire, and it is a vital component of any information security program.

Where is the next attack against your organization going to come from? What capabilities and tools can attackers use against your organization? What threat actors and motives are making your organization a target for a focused attack? These are all very important questions, with answers eluding even the most mature security organizations.

Intelligence Must Drive Action

From a national threat intelligence point of view, the United States government has spent billions of dollars analyzing various information sources in an effort to identify threats before they cripple critical infrastructure. Will the effort pay off? It is hard to quantify, but the efforts move forward even though the costs of implementing the program are indeed staggering.

January of 2012 ushered in a new year of government spending with the National Security Agency breaking ground on a 1,000,000 square foot facility costing approximately US$ 1.2 billion. The facility, located in Utah, is speculated to help bolster the United States government’s information gathering and cyber security agenda. From information gained, plans can be put in place to monitor, interpret and anticipate an enemy’s moves so well that countermeasures can be deployed in a timely and effective manner.

Actionability is the key to any successful security program. Just as an attacker uses intelligence to identify holes in your network infrastructure, you must use threat intelligence to identify potential attackers and their motives, and implement the requisite tools, processes and personnel to make use of the information.

Organizations must invest in threat intelligence to help predict and mitigate threats. However, organizations that don’t combine intelligence with actions to protect themselves from malicious attacks will be ineffective at best. Intelligence is only meaningful in the context of how well it can be acted upon. You still have to be able to look at the information in a consumable manner, with enough context that you can take actual, planned actions based on it. Otherwise, it is just more data.

What 2012 Holds for Security

I predict that in 2012 we will see a continuation and amplification of the hacktivism movements experienced in 2011. Attackers will continue to refine attack methodologies and solicit followers by way of crowdsourcing and using social media as a mechanism to coordinate attacks. Attackers will continue to escalate the complexity of attacks, along with the patience it takes to complete them.

Learning Opportunities

Long gone are the days of kids sitting in their parents’ basement performing random Denial of Service attacks. Those attacks still happen, but the complexity and maturity of current attacks reinforce how capabilities have evolved over the last 15 years.

Making sure threat intelligence is actionable by your organization is the key. Without investing in the proactive detection capabilities inherent in threat intelligence, you will be blind to the past and unable to mitigate current and future attacks.

Some things you can do to give your organization a tactical advantage over your adversaries include:

  • Subscribe to a mature threat intelligence service.
  • Implement robust detective controls.
  • Pay attention to uprisings and focused threats emanating from social media sources.
  • Build internal awareness through an ongoing process to educate business users about hotspot issues and the potential impact of the organization taking a particular stance.
  • Build policies and procedures for escalating and investigating notable information obtained from threat intelligence sources.
  • Review events as you are made aware of them; it does not pay to implement event logging if your organization cannot monitor the events.
  • Augment security staff in places where it makes sense; consider outsourcing some components of your security program to third-party providers having expertise in areas in which your team is struggling.

Above all, remember that security is a journey. Threat intelligence is not autopilot and will not drive your organization to a more effective security posture. Think of it more like a GPS that helps you decide the best direction to turn.

About the author

Rob Kraus

Rob Kraus is the Director of Research for managed security services (MSSP) provider Solutionary. Mr.