Cyber Security.
26.08.24
What if you could anticipate cyber threats before they strike, knowing the who, what, and why behind every attack? This isn’t just a cyber security dream; it’s the power of threat intelligence. But what exactly is threat intelligence, and how can it be harnessed to protect your organisation?
In a recent episode of the CheckITOut podcast, two leading experts in cyber security explored this vital topic. Gavin Rae, Senior Security Solutions Engineer at Rapid7, and Pete Livingstone, Security Specialist at The Missing Link, delved into the sources of threat intelligence, its practical applications, and how businesses can leverage this critical information to stay ahead of cyber threats.
Threat intelligence draws from various sources to provide a comprehensive understanding of potential threats. These include open-source intelligence (OSINT), which involves publicly available information from websites, forums, and social media. OSINT offers valuable insights into threat actors and their activities. On the other hand, closed-source intelligence (CSINT) is obtained from proprietary or subscription-based services, offering detailed threat analysis, indicators of compromise (IOCs), and customised reports.
In addition to these sources, Information Sharing and Analysis Centres (ISACs) play a crucial role in the cyber security ecosystem. These industry-specific organisations facilitate the sharing of threat intelligence within sectors such as finance or healthcare, enabling collaboration against common threats. Even in competitive industries like banking, security teams often work together through ISACs, sharing tips and insights to combat shared threats. Government agencies, like the Australian Cyber Security Centre (ACSC), also provide essential resources to help organisations stay ahead of emerging threats.
To effectively implement threat intelligence within an organisation, the first step is to identify the key event sources of interest. Integrating logs from various sources—such as cloud services, authentication systems, and SaaS platforms—into the Security Operations Centre (SOC) is essential. This enables security teams to detect attacker behaviours, respond to alerts, and ensure critical logs are continuously monitored.
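As an added illustration of that integration step (example code written for this summary, not from the podcast, Rapid7 or The Missing Link), the script below normalises constructed log lines from a cloud audit trail, an authentication system and a SaaS platform into one shape and correlates them against a constructed indicator feed, dropping expired IOCs so stale indicators do not raise alerts. The feed format, the three log layouts and the reference time are all assumptions.

```python
"""Correlate multi-source SOC logs against a threat-intelligence IOC feed."""
import json
import re
from datetime import datetime, timezone

# Constructed IOC feed, shaped like what a subscription (CSINT) service might supply.
IOC_FEED = [
    {"value": "203.0.113.45", "type": "ipv4", "confidence": 90, "expires": "2030-01-01T00:00:00Z"},
    {"value": "login-portal-example.test", "type": "domain", "confidence": 70, "expires": "2030-01-01T00:00:00Z"},
    {"value": "198.51.100.7", "type": "ipv4", "confidence": 95, "expires": "2020-01-01T00:00:00Z"},  # stale
]
# Constructed sample events: cloud audit JSON, key=value auth log, free-text SaaS log.
SAMPLE_LOGS = [
    '{"user": "alice", "src_ip": "203.0.113.45", "action": "ConsoleLogin"}',
    "auth: user=bob ip=198.51.100.7 result=failure",
    "saas share created by carol link https://login-portal-example.test/x",
]
REFERENCE_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)  # assumed "now" for expiry checks

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def active_iocs(feed, now):
    """Index indicators by value, discarding any whose expiry has passed."""
    out = {}
    for ioc in feed:
        expires = datetime.fromisoformat(ioc["expires"].replace("Z", "+00:00"))
        if expires > now:
            out[ioc["value"].lower()] = ioc
    return out

def normalise(raw):
    """Map one raw line from any of the three sources to a common event shape."""
    if raw.startswith("{"):  # cloud audit event serialised as JSON
        ev = json.loads(raw)
        return {"source": "cloud", "user": ev.get("user"), "text": f"{ev.get('src_ip', '')} {ev.get('action', '')}"}
    if raw.startswith("auth:"):  # authentication log in key=value form
        kv = dict(part.split("=", 1) for part in raw[5:].split())
        return {"source": "auth", "user": kv.get("user"), "text": kv.get("ip", "")}
    return {"source": "saas", "user": None, "text": raw}  # free-text SaaS audit line

def correlate(raw_lines, feed, now):
    """Return one hit per (event, active IOC) pair found in the event text."""
    iocs = active_iocs(feed, now)
    hits = []
    for raw in raw_lines:
        ev = normalise(raw)
        observed = {m.lower() for m in IPV4.findall(ev["text"]) + DOMAIN.findall(ev["text"])}
        for value in sorted(observed & iocs.keys()):
            hits.append({"source": ev["source"], "user": ev["user"], "ioc": value, "confidence": iocs[value]["confidence"]})
    return hits

def run_sample():
    """Run the correlation over the constructed logs at the assumed reference time."""
    return correlate(SAMPLE_LOGS, IOC_FEED, REFERENCE_TIME)
```

The stale 198.51.100.7 indicator produces no alert even though the auth log contains it, which is the behaviour a SOC wants from an expiring feed.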
A common challenge for operations teams is the cost associated with log ingestion into Security Information and Event Management (SIEM) systems. Many SIEMs are licensed based on ingestion volume, which can lead organisations to limit the amount of data they collect to manage costs. However, choosing a solution that licenses based on asset count rather than ingestion volume can help organisations collect more data without incurring additional costs.
Technical considerations for SOC Managers:
To effectively manage and secure your SOC, consider the following key technical aspects:
While threat intelligence is vital for security teams, its benefits extend beyond IT. For instance, procurement teams can use threat intelligence to anticipate disruptions in global supply chains, while strategic leadership can leverage it to make informed decisions about mergers, acquisitions, or market expansion.
Digital risk protection tools can monitor an organisation's digital assets across the Internet, tracking domains, brand names, social media accounts, and potential imposter sites. These tools provide alerts for suspicious activities like fake LinkedIn accounts or compromised customer accounts, helping protect brand reputation and prevent fraudulent activities. Some tools also extend their monitoring to the dark web, scanning forums and marketplaces for compromised assets and customer data.
For small to medium-sized businesses that may lack the resources of larger organisations, partnering with a managed service provider can be transformative. Managed service providers offer the expertise, tools, and processes needed to monitor, control, and investigate threats. This partnership allows organisations to focus on their core business while ensuring their security posture is continuously strengthened.
Support for analysts: In addition to automated tools, managed service providers often offer access to security analysts who can provide expert advice. For instance, Rapid7's Threat Command includes an "ask an analyst" feature, allowing organisations to seek further validation or clarification on alerts, which aids in informed decision-making.
Incorporating threat intelligence into your organisation’s security strategy is not just a technical necessity—it's a strategic advantage that can safeguard your business against evolving cyber threats. By leveraging threat intelligence effectively, organisations can enhance their security operations, protect their digital assets, and make more informed business decisions.
Here are the critical steps to take away from this discussion:
These insights, explored in episode 2 of the CheckITOut podcast, Threat Intelligence – effective integration, highlight the importance of building a strong foundation in threat intelligence and expanding your efforts to protect your organisation effectively.
For more in-depth insights and expert advice, we invite you to listen to the full episode of the CheckITOut podcast, where Gavin and Pete delve further into the power of threat intelligence and how to stay ahead of evolving cyber threats.
Author
Louise Wallace