Critical Questions a Threat Intelligence Service should be able to answer

By Yeo Siang Tiong, General Manager for Southeast Asia at Kaspersky

The new decade opened with the commercialization of 5G networks, further implementations of Artificial Intelligence, and the increased use of data analytics.

Aside from these revolutionary breakthroughs, there is one underlying trend that we should not miss — the heightened importance of intelligence in this digital age. In Southeast Asia alone, researchers at Kaspersky have monitored an increased activity of major Advanced Persistent Threat (APT) groups waging sophisticated cyberespionage against government-related organizations and even entities.

These malicious actors are upping their game with new attack tools to siphon information from governments, military entities, and organizations. What are they aiming to get their hands on? Confidential intelligence.

Security report says 1 in 3 ransomware attacks target business users

Report reveals 54% of online users don’t know how to check if passwords were leaked

Interestingly, another kind of intelligence can help nations and even enterprises to keep their secret data safe. Threat intelligence. This technology can help an organization understand the threats that have, will, or are currently targeting their networks. It should also serve as a foundation of an organization’s cybersecurity strategy.

I am well aware that there are dozens and dozens of companies now offering this service. How could you pick and assess which provider is better than the other? Let’s go through some vital questions they should be able to answer for you and your security team.

1. How suspicious is this file? In what aspects?

Let’s be honest, there are two realities in an IT security environment of any organization — understaffing and the overflowing detections and false positives. With most IT departments understaffed these days, is your team ready to deal with the overwhelming assault of threat data coming your way?

The reality is, not every file is malicious or requires special attention, with some of them easily dealt with by your basic anti-virus software. A proper threat intelligence feed should be able to filter out false positives and allow you to focus on the threats that really matter.

It is important to clear the line here. Endpoint security does detect but only classifies a file in terms of a basic Clean/Dangerous verdict. That’s it. Analytic tools that should be in a threat intelligence system should be able to provide you with detailed information on how suspicious and malicious a file, a hash, an IP address, and even a URL is.

Such information includes their behavior, the exploit techniques, how rare the detected malware is, what tools were used by cybercriminals to be able to create it, and if you are to use a threat intelligence tailor report, it would be able to provide you with its history, who are its makers, its usual targets, and more.

2. Who is conducting the attack? Is it a trend I should be worried about?

See, a threat intelligence service should be based on a solid database of threats combined with expert analysis. It should not be a mashed-up combination of reports from one company to another.

Why are the comprehensive database and technical insights important? These are foundations of a good threat intelligence. With real-time data from all over the globe and threat monitoring through machine learning analyzed by human brains, you will be able to get a better context about malware.

Your threat intelligence service provider should be able to give you a malware’s full resume, including its malware family, an indication of compromise, historical statistics, and even its alleged “parents”. This is the part where a simple malicious file, hash, URL, and IP address may be linked to an APT attack and it is worth underlining that an in-depth APT report should be part of your threat intelligence service. This report should also include the target sectors, possible attributions, and motivations.

With the report giving context about a simple detection, you will know how to respond and even to beef up your existing security environment.

3. What actions should I take? What security changes should I make?

Now, the million-dollar question for one looking to ask a threat intelligence service: Can you predict the future? Believe it or not, a good threat intelligence service can actually provide you with the answer that might come across as mere fantasy to most people.

As part of your cybersecurity toolkit, a good threat intelligence service should be able to offer you tailored intelligence reporting. Such a report would ideally paint a comprehensive picture of your current attack status, vulnerable spots ripe for exploitation, and revealing evidence of past, present, and planned attacks. Correlating the previous threats, present detections, and the possible future attacks are essential to know how you should adapt your IT security posture. Remember that threat intelligence should always be actionable.

With such unique insights, your organization will be empowered to shore up its cybersecurity defenses and ward off attacks heading your way. With these data, you will be able to get a better grasp on how to handle it and how to move forward. Without these data, your staff may end up chasing their own tails.

These questions represent just the tip of the iceberg but should form the basis of your threat intelligence assessments.

Each organization is unique in terms of infrastructure and policies. One thing is for sure, no sophisticated cybercriminals can outsmart a security defense with a fully functioning system armed with real-time brain juice of threat intelligence.

3 replies »