Getting value from threat intelligence

Whether you run a security function, manage systems, or perhaps run a organisation in its entirety, a key responsibility is being aware of threats to your organisation. If your company uses IT, then information security risks should be considered as one of the most critical to your organisation. Dealing with these risks requires you to know they exist, and this is where threat intelligence is used. However, if you’re not careful, you’ll be staring at a mountain of technical, potentially conflicting, and useless information that will do nothing to make your organisation more secure.

Larger organisations that have IT departments, and more often than not a dedicated security team will already understand this. However moving to the SME, you’ll find comments ranging from “I understand, but what do I need to do?”, though “That’s interesting, but I have an IT guy to deal with it”, and onto “But my company’s job is to sell widgets, why do I care about that?” There’s a figure circulating on the internet that 60% of small and medium sized companies fail within 6 months of being hacked. This figure cannot be collaborated, so should be treated as suspect, however with the cost associated with a breach starting in the thousands and growing explosively, it’s not hard to believe

So how do you get the most value from your threat intelligence, and how do you use it to keep your organisations safe?

Using the news

No matter how big your organisation is, or what your position is, the news is a great source of threat intelligence once you know how to interpret it. If you go looking blindly, you’re going to be overwhelmed by a torrent of information.

In my news feed, I get up to 30 daily articles, and I get a daily report from one of my company’s threat feeds which may contain another 10-30 items (Some of which I’ve already seen, others I haven’t). On top of this, I receive weekly alerts, and periodic updates from the National Cyber Security Centre (NCSC). I try to dedicate 30-60 minutes of my working day to horizon scanning using these feeds.

A selection of news feeds for Threat Intelligence
A selection of my publicly available news feeds. I use the Feedly RSS aggregator to keep these organised and in one place.

Obviously, reviewing up to 50 news articles, and forming a considered opinion of how it applies to your organisation is far more than can be done in 30-60 minutes, and if you’re not actively involved in security, is not something you’re going to be able to do every day. This means you’ll need to filter what you read, and depending on your situation, ask certain questions of yourself and others.

Consider the three scenarios and choose the one that applies most closely to you:

1. I am responsible for information security in an organisation that does not have IT or security staff

In this scenario, try to spend at least half hour per week reviewing the news. Things to consider:

Definitely read:

  • Legislative and Regulatory changes, such as The Register reporting on a Franco-German cloud security framework that could change the way your organisation uses the cloud if you have a European presence.
  • Breaches involving novel attacks, such as these man-in-the-middle frauds that, while not sophisticated, haven’t been widely seen before and could therefore put your organisation at risk.
  • News involving your industry peers where they have suffered a compromise or made a faux-pas. If they were targeted, could you be next; or could their actions spark a thematic review if you’re part of a regulated industry?
  • Anything that could involve changes to the way your organisation operates such as Covid-19. While it isn’t a security threat in and of itself, the way it caused a rapid and unplanned move to remote working for many organisations could open you up to compromise.

Less important to read:

  • News about attacks using well known techniques such as a ransomware attack against a significantly different company. Such attacks are common and you should have already considered the risk of it to your organisation.
  • News about attacks against systems and technologies your organisation isn’t using. If you don’t have your own e-commerce system, then there is likely to be little about the Easyjet breach of relevance to your organisation.

These should be skimmed on a case by case basis for reference to incidents involving systems used within your organisation.

Questions to ask:

  • “Do I understand what this means to my organisation?” If not, consider seeking external guidance. Many companies ignored the GDPR changes because they didn’t understand the significance, despite it resulting in major changes, even to organisations with minimal use of IT.
  • “If this impacts me, do I know what to do?” Again, if not, consider seeking external guidance.
  • “If I need to take action, how urgent is it?” Some news will require you to take action immediately, other news (especially regarding regulatory changes) may take some years to become relevant, but you still need to be aware of it.

2. I am accountable for my organisation’s information security, but responsibility has been delegated:

In this scenario, you can spend less time reading the news, however spending an hour a month allows you to provide appropriate challenge to those maintaining the security of the organisation and ensure that key risks are being addressed.

In terms of what you should read and don’t need to worry about, it’s much the same as above. The questions you should ask change however:

  • “Are you aware of this?” While your security team should be aware of the news you’ve read, never assume they are!
  • “What risk does this pose to the organisation?” The person you’re asking should be the expert, with an appropriate grasp of your organisation’s business to be able to articulate the risk.
  • “Does their explanation correlate with mine?” If your understanding of the risk and theirs differ significantly, take time to establish a shared understanding.
  • “Do you have what you need to deal with this?” If the risk applies to your organisation, it could result in significant changes that may need additional funds and/or resources.

3. I am a Security Analyst or Security Manager for my organisation:

In this scenario, you should be dedicating a portion of your day to reviewing security-related news. 30-60 minutes per day would be appropriate. You’ll be looking at the news in more detail and building an understanding of wider security trends.

Definitely Read:

  • Anything your boss should be reading: If your boss has read about it, expect to be asked the questions above.
  • News relating to attacks against other organisations that could affect you. Just because an attack is common, or against a totally different industry sector, attempt to understand what went wrong for them and whether that could affect you.

It is worth taking a 30 second skim read of any other article. Just because it may not initially seem relevant to you, it doesn’t mean that there isn’t a small connection to your organisation. An analyst reading about the Travelex breach in early 2020 should have spotted that the compromise involved the Pulse Secure VPN – which should have then raised a red flag for other organisations using the same platform.

Getting Organised:

Don’t rely on Google for this! Get yourself organised with a news feed aggregator where you can add in the news feeds of websites you have found useful information on previously. This will allow you to quickly sort through and find relevant articles from large amounts of information, as well as saving them for later review.

Questions to ask:

  • “Does this affect my organisation?” Establish if your organisation is vulnerable to, or otherwise affected by the news.
  • “Is this a new or developing situation?” If it’s a developing situation, you need to understand has the risk changed, and the background to the story.
  • “How much risk does this present to the organisation?” You should establish this and compare it with your organisational risk appetite. If it’s above that appetite, then you will need to consider how the risk can be managed.
  • “How can we manage this?” You should use appropriate assurance to determine your exposure to the threat, and understand what people, process, and technology changes may be needed.

What to prepare:

  • Prepare a brief summary of news that is directly relevant to your organisation based on your review above.
  • For each item include guidance for managing the impact of that news on your organisation. This guidance should be coached in terms of action the organisation is taking or should take in lieu of general advice.

Get intelligence that applies to you

Once you’ve harvested all the information that’s publicly available and worked on it’s impact to your organisation, you can go a step further and understand which threats may be targeted at you directly.

If you’re a small to medium company that’s not working in a niche or high-profile market, the likelihood of your organisation being explicitly targeted is very low, in which case you can safely ignore this section. Otherwise read on, as the best intelligence is that which is directly applicable to your organisation.

This type of threat intelligence will be delivered through a Security Operations Centre (otherwise known as a SOC). Very few organisations can justify the expense of running a 24×7 operation, so most SOCs are of the managed variety, through an Managed Security Services Provider (MSSP), of which there are a wide range available from small companies to large multinational organisations that can provide a wide range of services.

What a SOC service will do for you is collect events from your servers; desktops; firewalls; and other devices connected to your network, and alert on potential threats, or indications of compromise. If they find something suspicious, or potentially suspicious, you’ll be emailed about it and given guidance on how you can go about fixing it. If there’s evidence that you’ve already been compromised, expect a phone call – even if it’s 3am – on Christmas day! Just because you’re not working, it doesn’t mean the criminals are taking a holiday.

Other services you may get from a SOC include targeted searches for information about your organisation and its high profile staff. This may include searches on the “dark web” – the bit of the internet not accessible via a normal web browser, and a known hotspot for illicit online activity. This is where you may find out about information about your company that is being traded online, or where your executives’ emails have been stolen.

Additionally consider investing in a vulnerability management tool, which will scan your devices for missing patches or misconfigurations which could allow a threat to compromise your organisation. Such scans should be run regularly and findings remediated promptly.

In Conclusion

This may be a lot to take in, but essentially distils down to a saying along the lines of “It’s less painful to learn from someone else’s mistake than your own.” Using threat intelligence intelligently is the key to doing this. Reading the news should never be seen as a luxury, rather it should be seen as an essential part of the job and encouraged.

I encourage my teams to spend a little time every day doing some reading in the manner discussed above. Where it reveals something on interest, I make a point to discuss it within a team meeting such that everyone understands the significance of it.


Leave a Comment

Your email address will not be published. Required fields are marked *