A guide to threat management
Today's business environments are constantly evolving. As technology vendors introduce new and better products that promise greater efficiency and returns, IT managers stretch their budgets to bring as many of these devices into the workplace as they can, often running them alongside legacy equipment that is not quite ready to be retired. The number of computing and networking devices in a typical organization has also grown dramatically over the past three or four years, driven mainly by the trend toward bring your own device (BYOD) and the ubiquity of wireless networking.
The result is a heterogeneous, highly distributed IT infrastructure with a steadily expanding attack surface.
The characteristics and volume of security threats are changing, too. Keeping an organization's firewall, antimalware and similar protective measures working and up to date no longer guarantees protection against current threats. Staying on top of the threat landscape is a challenge, to say the least, and can easily overwhelm busy security professionals, but it is necessary for conducting business safely. That is where threat intelligence services enter the picture.
It is vital to know which threats exist and how they could affect an organization, especially where they could expose confidential data or intellectual property, or jeopardize its reputation or financial well-being. Threat intelligence services help mitigate these dangers, which can seem legion and overwhelming (see the next section), by helping organizations understand the threat landscape. They do this by gathering, analyzing and filtering raw data about emerging threats, then packaging the results as management reports for people and as machine-readable indicator feeds for automated security controls.
Possible hacker attacks and threats
The most common types of threats are malware (viruses, worms, Trojan horses, rootkits and so on), botnets and zero-day vulnerabilities: flaws for which no patch or other countermeasure has yet been developed or distributed, together with the exploits and malware that take advantage of them. All of these have existed for years in various forms and continue to be a pain point for security personnel.
Nowadays, privilege escalation, spear phishing and hacktivism are also rising sharply, as are advanced persistent threats (APTs). In privilege escalation, an attacker who already has some foothold exploits a vulnerability, such as a misconfigured system or a software bug, to gain rights beyond those granted, typically administrator or root access to resources that are normally off-limits to outsiders. Spear phishing is a targeted email attack in which an employee receives a message that appears to come from a trusted source but is actually from an attacker trying to extract confidential information or commit fraud. Hacktivism is breaking into a network or computer system to protest a political or social situation; it typically takes the form of website defacement, a denial-of-service attack that prevents others from reaching a website or network, or data theft.
Often misunderstood, an APT is typically well organized and well funded, conducted by governmental or nongovernmental actors (an activist group or an organized crime unit, for example), and can last for months or even years. Such attackers use advanced tooling, select specific targets and keep working against those targets, quietly maintaining access, until their objective is achieved.
Sometimes attackers work in concert, sharing resources, hacking tools, lists of targets and their known vulnerabilities, making these groups appear even more menacing, and definitely more efficient. It's impossible for most IT security personnel to adequately defend against such well-orchestrated threats on their own.
That's why it often pays to subscribe to a threat intelligence service.
Threat intelligence service benefits
A threat intelligence service provides analyzed, actionable threat information to help organizations defend against known or emerging threats before systems are compromised. Some of the benefits of subscribing to a threat intelligence service include the following:
- A threat intelligence service removes most of the manual work of researching, gathering and analyzing volumes of threat information from multiple sources, mainly across the Internet.
- A service has security analysts on staff who focus solely on intelligence. These analysts perform in-depth analysis of emerging threats, APT characteristics and zero-day vulnerabilities, and have a firm grasp of regional and global events that could affect an organization's operations.
- A service gives an organization access to resources and expertise for a set price that can become a known, budget-able operating expense.
- Some threat intelligence services provide guidance to help a specific organization, or specific types of organizations, "batten down the hatches" and reduce risk. For example, a service could help an organization identify actors who may be targeting its employees, for instance through spear-phishing email. The service might also provide mitigation and remediation services if the client organization is compromised.
Essentially, a threat intelligence service can help an organization take proactive steps to substantially reduce its vulnerabilities and the related risk, and focus on the business at hand.
However, not every organization is a good candidate for a threat intelligence service, partly because a comprehensive intelligence subscription can be costly. An organization needs to look at its overall security strategy, the value of the assets it needs to protect, and the capabilities of its security staff to determine if a threat intelligence service is a good fit.
Threat intelligence scenario #1: Organization with limited exposure
A low-exposure organization may be very small, relatively obscure or have a limited Internet presence or a website that only provides information, but with little or no interactivity. Consider a small company that specializes in restoring old, collectible books that are damaged.
The company's website describes its services and has a secure contact form, but takes orders over the phone or at a single storefront. This company probably doesn't store the type of information that attackers seek most often and doesn't draw attention for political or social reasons, and does not need to pay for a threat intelligence service.
However, maintaining a low profile doesn't protect internal computers that are Internet-connected from viruses, random scanning attacks and other threats, so a firewall, antimalware software and occasional full system security scans are still necessary. Remember, cybercriminals go for the low-hanging fruit whenever possible. Small businesses are often easier to hack than larger ones, which makes them susceptible to attacks whenever a vulnerability is exposed.
Threat intelligence scenario #2: Organizations with moderate to high exposure
An organization that sells products or services over the Internet (e-commerce), handles intellectual property (IP), is very large or well known, has multiple tiers of suppliers, has an active social media presence, or engages in political or social activities that other governments or social groups consider offensive is a prime target for attack. Such an organization cannot risk its customers' data or IP, and may be in a regulated industry that requires stringent security processes to protect the privacy of information.
This type of organization could use predictive threat intelligence to determine which malicious IP addresses, URLs and Internet-facing applications could harm the business, and then put appropriate countermeasures or risk mitigation strategies in place. It could also use threat intelligence to learn which vulnerabilities are most often exploited and to identify emerging malware that targets organizations of its type.
At the upper, more expensive end of threat intelligence, a service could work with an organization's own security operations center (SOC) to respond to advanced threats, analyze its perimeter network and defenses to thwart a distributed denial-of-service attack, or assist in the forensic analysis of a security breach.
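The "indicator feed into automated controls" step described above is easier to see in code than in prose. The following is an added example, not code from the original article or from any vendor's service. It assumes a simple CSV feed format (type, value, confidence, description) and a one-line-per-request proxy log; both are constructed for the illustration, with addresses drawn from the RFC 5737 documentation ranges and RFC 2606 example domains rather than real attacker infrastructure. Real feeds (STIX/TAXII, vendor JSON) differ in layout but carry the same kinds of indicators, and the matching rules (exact URL, domain with subdomains, IP inside a CIDR block) and the confidence threshold before anything is blocked automatically are the parts worth copying.

```python
"""Match a threat-intelligence indicator feed against proxy log lines.

Added example; the feed, indicator values and log lines are constructed.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed feed (not a real vendor format). Addresses come from the
# RFC 5737 documentation ranges and RFC 2606 reserved example domains.
FEED_CSV = """type,value,confidence,description
ipv4,198.51.100.23,90,scanner probing exposed admin panels
cidr,203.0.113.0/24,60,hosting range with mixed reputation
domain,example.net,95,spear-phishing landing domain
url,http://example.org/invoice.php?id=7,80,credential-harvesting page
"""

# Constructed proxy log lines: "<timestamp> <src_ip> <method> <url> <status>"
LOG_LINES = [
    "2024-05-01T10:00:01Z 10.0.0.5 GET http://example.org/invoice.php?id=7 200",
    "2024-05-01T10:00:02Z 10.0.0.7 GET https://cdn.example.com/app.js 200",
    "2024-05-01T10:00:03Z 10.0.0.9 POST https://login.example.net/submit 302",
    "2024-05-01T10:00:04Z 10.0.0.5 GET http://198.51.100.23/shell 404",
    "2024-05-01T10:00:05Z 10.0.0.11 GET http://203.0.113.77/ 200",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Indicator:
    kind: str          # "ipv4", "cidr", "domain" or "url"
    value: str         # indicator value as supplied by the feed
    confidence: int    # 0-100, as supplied by the feed
    description: str


def normalize_url(url):
    """Canonical form for exact-URL comparison: lowercase scheme and host;
    path and query are kept as-is because they are case-sensitive."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port, p.path or "/", p.query)


def parse_feed(text):
    """Parse the CSV feed, validating each indicator so a malformed row cannot
    silently become a rule that never matches (or matches everything)."""
    indicators = []
    for row in csv.DictReader(io.StringIO(text)):
        kind, value = row["type"].strip().lower(), row["value"].strip()
        if kind in ("ipv4", "cidr"):
            ipaddress.ip_network(value, strict=False)  # raises ValueError on garbage
        elif kind == "domain":
            value = value.lower().rstrip(".")
        elif kind == "url":
            if not urlsplit(value).hostname:
                raise ValueError(f"URL indicator without a host: {value!r}")
        else:
            raise ValueError(f"unknown indicator type {kind!r}")
        indicators.append(Indicator(kind, value, int(row["confidence"]), row["description"]))
    return indicators


def match_line(line, indicators):
    """Return the indicators that the log line's destination matches."""
    m = LOG_RE.match(line)
    if not m:
        return []                       # unparseable line: skip rather than guess
    url = m.group("url")
    host = (urlsplit(url).hostname or "").lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None                     # destination is a name, not an IP literal
    hits = []
    for ind in indicators:
        if ind.kind == "url":
            matched = normalize_url(url) == normalize_url(ind.value)
        elif ind.kind == "domain":      # exact domain or any subdomain of it
            matched = host == ind.value or host.endswith("." + ind.value)
        else:                           # ipv4 (a /32) or cidr
            matched = addr is not None and addr in ipaddress.ip_network(ind.value, strict=False)
        if matched:
            hits.append(ind)
    return hits


def scan_logs(lines, indicators, min_confidence=70):
    """Run every line through the feed and return (alerts, blocklist, talkers):
    alerts    - (line, indicator) for every match, destined for the SOC queue;
    blocklist - matched indicator values at or above min_confidence, the only
                ones safe to push to a firewall or proxy without a human look;
    talkers   - internal source IPs that reached indicator infrastructure,
                with hit counts, so those hosts can be triaged first."""
    alerts, blocklist, talkers = [], set(), {}
    for line in lines:
        for ind in match_line(line, indicators):
            alerts.append((line, ind))
            src = LOG_RE.match(line).group("src")
            talkers[src] = talkers.get(src, 0) + 1
            if ind.confidence >= min_confidence:
                blocklist.add(ind.value)
    return alerts, blocklist, talkers


if __name__ == "__main__":
    feed = parse_feed(FEED_CSV)
    found, block, hosts = scan_logs(LOG_LINES, feed)
    for line, ind in found:
        print(f"ALERT conf={ind.confidence:3d} {ind.kind:6s} {ind.value} <- {line}")
    print("block:", sorted(block))
    print("hosts to triage:", hosts)
```

With the constructed data, four of the five requests match, but only three indicator values make the automatic blocklist: the /24 range is matched yet sits below the 70 threshold, so it is raised as an alert for an analyst instead of being blocked outright. That split between "alert on everything" and "block only high-confidence indicators" is the point of feeding intelligence into controls without letting a low-quality feed cause an outage.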
What threat intelligence service is right for you?
Small, at-risk organizations may have difficulty finding a cost-effective threat intelligence service that's adequately comprehensive to achieve a return on investment. Many moderate-exposure and nearly all high-exposure organizations would benefit from threat intelligence, however.
Once an organization has determined that it is a candidate for a threat intelligence service, the next step is to select the service that best fits its needs. The next article in this series presents the criteria decision makers should use to compare threat intelligence services and decide which one best matches their organization's IT security profile.