Moving from Threat Intelligence Consumer to Producer
Most organizations are threat intelligence consumers, purchasing or collecting publicly available information about current cybersecurity threats. In this article, we discuss the value of becoming a threat intelligence producer and how an organization can do so with minimal in-house cybersecurity resources.
What is Threat Intelligence?
Threat intelligence is a term generally used to mean “any useful information for detecting and protecting against cyberattacks”. Examples include knowledge of the IP addresses used by certain malware families for command and control, information about an adversary’s tools, techniques, and procedures (TTPs), or any information that is useful in identifying the existence of a threat on the network. Several organizations specialize in producing and selling threat intelligence to other companies that want the ability to identify and protect against threats on their network but do not want to spend the resources necessary to generate intelligence on their own.
How is Threat Intelligence Produced?
Threat intelligence can be created in a variety of ways. Many organizations have proprietary means for collecting and analyzing data to create intelligence for purchase. Some common ways of producing intelligence include digital forensic and malware analysis, network analysis, and data aggregation and analysis.
Digital Forensics and Malware Analysis
One of the primary sources of threat intelligence is digital forensic and malware analysis. Some organizations deliberately set up insecure computers (called honeypots) in ways that increase the probability that they will be infected by malware. Once the honeypots have collected malware samples, the team analyzes the malware to extract useful information.
A less active approach taken by many organizations is to analyze any malware that infects their production systems. In many cases, this is a necessary part of ensuring that the infection has been completely eradicated. Extracting threat intelligence from the samples collected during that response is an integral part of securing the network after the attack.
Not all attacks use malware, and some use malware that never manages to infect endpoint systems. This can be because it is caught by the organization’s cyber defenses or is designed to infect a different type of system than the target endpoint. Alternatively, the attack may be malware-based but the organization is unable to capture a sample for analysis, either because the malware has built-in cleanup functionality or because the endpoints had to be restored to operation as quickly as possible to minimize downtime.
In these situations, network analysis can be a valuable source of threat intelligence. By analyzing network logs, an organization can potentially identify malware traffic. This traffic can provide a wealth of information about infection vectors and malicious IPs and domains without ever requiring anyone to look at the malware itself. This intelligence is valuable for improving antivirus signatures and collecting intelligence regarding a threat actor who may be specifically targeting the organization.
Data Aggregation and Analysis
In the world of threat intelligence, the identification of trends and anomalies is a major goal. Any information about how a threat actor operates or any change in their traditional TTPs can be vital to protecting organizations against cyber attacks.
The data collected via digital forensics, malware analysis, network analysis, public information, and any other data sources (alerts, logs, etc.) is commonly aggregated and analyzed to look for anything that may be of interest or value. The results of this analysis are then distilled into specific intelligence and provided to the producer’s clients and customers.
Becoming a Threat Intelligence Producer
Most organizations are threat intelligence consumers, not producers. Without a team of trained cybersecurity professionals, it is difficult to collect and analyze the volume of data necessary to become a player in the space and make selling intelligence a useful part of the organizational business model.
However, the generation of small-scale threat intelligence can greatly improve an organization’s cybersecurity. If a threat actor is specifically targeting an organization, publicly available threat intelligence may be of little or no value in identifying and containing the threat. By collecting, aggregating, and analyzing data about the threats that it personally encounters, an organization can generate threat intelligence that is valuable to its own cybersecurity and potentially has wider applicability as well (e.g., if the organization is the first to recognize a threat specifically focused on its industry or a subset of it).
To become a threat intelligence producer, an organization simply needs to collect any data that is readily available and perform some level of analysis on it. Even without performing in-depth analysis of malware, it’s possible to identify the original programming language, the probable native language of its developers, etc., which can be helpful in identifying trends in the threats that the organization has faced.
Analysis of alerts generated by the organization’s monitoring solutions may reveal traffic that can be linked to specific malware variants, threat actors, etc., which can be helpful in building a map of the types of threats that the organization commonly faces. Combining this with publicly available information can help an organization identify the threats that they are likely to face based upon the attacks that they have already experienced, which can be useful in improving cyber defenses and reducing the probability of a successful attack.
If an organization wants to generate threat intelligence that may be of value to other organizations as well, looking at the similarities and differences between the attacks that the organization has experienced (both successful and not) and the ones that it “should” have experienced (based on external threat intelligence) can be a valuable avenue to pursue. If an organization is experiencing attacks that they “shouldn’t” (based on known adversaries’ TTPs and common targets) or not experiencing ones that they “should”, trying to figure out what makes the organization different can be extremely valuable both to the organization and all threat intelligence producers and consumers.
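The kind of small-scale analysis described in the last three paragraphs can be done with very little tooling. The following is an added example (not code from the original article or from Sword & Shield): it parses a few constructed IDS/proxy alert lines, counts the destination IPs and domains they contain, correlates them with a constructed external feed, pivots from feed-known indicators to the unknown ones seen alongside them (the organization's own new intelligence), and lists the feed indicators for the organization's sector that were expected but never observed. The log format, field names, feed layout, and all indicator values are assumptions chosen for illustration.

```python
"""Correlate internal alerts with an external threat feed to produce local intelligence.

Added example, not part of the original article. All log lines, feed entries,
actor names and the log line format below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed alert lines (assumed format): timestamp, source, destination,
# contacted domain ('-' when none) and the signature that fired.
ALERT_LOG = """\
2024-03-01T10:02:11Z src=10.1.4.22 dst=203.0.113.5 domain=update-check.example sig=ET MALWARE Generic Beacon
2024-03-01T10:07:45Z src=10.1.4.22 dst=203.0.113.5 domain=update-check.example sig=ET MALWARE Generic Beacon
2024-03-01T11:30:02Z src=10.1.7.9 dst=198.51.100.77 domain=- sig=ET POLICY Suspicious UA
2024-03-02T08:15:33Z src=10.1.2.3 dst=192.0.2.44 domain=invoice-portal.example sig=ET PHISHING Credential Form
2024-03-02T09:01:19Z src=10.1.4.22 dst=203.0.113.5 domain=update-check.example sig=ET MALWARE Generic Beacon
"""

# Constructed external feed: indicator -> (actor, sector the actor is known to target).
EXTERNAL_FEED = {
    "203.0.113.5": ("ActorA", "finance"),
    "invoice-portal.example": ("ActorB", "finance"),
    "198.51.100.200": ("ActorC", "finance"),    # targets our sector, never seen here
    "192.0.2.99": ("ActorD", "healthcare"),     # not relevant to our sector
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) domain=(?P<domain>\S+) sig=(?P<sig>.+)$"
)


def parse_alerts(text):
    """Parse alert lines into dicts; malformed lines are skipped rather than fatal."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def extract_indicators(alerts):
    """Count how often each destination IP and domain appears across the alerts."""
    counts = Counter()
    for a in alerts:
        counts[a["dst"]] += 1
        if a["domain"] != "-":
            counts[a["domain"]] += 1
    return counts


def correlate(indicators, feed, sector):
    """Split observed indicators into feed-known and unknown, and list the feed
    indicators for our sector that we 'should' have seen but did not."""
    matched = {ind: feed[ind] for ind in indicators if ind in feed}
    unmatched = {ind: n for ind, n in indicators.items() if ind not in feed}
    expected_unseen = {
        ind: actor for ind, (actor, sec) in feed.items()
        if sec == sector and ind not in indicators
    }
    return matched, unmatched, expected_unseen


def pivot_unmatched(alerts, matched):
    """Attribute an unknown indicator to an actor when it appears in the same
    alert as one of that actor's feed-known indicators. This is the new,
    organization-specific intelligence the external feed did not contain."""
    new_intel = {}
    for a in alerts:
        pair = [a["dst"]] + ([a["domain"]] if a["domain"] != "-" else [])
        known = [p for p in pair if p in matched]
        if not known:
            continue
        actor = matched[known[0]][0]
        for p in pair:
            if p not in matched:
                new_intel[p] = actor
    return new_intel


def summarize_actors(matched, indicators):
    """Alert volume per actor, using the indicator counts of their matched IOCs."""
    per_actor = Counter()
    for ind, (actor, _sector) in matched.items():
        per_actor[actor] += indicators[ind]
    return per_actor


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_LOG)
    indicators = extract_indicators(alerts)
    matched, unmatched, expected_unseen = correlate(indicators, EXTERNAL_FEED, "finance")
    print("Known actors seen:", dict(summarize_actors(matched, indicators)))
    print("Unknown indicators:", unmatched)
    print("New attributions from pivoting:", pivot_unmatched(alerts, matched))
    print("Expected for our sector but not seen:", expected_unseen)
```

Run on the constructed data, the pivot step attributes the beacon domain to ActorA and the phishing page's IP to ActorB, neither of which the feed knew, while ActorC's indicator shows up as an expected-but-unseen gap worth asking about. Real deployments would read alerts from the SIEM and the feed from a STIX/TAXII or CSV source, but the correlate-then-pivot logic is the same.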
Why Produce Threat Intelligence?
Many organizations already professionally produce threat intelligence, so it may seem silly to spend the resources to do so when it’s possible just to buy it. The main reason to produce your own threat intelligence is scale. Most organizations producing threat intelligence are trying to make it applicable to as many potential customers as possible, so details specific to a certain organization may be glossed over or ignored in favor of larger trends. Also, if an organization is being specifically targeted, external threat intelligence may not be applicable or helpful, so internal creation of threat intelligence may be the only way to ensure organizational security.
Today’s information security program demands a proactive approach that offers transparency. To answer this need, Sword & Shield’s Managed Security Services offers advanced perimeter defense and automated deception services through our 24/7 security operations center.
Request a consultation to learn more.