Would your business benefit from threat intelligence?
In April 2019, it was announced that GCHQ would share threat intelligence information with cloud and managed security providers. This step means that these cyber security providers can take a precautionary approach so that they can block large phishing and malware attacks. This comes after the NCSC was established in 2016; since then, the UK-hosted share of global phishing has fallen below 2%.
This sharing mentality will enable a wide range of industries to take a prevention-rather-than-cure approach when it comes to cyber threats and data breaches. A recent survey of US security IT decision makers found that 94% would be willing to share threat intelligence information within the industry if it would help them improve their ability to discover threats. Alongside this, 92% of respondents stated that they would increase threat sharing with the government, so that the government could use political, economic, cyber, or other national-level capabilities to dissuade cyber-attacks.
Why do you need threat intelligence?
Threat intelligence is data or information that businesses use in order to understand existing and potential threats that are targeting organisations. With this information, they are able to identify, prepare and put preventative measures in place, all while taking advantage of any valuable resources.
As technology advances, cyber threats also proliferate. For example, in 2005, there were 123 new strands of malware found every day - 10,000 of which were new strains. 11 years later, research has shown that four new strands of malware were discovered every second during Q3 of 2016.
Cyber threats pose massive risks to any organisation, and not just within the IT department. From experiencing downtime to sensitive information being compromised, this can lead to a loss of revenue, high customer attrition and brand damage. A recent survey from Microsoft found that a data breach costs a business an average of £2.9 million. Once the average business has suffered this catastrophic financial blow, it makes it near enough impossible to continue business as usual.
However, while cyber security products act as a barrier of defence and take a proactive approach to your business's cyber strategy, they cannot protect you against every single threat. This means you need to know where to look, which is what cyber threat intelligence can help with. When done properly, cyber threat intelligence measures valuable data, analysing and disseminating this information in order to help you to make smarter business decisions. This essential data helps to highlight any potential attacks that may be critical, which means that you can update your protection measures accordingly. Through the early detection and investigation of these incidents, you're then able to determine the intent of the cyber criminals.
There are certain industries, such as banks, that hold particularly valuable data, and are therefore at a higher risk of being subject to a data leak or exploit. In 2017, Santander, RBS, HSBC, Tesco Bank, Clydesdale and Yorkshire Banking Group, and Barclays were all victims of a DDoS attack, forcing them to either reduce their operations or shut down their entire system, thus putting them into downtime. The National Crime Agency (NCA) stated that this cyber attack had cost the banks thousands of pounds. Cyber criminals launched a DDoS attack from the website Webstresser (which costs as little as £11 per month to use), and were able to flood their sites with alarmingly high volumes of traffic, giving them access to sensitive customer information.
Earlier this year, the European Union Agency for Law Enforcement Cooperation, Europol, announced that “actions are currently underway worldwide to track down the users” of the former DDoS marketplace, Webstresser.org. The site was shut down in April 2018 as part of Operation Power Off, and the site administrators were arrested.
The site had over 136,000 registered users, and there were 4 million attacks measured by April 2018. Had intelligence information about this site been shared with industries that were at risk of a cyber attack, they may have been able to put preventative measures in place and prevent this attack.
How does cyber threat intelligence work?
Cyber threat intelligence works alongside the Incident Response process within cyber security software, thus helping to reduce organisational risk. Threat intelligence supports the security operations centre (SOC) and gives input to fulfil requests for information (RFIs) that are on the management board across departments. It's important to remember that threat intelligence isn't new - this process has been utilised throughout history, via many different methods. We've named a few below.
Open-source intelligence (OSINT)
Open-source intelligence is a form of threat intelligence that collects information from publicly available sources, such as news sites, social media platforms and public reports. Thanks to the sudden growth of instant communication, more data is available. This form of intelligence looks at patterns in conversation and specific signals.
Financial intelligence (FININT)
Financial intelligence collates sensitive data about the financial capabilities or motivation of cyber attackers. This method is usually used to detect any suspicious transactions in the context of law enforcement.
Tech intelligence (TECHINT)
Tech intelligence is a form of threat intelligence that assesses the material and equipment of opponents. From this data, businesses can then make smarter decisions and put protective measures in place to keep their equipment secure.
Cyber intelligence (CYBINT)
Cyber intelligence looks at the collection of data across a variety of intelligence-collection disciplines.
Midlands-based CyberGuard utilise two strands of threat intelligence data. Firstly, this consists of information from existing CyberGuard customers, gathered by their own Unit 12 intelligence team, and focussed on SMEs in the UK. Secondly, global intelligence data is provided through Kaspersky Lab, due to a unique agreement with CyberGuard to deliver this service in the UK.
Through working with Kaspersky, CyberGuard can provide global threat data from hundreds of different sources, utilising a combination of machine learning and artificial intelligence. As Paul Colwell, Technical Director at CyberGuard, notes: “Kaspersky provide us with threat data to enhance our own intelligence team, Unit 12, who gather information for our customers on cyber-attacks. This data is then analysed thoroughly to allow us to make fully informed strategic decisions regarding cyber-threats so we are able to detect future attacks. By working with Kaspersky threat intel, we can not only help protect small to mid-sized businesses in the UK but large enterprise companies that may be targeted by advanced threat actors.”
Ultimately, gathering threat intelligence gives you insight into potential cyber attackers: who they are, their rationale, the data they are looking for, and the technologies they are using. All this helps your IT and security team to mitigate these attacks, providing crucial information, reducing the time of discovery and enabling a proactive - rather than reactive - approach to cyber security.