The diverse use cases of threat
intelligence make it an essential resource for cross-functional teams in any
organization. Although it’s perhaps the most immediately valuable when it helps
you prevent an attack, threat intelligence is also a useful part of triage,
risk analysis, vulnerability management, and wide-scope decision making.
Incident Response
Security analysts in charge of incident response report some of the highest levels of
stress in the industry, and it’s no wonder why — the rate of cyber incidents
has steadily climbed over the last two decades, and a high proportion of daily
alerts turn out to false positives. When dealing with real incidents, analysts
must often spend time painstakingly sorting through data manually to assess the
problem.
Threat intelligence reduces the pressure in multiple ways:
· Automatically identifying and
dismissing false positives
· Enriching alerts with real-time
context, like custom risk scores
· Comparing information from internal
and external sources
Recorded Future users identify risks 10 times faster than they did before
integrating threat intelligence into their security solutions, giving them days
more time on average to respond to threats in an industry where even seconds
can matter.
Security
Operations
Most security operations center (SOC) teams must deal with
huge volumes of alerts generated by the networks they monitor. Triaging these
alerts takes too long, and many are never investigated at all. “Alert fatigue”
leads analysts to take alerts less seriously than they should. Threat
intelligence solves many of these problems — helping gather information about
threats more quickly and accurately, filter out false alarms, speed up triage,
and simplify incident analysis. With it, analysts can stop wasting time
pursuing alerts based on:
· Actions that are more likely to be
innocuous rather than malicious
· Attacks that are not relevant to that
enterprise
· Attacks for which defenses and
controls are already in place
As well as accelerating triage, threat intelligence can help SOC teams
simplify incident analysis and containment. Recorded Future users resolve
threats 63 percent faster, cutting the critical hours they spend on remediation
by more than half.
Vulnerability
Management
Effective vulnerability management means shifting from taking a
“patch everything, all the time” approach — one that nobody can realistically
ever achieve — to prioritizing vulnerabilities based on actual risk.
Although the number of vulnerabilities and threats has increased every
year, research shows that most threats target the same, small proportion of
vulnerabilities. Threat actors are also quicker — it now only takes fifteen
days on average between a new vulnerability being announced and an exploit targeting
it appearing.
This has two implications:
· You have two weeks to patch or
remediate your systems against a new exploit. If you can’t patch in that
timeframe, have a plan to mitigate the damage.
· If a new vulnerability is not
exploited within two weeks to three months, it’s unlikely to ever be — patching
it can take lower priority.
Threat intelligence helps you identify the vulnerabilities that pose an
actual risk to your organization, going beyond CVE scoring by combining
internal vulnerability scanning data, external data, and additional context
about the TTPs of threat actors. With Recorded Future, users identify 22
percent more real threats before they have a serious impact.
Risk Analysis
Risk modeling can be a useful way for organizations to
set investment priorities. But many risk models suffer from vague,
non-quantified output that is hastily compiled, based on partial information,
based on unfounded assumptions, or is difficult to take action on.
Threat intelligence provides context that helps risk models make defined
risk measurements and be more transparent about their assumptions, variables,
and outcomes. It can help answer questions such as:
· Which threat actors are using this
attack, and do they target our industry?
· How often has this specific attack
been observed recently by enterprises like ours?
· Is the trend up or down?
· Which vulnerabilities does this
attack exploit, and are those vulnerabilities present in our enterprise?
· What kind of damage, technical and
financial, has this attack caused in enterprises like ours?
Asking the right questions with Recorded Future’s threat intelligence is one of the ways
users see an 86 percent reduction in unplanned downtime — a huge difference
when even a minute of downtime can cost some organizations up to $9,000 in lost
productivity and other damages.
Fraud Prevention
To keep your organization safe, it isn’t enough to only detect and
respond to threats already exploiting your systems. You also need to prevent fraudulent uses of your data or brand.
Threat intelligence gathered from underground criminal communities
provides a window into the motivations, methods, and tactics of threat actors,
especially when this intelligence is correlated with information from the
surface web, including technical feeds and indicators.
Use threat intelligence to prevent:
· Payment fraud — Monitoring sources like criminal communities, paste sites, and
other forums for relevant payment card numbers, bank identifier numbers, or
specific references to financial institutions can provide early warning of
upcoming attacks that might affect your organization.
· Compromised data — Cybercriminals regularly upload massive caches of usernames and
passwords to paste sites and the dark web, or make them available for sale on
underground marketplaces. Monitor these sources with threat intelligence to
watch out for leaked credentials, corporate data, or proprietary code.
· Typosquatting — Get real-time alerts on newly registered phishing and typosquatting
domains to prevent cybercriminals from impersonating your brand and defrauding
unsuspecting users.
By avoiding more breaches with threat intelligence, Recorded Future users
are able to save over $1 million per potential breach through damaging fines, penalties,
and lost consumer trust.
Security
Leadership
CISOs and other security leaders must manage risk by balancing limited
available resources against the need to secure their organizations from
ever-evolving threats. Threat intelligence can help map the threat landscape,
calculate risk, and give security personnel the intelligence and context to
make better, faster decisions.
Today, security leaders must:
· Assess business and technical risks,
including emerging threats and “known unknowns” that might impact the business
· Identify the right strategies and
technologies to mitigate the risks
· Communicate the nature of the risks
to top management, and justify investments in defensive measures
Threat intelligence can be a critical resource for all these activities,
providing information on general trends, such as:
· Which types of attacks are becoming
more (or less) frequent
· Which types of attacks are most
costly to the victims
· What new kinds of threat actors are
coming forward, and the assets and enterprises they are targeting
· The security practices and
technologies that have proven the most (or least) successful in stopping or
mitigating these attacks
It can also enable security groups to assess whether an emerging threat
is likely to affect their specific enterprise based on factors such as:
· Industry — Is the threat affecting other businesses in our vertical?
· Technology — Does the threat involve compromising software, hardware, or other
technologies used in our enterprise?
· Geography — Does the threat target facilities in regions where we have
operations?
· Attack method — Have methods used in the attack, including social engineering and
technical methods, been used successfully against our company or similar ones?
With these types of intelligence, gathered from a broad set of external
data sources, security decision makers gain a holistic view of the cyber risk
landscape and the greatest risks to their enterprise.
Here are four key areas where threat intelligence helps security leaders
make decisions:
· Mitigation — Threat intelligence helps security leaders prioritize the
vulnerabilities and weaknesses that threat actors are most likely to target,
giving context on the TTPs those threat actors use, and therefore the
weaknesses they tend to exploit.
· Communication — CISOs are often challenged by the need to describe threats and
justify countermeasures in terms that will motivate non-technical business
leaders, such as cost, impact on customers, new technologies. Threat
intelligence provides powerful ammunition for these discussions, such as the
impact of similar cyber attacks on companies of the same size in other industries or
trends and intelligence from the dark web indicating that the enterprise is
likely to be targeted.
· Supporting leaders — Threat intelligence can provide security leaders with a real-time
picture of the latest threats, trends, and events, helping security leaders
respond to a threat or communicate the potential impact of a new threat type to
business leaders and board members in a timely and efficient manner.
· The security skills gap — CISOs must make sure the IT organization has the human resources
to carry out its mission. But cybersecurity’s skills shortage means existing
security staff frequently cope with unmanageable workloads. Threat intelligence
automates some of the most labor-intensive tasks, rapidly collecting data and
correlating context from multiple intelligence sources, prioritizing risks, and
reducing unnecessary alerts. Powerful threat intelligence also helps junior
personnel quickly “upskill” and perform above their experience level.
