Relying on Actionable Intelligence to Thwart Emerging Cyber Threats

By Gene Yoo, Chief Executive Officer, Resecurity

Cyberspace has long been an incubator from which security threats arise, but more and more, it is the incubator. And the conduit. And the arena in which security battles are fought. And it’s no longer merely the domain of hacktivists and cybercriminals. Increasingly, the actors are state-sponsored, and the tools and tradecraft in use are increasingly sophisticated. After land, sea, air, and space, cyberspace has become the fifth domain of warfare.

For all these reasons, cybersecurity has become much more important — and much more challenging — than ever, and no organization, public, private or governmental, is too small or too large to be immune from attack. Here’s what we’re up against:

  • The Dark Web: The rapidly growing dark web is an ecosystem where threat actors collaborate, exchange and monetize stolen data. It’s a place where threat actors offer cybercriminal services and products, including new tradecraft for cyberespionage campaigns and targeted attacks against enterprises and governments. It’s also a valuable source of data for nation-states actors, who use it as a resource for recruiting other cybercriminals and acquiring new tradecraft for further attacks.
  • A Multitude of Motives: Cybercriminals seek opportunities to enrich themselves or their organizations. Hacktivists launch attacks both to further geopolitical goals and because they enjoy disruption. Government intelligence services or their mercenaries conduct cyber espionage and cyber offensive operations on behalf of the states they serve.
  • Evolving Tradecraft: Increasingly, the tradecraft ranges from the simple to the most sophisticated. Hacktivists and cybercriminals routinely rely on a range of modified tools acquired on the dark web while nation-state actors and their proxies may use unique, highly advanced tools, including zero-day vulnerabilities and sophisticated implants that can deliver a malicious payload without being detected.
  • Accelerating Change: With new actors and new tradecraft continuously emerging, the threat landscape is changing faster than ever. Even the targets and goals are evolving rapidly: Threat actors are attacking targets of all sizes — to extort money, to steal intellectual property, to penetrate into the supply chain, to cripple critical operations, even to exert leverage by threatening the target’s customers.

An Intelligence-Driven Approach to Cybersecurity

In the face of a highly dynamic threat environment, all organizations — in the public, private and governmental sectors — require a new approach to cybersecurity. We can combat the threats from cyberspace, but doing so requires a more holistic and integrated response than we’ve seen in the past. Two elements that have been missing include timely, high-quality cyber threat intelligence and the ability to transform that intelligence — rapidly — into a stronger defensive posture.

Human, Contextualized Intelligence

Why start with threat intelligence? Because good threat intelligence is the key to helping an enterprise minimize its risk profile. Too much of what passes for threat intelligence today is misleading and speculative. Good threat intelligence goes beyond the raw data that has been culled by machines, even those using well-designed AI tools. Good threat intelligence has been analyzed, validated and contextualized by human intelligence professionals and threat hunting teams. The synergy between operatively sourced high-quality intelligence with experienced security researchers enables an organization to establish proper protection and mitigation measures.

Good threat intelligence will include technical, tactical and strategic intelligence that provides leadership with finished information to facilitate decision-making and mitigate risk. Technical threat intelligence includes everything from indicators of compromise (IOCs) and indicators of attack (IOAs) to details on the latest tools, techniques, and processes (TTPs). Tactical intelligence includes threat actor attribution, tradecraft use details, and more. Strategic intelligence includes information of unique relevance to an individual organization’s industry, geography, and digital footprint. Each type of intelligence must be contextualized and actionable, as the time-to-live for some indicators is very short, though they still may be valuable for threat identification. Good threat intelligence will also include input from domain experts, who can take into account an organization’s geographies of operation, unique threat landscape, and operational profile. Domain experts can make threat intelligence targeted, relevant and actionable for the organization consuming this intelligence.

With quality threat intelligence, security professionals can connect the dots between seemingly disparate artifacts and visualize a coherent picture of the true threat landscape. That’s a critical advance because it’s easier to thwart the attack you know is coming than to respond after the attack is already underway.

Operationalized Intelligence

The second element that 21st-century organizations will require is a way to work with the threat intelligence — on technical, tactical and strategic levels. The age of “threat feeds” has passed. The information they provided lacked context and quality, as anyone who tried to work with them quickly discovered. The age of isolated endpoint agents and legacy anti-virus applications has also passed. Focusing only on endpoint protection misses vital areas of vulnerability.

We need to view the enterprise as an ecosystem, one that changes dynamically and grows rapidly. That ecosystem needs an integrated, enterprise-wide platform of security tools that can ingest good threat intelligence and then operationalize that intelligence properly throughout that ecosystem — including an organization’s endpoints, networks, clouds, IoT devices, supply chains and more. This would enable the organization to protect its people, data and processes — even its brand and reputation — from any emerging cyber threat.

Stealing the Fight from the Bad Guys

Cybercriminals, nation-state agents and other threat actors will continue to appear at an accelerating rate. New and updated tradecraft will continue to find its way into the markets of the dark web. If we accept these realities and do nothing but a hope that our existing technological defenses will hold, we increase the likelihood that those who would attack us will eventually land a blow — one that could be catastrophic.

High-quality threat intelligence, though, can help us stay ahead of the threats, give us advanced insight about what threat actors are doing, and learn what tradecraft is gaining traction in the dark web. When we have a mechanism enabling us to operationalize that intelligence throughout the enterprise, we can adjust our defenses to provide optimal protection the moment we have insight into what could be coming.

In short, we steal the fight from the bad guys. That’s going to be the best way to ensure security going forward. We need to be proactive. We need access to high-quality, human-vetted threat intelligence. We need to be able to transform that intelligence into real and meaningful action. We’ll never be fully immune to attacks emanating from cyberspace, but we can be very well prepared when they arrive.

About the Author

Gene Yoo is CEO at Resecurity, which provides endpoint protection, risk management, and threat intelligence for large enterprises and government agencies worldwide. He has more than 25 years of experience in cybersecurity for some of the world’s largest brand names, such as Warner Bros., Sony, Computer Science Corporation, Coca-Cola Enterprise, Capgemini, and Symantec. Most recently, he served as senior vice president and head of information security for Los Angeles-based City National Bank. He also served in an advisory role to Phantom (acquired by Splunk), ProtectWise (acquired by Verizon), Elastica (acquired by Blue Coat), and Vorstack (acquired by ServiceNow).

For more information on Resecurity, please visit www.resecurity.com; follow the company blog at https://resecurity.com/blog/ and on LinkedIn and Twitter.