Better organised, but less opaque, cybercrime
There have never been as many cyberattacks as in recent months: Sony, TV5 Monde, VTech and others. No organisation has been spared, and none will be in the coming months or years.
Whether the aim is the theft of strategic data (cyber espionage) or of personal data (organised cybercrime), organisations struggle against attackers who use increasingly targeted techniques. Despite major, and still growing, investment in protection solutions, they are outpaced by attackers who are free to evolve their intrusion techniques and to learn ever more about their targets. A real imbalance has formed between organisations and attackers, giving the latter a technological and organisational head start and letting them adapt their methods to increase the damage they cause.
Costing close to 440 billion dollars each year (1), cybercrime is a flourishing industry, increasingly structured around markets where anything can be bought and sold. A few years ago cybercriminals professionalised the way they conducted attacks (coordination, communication, etc.); today we are seeing a vertical model organised by sector or by type of attack. This vertical model implies recurring, and therefore identifiable, modus operandi. What looks like a growing threat is actually an opportunity that could reduce the imbalance between attackers and their targets, thanks to threat intelligence.
Threat intelligence to rebalance the forces
The concept of 'threat intelligence' first appeared about two years ago. It borrows from the way intelligence agencies are organised to address asymmetric dangers that may threaten national security. According to Gartner, threat intelligence is "evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."
Threat intelligence distinguishes between information and intelligence. Much of what so-called threat intelligence solutions deliver today is information: a volume of unevaluated, indiscriminately collected data that is not actionable, that is, it cannot be the basis of an effective action plan. Moreover, because it has not been verified, some of it may actually be false. Intelligence, on the other hand, as provided by genuine threat intelligence tools, is contextualised, collected from reliable sources, verified and cross-checked by experts (to avoid false positives), and can be used to anticipate attacks.
Combining threat intelligence with this evolution of cybercriminals makes it possible to identify their modus operandi (for example, how a given group coordinates its attacks: who are its preferred social-engineering targets, and how does it approach them? What path does it take to reach its objectives?) and to set up actions appropriate to the threat, such as an awareness campaign on social engineering.
Another example based on this vertical model: using intelligence specific to the banking sector, a bank can anticipate attacks and raise its protections, allocating its resources efficiently to prevent future attacks.
Clearly, the main objective of this approach is to react efficiently and to put CISO teams in a defensive posture by informing them of the modus operandi used by attackers, so that they can adapt their defence tactics dynamically. Threat intelligence also helps company management better understand the CISO's issues.
Far from being a marketing concept, threat intelligence aims to reshuffle the cards by giving companies and organisations a trump card to minimise the impact of cyberattacks on their activities. Again according to Gartner, by 2018 close to 60% of companies will use threat intelligence to define their strategy.
The major principles of threat intelligence
Intelligence on cyber threats is organised in layers, each corresponding to a different need:
- Operational (or technical) intelligence: attack-related technical data that could affect a specific company: malware targeting the company and its clients, compromised IP addresses, specific vulnerabilities, concealed information, etc. With this data, companies can pick up the weak signals of a past or imminent attack in order to block or detect it quickly.
- Tactical intelligence: the goal is to provide information security (ISS) teams with methodological forecasts over roughly six months, placed in the context of their sector. This intelligence is very finely qualified by specialised analysts, and it helps the organisation position its defences against coming threats.
- Strategic intelligence: always fed by human analysis and forward-looking assessment, this form of intelligence helps companies predict the impact of security on their business activities: setting up in a risky country, the launch of a new offer, etc.
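The operational layer is the one that ends up in tooling, and the information-versus-intelligence distinction above is what decides whether that tooling helps or floods the SOC. The following is an added example, not code from the original article or from any vendor's product: indicators from a feed are matched against proxy logs, but each indicator carries context (source, confidence, expiry), and that context rather than the bare match decides whether a hit is blocked, sent to an analyst, or merely logged. The indicator records, the log format, the log lines and the thresholds are all constructed for the example; the addresses come from the RFC 5737 documentation ranges and the domains are reserved example names.

```python
"""Matching operational threat-intelligence indicators against proxy logs.

Added example, not code from the original article. The indicator records,
the proxy log format, the log lines and the action thresholds are all
constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Indicator:
    value: str          # the IP address or domain name itself
    kind: str           # "ip" or "domain"
    source: str         # feed or collection method the indicator came from
    confidence: int     # 0-100: how far the source has verified it
    context: str        # what the indicator is believed to mean
    valid_until: date   # indicators go stale: addresses and domains get reused


# Constructed indicator set: verified vendor indicators, one raw scrape,
# one peer-shared suspicion and one verified but expired indicator.
INDICATORS = [
    Indicator("203.0.113.7", "ip", "vendor-feed", 90,
              "C2 server for a banking-trojan campaign", date(2016, 3, 31)),
    Indicator("198.51.100.23", "ip", "pastebin-scrape", 20,
              "appeared in an unverified IP dump", date(2016, 6, 30)),
    Indicator("192.0.2.50", "ip", "vendor-feed", 95,
              "exploit-kit landing host", date(2015, 10, 1)),
    Indicator("updates.example.net", "domain", "vendor-feed", 85,
              "phishing-kit staging host", date(2016, 6, 30)),
    Indicator("secure-login.example.org", "domain", "peer-share", 55,
              "suspected credential-phishing domain reported by a peer", date(2016, 4, 30)),
]

# Constructed proxy log lines: timestamp, client, destination IP, Host header,
# method and path, space-separated.
LOG_LINES = [
    "2016-02-10T09:12:33Z 10.0.0.5 203.0.113.7 203.0.113.7 GET /gate.php",
    "2016-02-10T09:13:01Z 10.0.0.8 198.51.100.23 cdn.example.org GET /js/app.js",
    "2016-02-10T09:14:20Z 10.0.0.9 192.0.2.50 192.0.2.50 GET /index.html",
    "2016-02-10T09:15:45Z 10.0.0.5 203.0.113.99 updates.example.net POST /upload",
    "2016-02-10T09:16:02Z 10.0.0.11 192.0.2.10 www.example.com GET /",
    "2016-02-10T09:17:30Z 10.0.0.8 203.0.113.40 secure-login.example.org GET /login",
]

# Date the matching is run on; indicators past their valid_until are ignored.
TODAY = date(2016, 2, 10)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst_ip>\S+) (?P<host>\S+) "
    r"(?P<method>\S+) (?P<path>\S+)$"
)


def parse_log_line(line):
    """Split one proxy log line into its fields; raise on anything unexpected
    rather than silently matching nothing."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError("unparsable log line: %r" % line)
    return m.groupdict()


def decide_action(ind, today, block_at=80, review_at=40):
    """Turn an indicator's context into an action. The thresholds are
    assumptions for this example, not a standard."""
    if today > ind.valid_until:
        return "ignore"       # stale: the address may belong to someone else now
    if ind.confidence >= block_at:
        return "block"        # verified and current: safe to enforce automatically
    if ind.confidence >= review_at:
        return "review"       # plausible, but an analyst qualifies it before enforcement
    return "log"              # raw, unverified data: record it, do not act on it


def match_logs(lines, indicators, today):
    """Return one hit per (log line, indicator) pair whose action is not 'ignore'."""
    index = {(i.kind, i.value): i for i in indicators}
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        for key in (("ip", rec["dst_ip"]), ("domain", rec["host"])):
            ind = index.get(key)
            if ind is None:
                continue
            action = decide_action(ind, today)
            if action == "ignore":
                continue
            hits.append({
                "ts": rec["ts"], "client": rec["client"],
                "indicator": ind.value, "source": ind.source,
                "context": ind.context, "action": action,
            })
    return hits


if __name__ == "__main__":
    for hit in match_logs(LOG_LINES, INDICATORS, TODAY):
        print("%(action)-6s %(ts)s %(client)s -> %(indicator)s [%(source)s] %(context)s" % hit)
```

Run as written, the verified C2 address and the phishing staging domain are blocked, the peer-reported domain is queued for review, the pastebin address is only logged, and the expired exploit-kit host produces nothing at all. A feed consumed without the source, confidence and expiry fields would have treated all four matches identically, which is exactly the unfiltered "information" the article warns against.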
More and more companies and ISS players have already begun in-depth transformations to integrate this data into their organisations. By subscribing to intelligence feeds, hiring "undercover agents" to watch cybercrime forums, or recruiting multilingual analysts, companies can take advantage of all available data to restore the balance between themselves and their attackers.
Many analysts and players think threat intelligence will become the most effective weapon against cyber threats. It remains essential, however, to find the right provider: one who can deliver contextualised intelligence that lets the company establish effective actions.
(1) Symantec report, 2014