In a world in which cybercriminals are becoming increasingly stealthy and using increasingly sophisticated techniques, from ransomware to DNS hijacking, it is becoming more difficult, more expensive and less effective for businesses alone to defend themselves against threats.
According to research recently carried out in the US and EMEA by the Ponemon Institute on behalf of Infoblox, more organisations than ever are reaching out to sources including their peers, industry groups, IT vendors and government bodies for threat intelligence data.
This increase could be attributed to the fact that two-thirds of the IT security practitioners surveyed said they now realised that threat intelligence could have prevented or minimised the consequences of a cyber attack or data breach. Despite this exchange and use of threat intelligence, however, the majority of respondents to the survey claimed not to be satisfied with the current quality of the data.
A question of trust
The most important objectives of a successful threat intelligence programme are to enhance an organisation’s overall security posture, improve its incident response and quickly detect attacks. However, less than a third of respondents rated their company’s defence against cyber attacks as highly effective, and only a quarter thought the same about their company’s process of using internal sources such as configuration log activities.
Although IT security practitioners are increasingly satisfied with their ability to obtain threat intelligence, there are still a number of concerns about how the information is obtained; that it’s not timely, for example, or that it’s too complicated to ensure speed and ease of use. Much of this dissatisfaction may be due to the way in which the data is actually sourced.
While two fifths of companies consolidate their threat intelligence data from a number of different sources, most engage in informal peer-to-peer exchange of threat intelligence, rather than taking a more formal approach, such as using a threat intelligence exchange service or joining a consortium. What’s more, a similar number reported using manual methods to consolidate their data, often due to a lack of qualified staff.
Regardless of the approach used, however, around three in five respondents claimed not to trust the sources of intelligence they used. It’s not surprising, therefore, that companies will often use fee-based threat intelligence because they think it’s better quality, that it’s more effective in stopping security incidents, and because they don’t have confidence in free sources.
Trust is an issue when it comes to giving too, as well as receiving. While around three quarters of organisations provide threat intelligence in addition to using data from other sources, around half claim that the potential liability of sharing meant they would only partially participate in a threat intelligence exchange programme. It’s for this reason perhaps, that organisations prefer sharing with a neutral party or a trusted intermediary rather than sharing with organisations directly, indicating the need for a trusted, neutral exchange platform.
Automation and efficiencies
Indicators such as suspicious hostnames, IP addresses and file hashes, threat intelligence will typically be disseminated internally through alerts. However, security personnel in around two thirds of organisations are spending more than 50 hours a week responding to these alerts, when their time could be better spent pro-actively hunting for signs of criminal activity.
Currently, only half of the companies surveyed use automated solutions to investigate threats, with just one in five claiming to use advanced technology such as AI and machine learning. Interestingly, the use of slow manual sharing processes were also cited by over a third of businesses as a reason for not participating in the exchange of threat intelligence information.
The most important objective of an organisation’s threat intelligence activities is to quickly detect attacks and improve incident response. For the intelligence to be actionable it needs to be received in a timely manager, immediately prioritising the threats contained. However, as shown above, a large number of organisations are not satisfied with the timeliness of the intelligence, believing that it becomes stale within a matter of minutes.
With so many inefficient manual processes in place both in compiling and responding to threat intelligence, it’s clearly time for businesses to embrace more automation or, at the very least, consider a hybrid approach.
A threat intelligence provider is only ever as good as the information it provides, of course. Just over two fifths of businesses will use their threat intelligence programme to define and rank levels of risk of not being able to prevent or mitigate threats using indicators based on uncertainty about the intelligence’s accuracy, and an overall decline in the quality of the provider’s services. A similar number will evaluate the quality of a threat intelligence provider and the information it delivers based on its ability to prioritise threat intelligence and deliver it in a timely manner.
A similar number again will evaluate the threat intelligence itself using a risk score based on factors including whether it is actionable, confidence in its source, and the veracity of the threat indicator and the indicator type. More than anything, the survey reveals a real need for actionable, timely and effective threat intelligence sharing. What’s more, many respondents to the survey said their organisations are using threat intelligence in a non-security platform, such as DNS, indicating that we’re now seeing a blurring of lines between what are considered security tools and what are considered pure networking tools. Securing today’s networks means using threat intelligence for defence-in-depth, plugging all gaps, and covering all products.