The security landscape is evolving fast, so it’s crucial to keep pace to protect your organisation.
We asked our Head of Threat Intelligence, George Glass, to share his expert view on the threats that security teams need to be aware of and to tell us what it is he loves about working in the industry.
Can you sum up threat intelligence in a nutshell?
Putting it briefly, threat intelligence involves aggregating and analysing data to help organisations quantify and mitigate cyber security risks.
Instead of just working on the assumption that everything you expose to the internet is going to be exploited, using threat intelligence gives you more situational awareness. It lets you quantify risk much more effectively and also provides the insight needed to better protect against both current and emerging threats.
Organisations can obtain threat intelligence from sources such as online forums and exchanges, industry bodies and social media. I recently presented a webinar in which I provided an overview of the many sources available.
Who can benefit from threat intelligence?
There’s a commonly held belief that threat intelligence can only be leveraged and consumed by larger organisations, but this simply isn’t true. Every organisation – large or small – can and should use threat intelligence on some level. Threat intelligence is a highly valuable resource for everyone.
What are the advantages for security teams?
One important benefit of threat intelligence for security teams is improved situational awareness. For every specific alert coming in, it’s possible to gain a far greater understanding of the threat and what an actor may try to do if a breach occurs.
Threat intelligence also helps security teams to improve the speed and accuracy of detection by maximising value from deployed technologies.
What do you think are the biggest cyber security threats faced by organisations today?
In my view, the greatest threats are those that have been around for years. Social engineering, ransomware and maldocs are still very prevalent. They’ve just evolved to be able to exploit the latest weaknesses – both in terms of technology and human behaviour.
Since the end of 2019, we’ve seen several high-profile edge networking vulnerabilities being readily exploited by ransomware gangs. Cybercriminals have quickly changed their tactics from entering organisations via just email phishing attacks to actively searching for and exploiting these types of vulnerabilities – and making an eye-watering amount of money in the process!
Vulnerabilities in Pulse Secure VPN and F5 BIG-IP are a really big ongoing risk factor for organisations too and are extremely serious if they haven’t been patched. This is particularly true given that so many people are still working remotely.
Earlier this year we issued a security advisory warning organisations to be vigilant about the security risks associated with employees returning to the office post COVID-19 lockdown – dormant attackers may be waiting for the perfect opportunity to strike.
Tell us about the biggest challenges you see companies experiencing around threat intelligence.
Threat intelligence is often viewed as just a tick in a box by many organisations. They’ll pay a provider and think that they’ve got it covered, without fully understanding the information and the data they’re ingesting, or how to apply it to improve their security outcomes.
That’s why I think it’s extremely important to understand what threats you’re covering and to have a good understanding of the data being collected. This may mean collecting a little bit less information rather than simply subscribing to one of the huge feed-based solutions.
One of the most common mistakes companies make is to aggregate a lot of feeds and then plug them directly into SIEM and EDR platforms. This just leads to a huge number of false positives and alert fatigue as security teams don’t have the time to fully analyse and investigate every alert.
In a recent Redscan webinar, I shared a couple of methodologies for collecting, organising, distilling and expressing threat intelligence information. Anyone interested in learning more is welcome to view the recording.
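The point about not plugging raw feeds straight into SIEM and EDR platforms can be illustrated with a small distillation pass. The following Python script is an added example, not code from the interview, from Redscan or from any of the tools mentioned: it takes constructed feed records from three overlapping sources, normalises them, drops malformed, stale, low-confidence and known-benign entries, merges duplicates across feeds and rewards corroboration, so that only a curated set reaches the detection platform. The feed entries, the allowlisted ranges and domains, the reference date and the thresholds are all assumptions made up for illustration.

```python
"""Curating threat-intelligence feed indicators before SIEM ingestion.

Added example: all feed records, allowlists, dates and thresholds below are
constructed for illustration and are not real intelligence data.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress


@dataclass(frozen=True)
class Indicator:
    value: str        # IP address, domain name or SHA-256 hash
    kind: str         # "ip", "domain" or "sha256"
    source: str       # feed the record came from
    confidence: int   # provider-supplied score, 0-100
    last_seen: date   # provider-supplied last sighting


TODAY = date(2021, 6, 1)  # constructed reference date for age checks

# Constructed sample data: three feeds with overlap, noise and errors.
RAW_FEEDS = [
    Indicator("198.51.100.23", "ip", "feed-a", 80, date(2021, 5, 28)),
    Indicator("Malicious-Update.Example.", "domain", "feed-a", 75, date(2021, 5, 30)),
    Indicator("192.0.2.10", "ip", "feed-a", 90, date(2021, 5, 31)),      # our own egress IP
    Indicator("203.0.113.9", "ip", "feed-a", 40, date(2021, 5, 20)),     # low confidence
    Indicator("198.51.100.23", "ip", "feed-b", 65, date(2021, 5, 25)),   # duplicate of feed-a
    Indicator("malicious-update.example", "domain", "feed-b", 70, date(2021, 5, 29)),
    Indicator("198.51.100.77", "ip", "feed-b", 85, date(2021, 1, 3)),    # stale sighting
    Indicator("not an ip", "ip", "feed-b", 95, date(2021, 5, 31)),       # malformed record
    Indicator("0123456789abcdef" * 4, "sha256", "feed-c", 70, date(2021, 5, 30)),
]

# Constructed allowlist: the organisation's own ranges and domains, which
# regularly end up in feeds (scanners, shared hosting) and cause false positives.
BENIGN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
BENIGN_DOMAINS = {"corp.example"}


def normalise(ind):
    """Canonicalise an indicator; return None when the record is malformed."""
    value = ind.value.strip()
    if ind.kind == "domain":
        value = value.lower().rstrip(".")
    elif ind.kind == "ip":
        try:
            value = str(ipaddress.ip_address(value))
        except ValueError:
            return None
    elif ind.kind == "sha256":
        value = value.lower()
        if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
            return None
    else:
        return None
    return Indicator(value, ind.kind, ind.source, ind.confidence, ind.last_seen)


def is_benign(ind):
    """True when a normalised indicator matches known-good infrastructure."""
    if ind.kind == "ip":
        addr = ipaddress.ip_address(ind.value)
        return any(addr in net for net in BENIGN_NETWORKS)
    if ind.kind == "domain":
        return ind.value in BENIGN_DOMAINS or any(
            ind.value.endswith("." + d) for d in BENIGN_DOMAINS)
    return False


def distil(raw, today=TODAY, max_age_days=30, min_confidence=60):
    """Merge overlapping feeds into a curated list ready for SIEM ingestion."""
    merged = {}
    for ind in raw:
        ind = normalise(ind)
        if ind is None or is_benign(ind):
            continue
        if (today - ind.last_seen).days > max_age_days:
            continue
        key = (ind.kind, ind.value)
        rec = merged.setdefault(key, {"kind": ind.kind, "value": ind.value,
                                      "sources": set(), "confidence": 0,
                                      "last_seen": ind.last_seen})
        rec["sources"].add(ind.source)
        rec["confidence"] = max(rec["confidence"], ind.confidence)
        rec["last_seen"] = max(rec["last_seen"], ind.last_seen)

    curated = []
    for rec in merged.values():
        # Corroboration: each additional independent feed adds 10 points, capped at 100.
        rec["confidence"] = min(100, rec["confidence"] + 10 * (len(rec["sources"]) - 1))
        if rec["confidence"] >= min_confidence:
            rec["sources"] = sorted(rec["sources"])
            curated.append(rec)
    return sorted(curated, key=lambda r: (r["kind"], r["value"]))


def ingestion_summary(raw):
    """Return (records received, records forwarded) to show the noise removed."""
    return len(raw), len(distil(raw))


if __name__ == "__main__":
    received, forwarded = ingestion_summary(RAW_FEEDS)
    print(f"received {received} feed records, forwarding {forwarded}")
    for rec in distil(RAW_FEEDS):
        print(rec)
```

Of the nine constructed records, only three survive: the malformed entry, the stale one, the low-confidence one and the organisation's own address are dropped, and the two entries seen by both feed-a and feed-b collapse into single records with a higher confidence than either feed gave alone. The same structure applies to real feeds, where the thresholds and allowlists would be tuned to the organisation.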
What’s your advice for people interested in a career in threat intelligence?
A very good understanding of the cyber security industry, including an awareness of the different types of threats, is a great place to start. A SOC analyst background is useful for helping to develop detections and understand how threat actors move within systems. I think you have to really want to work in threat intelligence because it can be a fairly taxing job in that you have to keep your mind on several different things at once. But it’s also very rewarding at the same time.
Personally, I think working in threat intelligence is the best job in the world and I really enjoy applying what I’ve gathered to help protect organisations. It’s very interesting tracking threats and understanding threat actor movements – especially when they suddenly change their tactics.
As someone who’s worked in this field for quite a while, you know the best resources to use! Tell us about some of your favourites.
It’s no secret that I think Twitter is a great source of open source threat intelligence which is pretty much up to the second. A host of extremely knowledgeable security professionals share very valuable data completely free of charge.
I’d also recommend taking time to investigate dark net forums to get an idea of how threat actors communicate and the ways they work with each other.
Another good thing to do is to engage with organisations like the National Cyber Security Centre and professional bodies, such as ISACA. These types of organisations share some really great information.
What advice would you give to an organisation just making a start with using threat intelligence sources?
If you’re just starting out with using threat intelligence sources, I’d highly recommend investing in some tooling to help aggregate feed information. Some of the really good free tools out there include OpenCTI, MISP and MindMeld. Download one or two of those and try them out to get a feel for the type of data that you can get from intelligence feeds.
We’ve covered a lot of ground but there’s clearly a lot more to learn about getting the most out of threat intelligence. Any final remarks?
There’s always a lot going on in the world of threat intelligence. If you’re interested in learning more about it, you can find the recording of our recent threat intelligence webinar on our website. If anyone does have any questions or wants some more tips, they’re welcome to follow me on Twitter or to get in touch with me directly via Redscan.