# Privacy: Threat intelligence – using data against cyber-attacks

Small businesses in the UK are facing 10,000 cyberattacks every day, with the annual cost of the attacks estimated at £4.5 billion, and the average cost of an individual attack around £1,300.

Perhaps surprisingly, despite these figures, cybercrime protection is often a secondary business priority. One data-driven security tool in particular, threat intelligence, is under-rated by SMEs, and even those using it often do not get the most out of the technology.

The threat intelligence market is growing fast – valued at £3.7 billion in 2018, it is expected to reach £9.7 billion by 2024, with a CAGR of 17.5%. The drivers behind this explosive growth are the increasing number and variety of attack techniques, and the rise in volumes of data generated by different enterprises.

Against this backdrop, small businesses are often identified by hackers as a low-hanging route to more lucrative targets. Prime targets for attack are e-commerce businesses, financial services companies and brands that handle intellectual property (IP) or have multiple tiers of suppliers. Often in regulated industries, these organisations are already implementing some level of security procedures to protect their customers’ data or IP.

An ever-rising tide of threats, vulnerabilities, malware and evolving offensive strategies makes for almost immediate data overload. Combined with an intense barrage of false positives and genuine alerts from internal sources, from firewalls and anti-virus endpoint protection to patch management tools, this means security departments of all sizes are crying out for something to help them stay on top of the threat landscape.

Threat intelligence offers prioritised and actionable information

Busy IT and security teams can often be overwhelmed, but this is where threat intelligence comes into its own. Threat intelligence brings together vast swathes of information and turns that into actionable, targeted data. In its simplest terms, threat intelligence can help businesses identify:

· Attacker profile
· Reasons for attack
· Target of attack
· Tools and techniques used
· Steps to mitigate the attack

The most common cyber threats are ransomware, malware (viruses, worms, Trojan horses, rootkits, etc.), botnets and zero-day vulnerabilities, which encompass any malware or exploit for which a fix has not yet been developed or distributed.

Even as these threats evolve, IT and security teams using threat intelligence have a more manageable, proactive security approach, as they are able to make decisions and take action faster, reducing the likelihood of being affected by an attacker.

Threat intelligence categories

Threat intelligence data fall into three broad categories: historic, current and predictive. Historic threat-based data can be extrapolated into the present. Current, situational intelligence provides insight into incidents and events as they unfold across the globe. Predictive or ‘estimative intelligence’ can be used to gain insight into future patterns, enabling proactive adjustment to defences.

Not just a purely technical exercise for analysts and cybersecurity professionals, threat intelligence is also beneficial for high-level decision making, ensuring that the data delivers maximum value for the business. Take Business Risk Intelligence (BRI) as an example. BRI is often considered the more strategic and cross-functional counterpart to cyber threat intelligence, as it broadens the latter’s applicability beyond cyber to inform decision-making, improve preparation and mitigate a broad spectrum of both cyber and physical risks.

Pitfalls of threat intelligence

There is still widespread misunderstanding of the mechanics that render threat intelligence data useful and actionable. A SANS Institute 2019 survey found that, despite the majority of businesses (72%) using or outsourcing threat intelligence, formal documentation processes are not as well established, so security teams may not be clear about what information they are looking for.

Only 30% of the survey’s responding organisations had documented their threat intelligence requirements, a significant 37% had only ad hoc provisions, and the remaining 33% had no defined documentation in place at all.

Information on what is normal and relevant, the context around that information, and how to turn it into enforcement changes is vital. IT teams are essential in providing training sets of data and also in defining, and recommending, the key features with which to classify them.

How to drive actionable intelligence

Having the correct data, business policies and procedures in place is vital for driving threat intelligence. Unless a mature security posture (in terms of best practice, patching, etc.) is already established within an organisation, layering in threat intelligence will just be an added distraction rather than a valuable resource. Company security functions should also put in the groundwork before switching on an intelligence provisioning service, such as clearly defining the goals and the overall purpose of the service in advance.

Most enterprises opt for some level of outsourcing model to deliver usable threat intelligence, which offers a number of benefits. Organisations struggling with a skills shortage or a large volume of information can benefit from threat intelligence, as their teams then possess the information needed to defend against cyberattacks before they enter the network.

Alleviating pressure on internal resources is, simply, a matter of using an upstream filter for multiple sources of data from a security firm. For our SME clients, we offer Kaspersky threat intelligence. By integrating up-to-the-minute threat intelligence feeds containing information on suspicious and dangerous IPs, URLs and file hashes into existing security controls, such as SIEM systems, security teams can automate the initial alert triage process.

At the same time, they can provide their triage specialists with enough context to immediately identify alerts that need to be investigated or escalated to Incident Response (IR) teams for further investigation and response.
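The triage step described above, as an added example that is not part of the article and not Kaspersky's or CyberGuard's own code: a small Python script that indexes an indicator feed, extracts IPs, domains and file hashes from log lines (as a SIEM enrichment rule would), skips internal addresses, down-weights stale indicators, and attaches a score and a recommended next step so a triage specialist sees context rather than a bare match. The feed entries, log lines, category weights and 30-day staleness threshold are all constructed assumptions, not values from any real feed.

```python
"""First-pass alert triage against a threat-intelligence feed (added example).

All feed entries, log lines and thresholds below are constructed for
illustration; a real deployment would read them from the vendor feed and SIEM.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

TODAY = date(2019, 10, 1)      # pinned so the example is reproducible
STALE_AFTER_DAYS = 30          # assumption: older indicators carry half weight
CATEGORY_WEIGHT = {"c2": 20, "malware": 10, "phishing": 0}   # assumed weights
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
CONSTRUCTED_HASH = "0" * 56 + "deadbeef"   # placeholder, not a real sample

# Constructed feed: the shape a commercial feed is assumed to provide.
FEED = [
    {"type": "ip", "value": "203.0.113.45", "confidence": 90,
     "category": "c2", "last_seen": "2019-09-20"},
    {"type": "domain", "value": "invoice-update.example", "confidence": 70,
     "category": "phishing", "last_seen": "2019-09-18"},
    {"type": "sha256", "value": CONSTRUCTED_HASH, "confidence": 60,
     "category": "malware", "last_seen": "2019-06-01"},
]

# Constructed key=value log lines in the style a SIEM might normalise to.
LOG_LINES = [
    "2019-10-01T09:12:03 proxy src=10.0.0.17 dst=203.0.113.45 "
    "url=http://invoice-update.example/login",
    f"2019-10-01T09:15:44 edr host=ws-021 sha256={CONSTRUCTED_HASH} action=executed",
    "2019-10-01T09:16:00 proxy src=10.0.0.18 dst=198.51.100.9 "
    "url=https://intranet.corp.example/",
]


@dataclass
class Match:
    ioc_type: str
    value: str
    category: str
    score: int


@dataclass
class Alert:
    line: str
    matches: list
    score: int
    decision: str


def build_index(feed):
    """Index the feed by (type, normalised value) for O(1) lookups."""
    return {(e["type"], e["value"].lower()): e for e in feed}


def score_indicator(entry):
    """Confidence plus category weight, halved when the indicator is stale."""
    age = (TODAY - date.fromisoformat(entry["last_seen"])).days
    score = entry["confidence"] + CATEGORY_WEIGHT.get(entry["category"], 0)
    if age > STALE_AFTER_DAYS:
        score //= 2
    return min(score, 100)


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def observables(fields):
    """Yield (type, value) pairs from a parsed line that are worth checking."""
    for key in ("dst", "src"):
        if fields.get(key) and not is_internal(fields[key]):
            yield "ip", fields[key]
    host = urlsplit(fields.get("url", "")).hostname
    if host:
        yield "domain", host.lower()
    if fields.get("sha256"):
        yield "sha256", fields["sha256"].lower()


def lookup(index, ioc_type, value):
    """Exact match; for domains also walk up to parent domains."""
    entry = index.get((ioc_type, value))
    if entry is None and ioc_type == "domain":
        parts = value.split(".")
        for i in range(1, len(parts) - 1):
            entry = index.get(("domain", ".".join(parts[i:])))
            if entry:
                break
    return entry


def decide(score):
    if score >= 80:
        return "escalate_to_IR"
    if score >= 50:
        return "investigate"
    return "monitor"


def triage(lines, feed=FEED):
    """Return one enriched Alert per log line that hits the feed."""
    index = build_index(feed)
    alerts = []
    for line in lines:
        matches = [Match(t, v, e["category"], score_indicator(e))
                   for t, v in observables(parse_line(line))
                   if (e := lookup(index, t, v))]
        if matches:
            top = max(m.score for m in matches)
            alerts.append(Alert(line, matches, top, decide(top)))
    return alerts


if __name__ == "__main__":
    for alert in triage(LOG_LINES):
        print(alert.decision, alert.score, [(m.ioc_type, m.value) for m in alert.matches])
```

Running the script over the constructed lines yields an escalation for the proxy line that touches both a C2 address and a phishing domain, a low-priority "monitor" for the execution of a hash whose indicator has not been seen for months, and nothing for the intranet line, which is the shape of output that lets a triage specialist act without reading raw logs.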

The outsourcing model also enables external experts to produce actionable insights targeted precisely at the business’s vertical and set-up. CyberGuard Technologies’ Unit 12 threat intelligence team, for example, focuses specifically on UK SME threats, analysing attacks from an entire network of customers and providing region-specific data.

This is more usable than a globalised snapshot of generic threat profiles. Recently, we alerted our customers to a Microsoft vulnerability, BlueKeep, which was deemed so serious that Microsoft decided to issue patches for operating systems it no longer supported.

We also shared the FBI’s warning that too many web users view the padlock symbol and the ‘S’ after HTTP as a guarantee that a site is trustworthy. The alert also notes that phishing attackers imitating trustworthy companies or email contacts incorporate website certificates (third-party verification that a site is secure) when sending emails to potential victims. Using tailored intelligence such as this helps bolster security defences by maximising a company’s knowledge of, and investment in, people, systems and products.

Threat intelligence is no longer just for the largest enterprises. Via managed service providers, it is a cost-effective and actionable tool for SMEs, whether a 100-person legal firm or a 500-strong insurance broker, which is why demand is booming. As a practical defence against the ever-evolving threat profile all businesses face today, it is the closest thing to the fabled ‘magic bullet’ solution that exists – knowledge is truly power.

By Paul Colwell, technical director, CyberGuard Technologies

Technical director, CyberGuard Technologies, Paul Colwell has over 10 years’ experience seeking ways to exploit technology to deliver real benefits for business. Working closely with leading technology brands including HP, Microsoft, Kaspersky, WatchGuard, AlienVault, Carbon Black and VMware, he has been instrumental in positioning CyberGuard at the forefront of the technology industry.
