Threat Intelligence is arguably one of the most important aspects of cybersecurity. Yet despite this, it is often underestimated as a component of a solid security posture.
The consulting company Forrester defines threat intelligence as the details of the motivations, intent and capabilities of internal and external threat actors, and extends that definition to include specifics on the tactics, techniques and procedures that hackers and Advanced Persistent Threats employ in their attacks. - Threat Intelligence Buyer’s Guide, SANS CTI Summit, 10 February 2014.
At Lockheed Martin, we value Threat Intelligence's primary purpose: helping the business better understand the risks and implications associated with threats, so that it can make better decisions regarding the safety of its customers, employees and intellectual property.
We also believe that by understanding the attributes of an APT, an organization can better build a proactive Security Operations Center (SOC). By proactivity we mean moving a SOC from a “set-it and forget-it” mode governed by reacting to threats to a predictive and agile infrastructure. This migration goes beyond blocking domains: it uses databases and intelligence gathered over years to understand attackers’ patterns of behavior. How do your attackers grow and change over time? What common tools do they use? What techniques do your attackers always employ after entering a network? Understanding the minutiae of APT behavior includes knowing whether they attach a zip file at the bottom of their emails, or always open emails with “Dear Sir or Madam.” Do they always misspell a certain word, or always ask for the same specific piece of information? Such intelligence makes future threats easier to identify and quicker to categorize.
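One way to put such behavioral minutiae to work is to keep a per-actor profile of the habits described above (greeting, attachment type, characteristic misspellings, the information requested) and score each inbound message against every profile. The following is an added example, not Lockheed Martin's or Palisade's code; the actor names, profile attributes and the sample message are constructed for illustration.

```python
"""Score an inbound e-mail against behavioral profiles of known threat actors."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class ActorProfile:
    name: str
    greeting: Optional[str] = None          # characteristic opening line (lower case)
    attachment_ext: Optional[str] = None    # e.g. ".zip"
    misspellings: Set[str] = field(default_factory=set)    # words the actor reliably gets wrong
    requested_info: Set[str] = field(default_factory=set)  # what the actor tends to ask for

# Constructed profiles standing in for intelligence gathered from past campaigns.
PROFILES = [
    ActorProfile("ACTOR-A", greeting="dear sir or madam", attachment_ext=".zip",
                 misspellings={"recieve"}, requested_info={"invoice", "wire"}),
    ActorProfile("ACTOR-B", greeting="hello", attachment_ext=".docx",
                 misspellings={"adress"}, requested_info={"password"}),
]

def score_email(body: str, attachments: List[str], profile: ActorProfile) -> int:
    """Count how many of one actor's known habits appear in a single message."""
    text = body.lower()
    words = set(re.findall(r"[a-z']+", text))
    hits = 0
    if profile.greeting and text.lstrip().startswith(profile.greeting):
        hits += 1
    if profile.attachment_ext and any(a.lower().endswith(profile.attachment_ext) for a in attachments):
        hits += 1
    hits += len(profile.misspellings & words)    # each characteristic misspelling seen
    hits += len(profile.requested_info & words)  # each characteristic request seen
    return hits

def attribute_email(body: str, attachments: List[str], profiles=PROFILES, threshold: int = 3):
    """Return (actor name, score) for the best-matching profile, or None below the threshold."""
    score, name = max((score_email(body, attachments, p), p.name) for p in profiles)
    return (name, score) if score >= threshold else None

# Constructed sample message: greeting, misspelling, requests and attachment all match ACTOR-A.
SAMPLE_BODY = "Dear Sir or Madam,\nPlease recieve the attached invoice and confirm the wire details."

if __name__ == "__main__":
    print(attribute_email(SAMPLE_BODY, ["statement.zip"]))  # -> ('ACTOR-A', 5)
```

A real deployment would weight attributes by how distinctive they are for each actor rather than counting them equally, and would feed unmatched messages back into the profile database as intelligence accumulates.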
According to Forrester's and Lockheed Martin’s understanding of Threat Intelligence, another important aspect of this intelligence-driven discipline is the sharing of intelligence and the collaboration around it. Standardization within cybersecurity is a major challenge. The cybersecurity industry has reached a level where sharing information is readily possible; the struggle now is to determine and agree upon a set of standards for how we classify, validate and communicate intelligence.
In an ideal setting, valuable intelligence is aggregated, filtered into a common set of standards and a common nomenclature, and fed to a group of trusted partners and sources.
With Threat Intelligence and Threat Intelligence sharing as core competencies, your organization can employ a centralized platform with Palisade®, which integrates into your existing security infrastructure to deliver enterprise-wide visibility, awareness and alerting capability.
By focusing on Threat Intelligence and the collaboration behind such activities, your organization can go a long way toward building a solid security posture in which intelligence and actionable data are at the core of a proactive defense.
Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform