How to fight back against cyberattacks
Wael Jaber, VP, Technology & Services at CyberKnight, on why threat intelligence is crucial in the fight against cybercriminals
Can you please explain what your Unified Threat Intelligence concept is?
CyberKnight’s United Threat Intelligence (UTI) concept has been created to help customers build an effective cyber threat intelligence practice based on methodologies, taken from industry best practices, in addition to the latest technology and services that operate in that space. Adopting the CyberKnight’s UTI solution offering would help our strategic customers to save on efforts, time, and resources to build a very efficient and cost-effective CTI program. The UTI concept caters to many of the threat intelligence requirements within different industry verticals. The solutions we are offering in this UTI bundle consist of EcleticIQ (Threat Intelligence Platform), RiskIQ (Open and Surface Web Intelligence), FlashPoint (Deep and Dark Web Intelligence), CrowdStrike (Adversaries Intelligence), Attivo (Local Intelligence)
What can companies do to make threat intelligence more effective and actionable?
Effective Threat Intelligence is about clearly understanding the business risk an organisation is exposed to, and about reducing the uncertainty when dealing with such risk. Cyber threat intelligence should be selected, collected, and produced very thoughtfully to ensure the quality and efficiency so that an organisation would benefit from it and make it actionable. Actionable and effective threat intelligence should be relevant to and aligned with the corporate business requirements, the strategy of its stakeholders, and the threat profile of the organisation. The threat profile involves knowing the threat landscape and the potential threat actors that are potentially after the organisation. Once a CTI strategy for the corporate is set in place, and the company’s threat profile is defined, the selection and collection of the right type of intelligence feed would be much easier, and the consumption and production are more actionable and efficient.
Too many threat intel feeds can contribute to security information overload. What should users keep in mind while evaluating feeds?
Collecting threat intelligence feeds randomly for the sake of collecting will not do any CTI programme any good. On the contrary, it would aggravate the whole situation and cause additional alert fatigue to TI and SOC Analysts. During the selection process of intelligence feeds, users should carefully study and understand what their business risk is in the first place, and what strategic intelligence they need to collect, that can provide the necessary information and insights to their business leaders and stakeholders, that would help them make better strategic decisions. Next, they need to understand the real threat landscape and trends that target their business, industry, and geographic region and choose the intelligence feed provider that can provide the right operational intelligence, which can help them implement the right security controls to deter such threats. The last thing to consider is to identify the potential types of threat actors that might target their organisation, their origins, their motives, and their techniques, based on which they can select the intelligence provider that focuses on the adversaries that are matching their requirements.
What is the role of automation in threat intelligence?
Automation is a crucial part of any threat intelligence practice, especially in a modern threat landscape, where Security Operation Centers (SOCs) are overloaded with thousands of alerts every day. At the moment, without automation, it’s simply not possible to minimise false alerts and not miss out on anything important.
Automation could be beneficial in assisting the TI analyst in focusing on specific threats or topics and helping reduce the time spent during investigations, and to add context to alarms and incidents an organisation might face. However, automation should not be fully and solely depended on during the discovery, triage, investigation, and production processes of threat intelligence, because a Human hacker can easily fool it. Automation is a powerful tool, but it is not a remedy for modern security postures. Smart attackers need to be met by smart human defenders aided by automation.
Are companies adopting AI/ML for threat intelligence?
Machine learning is being used in many ways within the threat intelligence space. It could range from using ML/AI to help in acquiring the knowledge and intelligence at internet scale similar as to how RiskIQ is using it to crawl the wild web and mimic internet browsing users, or as to how Flashpoint are using it, to extract intelligence out of illicit groups in the deep and dark web which are very tricky to navigate and interact with. ML/AI are also being used in the triaging, curation, and vetting of collected intelligence and this is used by many threat intelligence providers to ensure the relevancy and quality of collected intelligence. For instance, EclecticIQ leverages ML capabilities of its product to help the threat analyst discover, investigate, and produce relevant intelligence. ML/AI are also used, for example, in deceiving threat attackers, by luring them into deceptive decoys that resemble real production environments, after which real-time local intelligence about the active threat actor could be collected is how Attivo Networks use ML/AL. Not to forget the importance of ML and AI in the defense against zero-day and unknown malware types and the importance of gathering intelligence about the techniques used and its attribution to threat actor groups, similarly as to how Crowdstrike uses ML/AI for.
It’s important to note that adversaries are using AI/ML against security defenses, and they use ML/AI to defeat the effectiveness of the ML/AI used at the other side of the spectrum. ML/AI alone is not enough and have to be supervised and trained by an analyst, because now ML/AI does not have the human common sense to reason. Having the analyst available when an AI model “asks for help” is crucial as cyber threats change, especially when they change with the intent to fool the model. Developing a feedback mechanism that provides your model with the ability to identify and surface questionable items is critical to the success of your model.