This blog is the second of two articles on how to proactively prepare for cyberthreats. In partnership with CrowdStrike, a cybersecurity software company, we’ll talk about how government organizations can improve their security postures to better defend their valuable assets today and tomorrow. Read the first one here.
Government organizations face much more than just a malware problem. In fact, studies indicate that 60% of data breach incidents don’t even involve the use of malware. True next-generation endpoint protection addresses the full range of attacks — known and unknown, malware and malware-free — by combining conventional indicators-of-compromise or IOC-based endpoint protection with indicators of attack (IOA) analysis.
When delivered in real time via a cloud architecture, IOA technology adds contextual and behavioral analysis to detect and prevent attacks that conventional defense-in-depth technologies cannot even see. This innovative approach allows enterprise security professionals to quickly discern the tactics, techniques and procedures (TTPs) used by sophisticated attackers. In this way, they can determine who the adversary is, what they are trying to access and why.
Like antivirus signatures, an approach based solely on IOC detection relies on a previously observed artifact to match, so it cannot keep pace with the growing number of malware-free intrusions and zero-day exploits. As a result, next-generation security solutions are moving to an IOA-based approach pioneered by CrowdStrike.
Applying Actionable Threat Intelligence
Cyber threat intelligence is a key component of effective security. It is critical that public sector organizations have consumable, contextualized intelligence so that they can understand the adversary, learn from attacks and take the right decisive action to improve their overall defenses.
Threat intelligence can be divided into three levels: tactical, operational and strategic.
- Tactical threat intelligence is focused on the immediate future. It is technical in nature and identifies simple IOCs that can be machine-readable, meaning security products can ingest them through feeds or application programming interface (API) integration.
- Operational threat intelligence provides context by understanding and profiling threat actors. Behind every attack is a “who,” “why” and “how.” The “who” is called attribution. The “why” is called motivation or intent. The “how” is made up of the TTPs that the adversary employs. Together, these factors provide context, and context provides insight into how adversaries plan, conduct and sustain campaigns and major operations.
- Strategic threat intelligence shows how global events, foreign policies and other long-term local and international movements can potentially impact the cybersecurity of an organization. Strategic intelligence usually comes in the form of reports.
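The contrast drawn above between IOC-based and IOA-based detection, and the tactical feed ingestion described in the first list item, can be made concrete with a small detection script. The following is an added example written for this article; it is not CrowdStrike code, and the IOC feed, host names, hashes and IP addresses are all constructed placeholders (the IPs come from the documentation ranges). It runs one IOC match and one behavioral IOA rule over the same constructed endpoint telemetry to show why the second catches an intrusion the first cannot see.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed tactical feed, shaped like what a machine-readable IOC feed
# delivers: hash -> label, IPv4 -> label. None of these are real indicators.
IOC_FEED: Dict[str, Dict[str, str]] = {
    "sha256": {"a" * 64: "Dropper.Example"},     # placeholder hash
    "ipv4": {"203.0.113.10": "C2.Example"},       # TEST-NET-3 documentation range
}

# Behavioral building blocks for the IOA rule: an office application that
# spawns a command shell which then talks to the network is a documented
# attack pattern, regardless of which binary or server is involved.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


@dataclass
class Event:
    """One endpoint telemetry record (constructed for this example)."""
    host: str
    pid: int
    ppid: int
    image: str                 # process image name
    kind: str                  # "process_create" or "network_connect"
    sha256: str = ""           # image hash, if known
    dest_ip: str = ""          # destination for network_connect events
    parent_image: str = ""     # parent process image for process_create events


def match_iocs(events: List[Event], feed: Dict[str, Dict[str, str]]) -> List[Tuple[str, int, str, str]]:
    """IOC detection: flag any event whose hash or destination IP is in the feed."""
    hits = []
    for e in events:
        if e.sha256 and e.sha256 in feed["sha256"]:
            hits.append((e.host, e.pid, "hash", feed["sha256"][e.sha256]))
        if e.dest_ip and e.dest_ip in feed["ipv4"]:
            hits.append((e.host, e.pid, "ip", feed["ipv4"][e.dest_ip]))
    return hits


def detect_ioa(events: List[Event]) -> List[Tuple[str, int, str]]:
    """IOA detection: office app -> shell -> outbound connection, with no indicator lookup.

    The rule keys on the sequence of behaviour per (host, pid), so it fires on
    a never-before-seen shell invocation and a never-before-seen server.
    """
    suspicious_shells: Dict[Tuple[str, int], Event] = {}
    for e in events:
        if (e.kind == "process_create"
                and e.image.lower() in SHELLS
                and e.parent_image.lower() in OFFICE_APPS):
            suspicious_shells[(e.host, e.pid)] = e
    hits = []
    for e in events:
        key = (e.host, e.pid)
        if e.kind == "network_connect" and key in suspicious_shells:
            spawn = suspicious_shells[key]
            hits.append((e.host, e.pid, f"{spawn.parent_image} -> {spawn.image} -> {e.dest_ip}"))
    return hits


# Constructed telemetry: host-a runs a binary whose hash is in the feed (IOC
# hit); host-b has a Word document spawn PowerShell that beacons to an IP
# absent from the feed (IOA hit only); host-c is a benign shell from explorer.
SAMPLE_EVENTS: List[Event] = [
    Event("host-a", 4100, 800, "invoice.exe", "process_create", sha256="a" * 64, parent_image="explorer.exe"),
    Event("host-b", 5200, 600, "winword.exe", "process_create", sha256="b" * 64, parent_image="explorer.exe"),
    Event("host-b", 5310, 5200, "powershell.exe", "process_create", sha256="c" * 64, parent_image="winword.exe"),
    Event("host-b", 5310, 5200, "powershell.exe", "network_connect", dest_ip="198.51.100.7"),
    Event("host-c", 7000, 900, "cmd.exe", "process_create", sha256="d" * 64, parent_image="explorer.exe"),
    Event("host-c", 7000, 900, "cmd.exe", "network_connect", dest_ip="198.51.100.9"),
]


def run_demo() -> Dict[str, list]:
    """Run both detectors over the constructed telemetry and return their findings."""
    return {"ioc": match_iocs(SAMPLE_EVENTS, IOC_FEED), "ioa": detect_ioa(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(name.upper(), "hits:", hits)
```

Running it shows the IOC pass catching only host-a, where the feed happened to know the dropper's hash, while the IOA rule catches the malware-free intrusion on host-b and stays quiet on the benign shell on host-c. In practice the two passes complement each other, which is the combination the article recommends: the feed gives fast, cheap coverage of known artifacts, and the behavioral rule covers what no feed has seen yet.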
Whatever the level, threat intelligence can only provide value if it is actionable. Even though more and more organizations see the value of threat intelligence — 72% of organizations plan to increase spending for it (Source: Enterprise Strategy Group) — current use of it remains basic. Beyond simple use cases, such as integrating intelligence feeds into existing security products such as intrusion prevention systems (IPS), firewalls or security information and event management (SIEM) systems for IOC detection, most government agencies still struggle to take full advantage of the information that threat intelligence can provide.
To make smart security-related decisions, organizations need to have proper threat intelligence. That starts with using technical indicators and it matures by developing an understanding of who is attacking, how they’re attacking and why. It culminates in implementing security decisions guided by strategic intelligence. Getting the right level of intelligence and using it effectively can greatly optimize prevention capabilities, shorten threat detection time, accelerate incident response and help teams make better security decisions.
Takeaway: Consumable, contextualized threat intelligence can help agencies implement strategic security decisions by understanding who is attacking, how they’re attacking and why.