Threat intelligence is, put simply, a set of network defense techniques that leverage knowledge about adversaries (intelligence and counter-intelligence) so that an organization can build a superior information base and reduce the chances of an attacker compromising its network. Gartner defines it more specifically as “Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to the menace or hazard.”
Reduced Effectiveness of Vulnerability-Focused Defense Tools
To date, most corporate IT departments have focused on the vulnerability side of the network: defense tools such as intrusion detection systems and anti-virus software, or an incident response plan and methodology that assumes an intrusion will eventually succeed. However, several inter-connected trends (the growing amount of data available, the growing capacity to store it, and its growing value for creating synthetic identities or simply for studying business processes and trade secrets), together with the sharing of techniques and knowledge among attackers, have greatly reduced the ability of these traditional methods to adequately “defend the perimeter.”
The 2015 Verizon Data Breach Report states that in 60% of cases, attackers are able to compromise an organization within minutes. This statistic likens intrusion detection systems and anti-virus software to the Maginot Line: they give organizations a false sense of security. According to recent surveys, the average time adversaries are present on a network before their intrusion is identified or their presence recognized (“dwell time”) is 224 days. Well-armed adversaries achieve their objectives using advanced tools and techniques specifically designed to evade most established network defense processes.
Decreasing Successful Attacks by Leveraging Knowledge
Leveraging knowledge about these adversaries can help establish a state of information superiority that decreases the likelihood of a successful attack. This knowledge should be:
- Aggregated from reliable sources and correlated
- Tailored to the environment
- Evaluated and interpreted by experts
- Accurate, timely and actionable
Threat intelligence is a critical component of an organization’s security program. It provides a global perspective on adversarial intrusion methodology, as opposed to the localized perspective an organization gets from watching only its own network.
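The four qualities listed above (aggregated and correlated, tailored, evaluated, timely and actionable) can be made concrete in code. The following is an added example, not code from the original article: it merges reports of the same indicator from several constructed feeds, keeps the best source reliability and the newest sighting, drops indicators that are stale or of a type the environment cannot act on, and correlates what remains against constructed proxy log lines so every hit carries its provenance. The feed entries, reliability grades, indicator values and log lines are all invented for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample feed reports (invented values, not real indicators).
FEEDS = [
    {"source": "vendor-a", "reliability": "A", "type": "domain", "value": "bad.example", "seen": "2015-06-01"},
    {"source": "isac", "reliability": "B", "type": "domain", "value": "bad.example", "seen": "2015-06-03"},
    {"source": "paste", "reliability": "C", "type": "ip", "value": "198.51.100.7", "seen": "2014-01-10"},
    {"source": "vendor-a", "reliability": "A", "type": "hash", "value": "0" * 64, "seen": "2015-06-05"},
]
# Constructed proxy log lines to correlate against.
LOGS = [
    "2015-06-10 10:01:02 10.0.0.5 GET http://bad.example/update.php 200",
    "2015-06-10 10:01:05 10.0.0.9 GET http://intranet.corp/index.html 200",
]
# Assumed source-reliability grades (A = most reliable); this scale is an assumption.
RELIABILITY_RANK = {"A": 3, "B": 2, "C": 1}

@dataclass
class Indicator:
    type: str
    value: str
    sources: set = field(default_factory=set)   # who reported it (corroboration)
    best_reliability: str = "C"                  # best grade among reporting sources
    last_seen: date = date.min                   # newest sighting across sources

def aggregate(feeds):
    """Merge duplicate reports of one indicator into a single correlated record."""
    merged = {}
    for r in feeds:
        ind = merged.setdefault((r["type"], r["value"]), Indicator(r["type"], r["value"]))
        ind.sources.add(r["source"])
        if RELIABILITY_RANK[r["reliability"]] > RELIABILITY_RANK[ind.best_reliability]:
            ind.best_reliability = r["reliability"]
        ind.last_seen = max(ind.last_seen, date.fromisoformat(r["seen"]))
    return list(merged.values())

def tailor(indicators, today, wanted_types, max_age_days=90):
    """Keep only indicators the environment can act on and that are recent enough to matter."""
    return [i for i in indicators
            if i.type in wanted_types and (today - i.last_seen).days <= max_age_days]

def correlate(indicators, log_lines):
    """Match tailored indicators against log lines; each hit keeps its provenance."""
    hits = []
    for line in log_lines:
        for ind in indicators:
            if ind.value in line:
                hits.append({"line": line, "indicator": ind.value,
                             "sources": sorted(ind.sources), "reliability": ind.best_reliability})
    return hits
```

Running `correlate(tailor(aggregate(FEEDS), date(2015, 6, 10), {"domain", "ip"}), LOGS)` yields one hit for the domain, corroborated by two sources at reliability A, while the stale IP report and the hash (not matchable in proxy logs) are filtered out before matching.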