Threat intelligence: a key brick in your cyberdefense

Our connected world's expanding attack surface makes it impossible for organizations to defend against every exploit. Threat intelligence can enhance security and risk management by helping you build proactive defenses, prioritize breach alerts and improve incident response against increasingly sophisticated attackers.

Organizations are working overtime to assess growing risks, and the threat landscape is changing so fast it is impossible for traditional security technologies to keep up. Accurate threat intelligence allows organizations to pinpoint risks, reduce security incidents and respond quickly if an attack occurs.

Analyst firm Gartner's definition of threat intelligence provides a very clear interpretation, characterizing it as "evidence-based knowledge – including context, mechanisms, indicators, implications and action-oriented advice – about an existing or emerging hazard to IT or information assets. It can be used to inform decisions regarding the subject's response to that menace or hazard."

Interest in threat intelligence and its capabilities is growing. By 2020, 15 percent of large enterprises will use commercial threat intelligence services to inform their security strategies, up from less than 1 percent in 2018, according to Gartner.

Intelligence strengthens your security posture

In 2018, the Center for Strategic and International Studies (CSIS) estimated the cost of global cybercrime as $600 billion, with no signs of slowing down. It attributes this growth to quick adoption of new technologies by cybercriminals, the growth of cybercrime-as-a-service, weaker adoption of cybersecurity in lower-income countries and an expanding number of “cybercrime centers” in locations such as Brazil, India, North Korea and Vietnam.

Monetization among cybercriminals has also become easier, thanks to growing black markets in the dark and deep web and the use of digital currencies. At the same time, cybercrime is operating at a huge scale with the FBI estimating that more than 4,000 ransomware attacks occur daily.

Over a decade ago, weekly anti-virus updates were seen as sufficient. Now, even if you update daily, you can be sure that 50 percent of your anti-virus signatures are out of date. Threats are evolving at lightning speed. This means that information telling you certain IPs, domain names or URLs were malicious two days ago may no longer be relevant, because the attackers have moved on to new infrastructure.

This is where threat intelligence comes in; it allows you to determine which threats pose the greatest risk to your organization’s infrastructure, so that you can protect it accordingly.

Threat intelligence tools can also identify whether you have already suffered a breach, by matching indicators of compromise (IOCs) against your systems and logs to determine if any have been compromised. The longer malware stays within a system, working away unrecognized, the more damage it can do.
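The two points above, that indicators go stale quickly and that IOCs are matched against your own systems to spot an existing compromise, can be shown together in a small IOC-matching pass. The following is an added example, not code from the original article or from Orange Cyberdefense: it takes a constructed indicator feed with `last_seen` timestamps (all domains, IPs and log lines are hypothetical, drawn from reserved example ranges), ages each indicator with an exponential half-life, and scans constructed proxy log lines so that a hit on a fresh indicator raises an alert while a hit on a stale one is recorded but not alerted on.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Indicator:
    value: str          # domain or IP address
    ioc_type: str       # "domain" or "ip"
    last_seen: datetime # when the source last observed it in use
    source: str


# Constructed reference time and feed (hypothetical values, not a real feed).
NOW = datetime(2019, 3, 12, 12, 0, tzinfo=timezone.utc)
FEED = [
    Indicator("update-check.example.net", "domain", NOW - timedelta(hours=6), "feed-a"),
    Indicator("203.0.113.45", "ip", NOW - timedelta(days=1), "feed-a"),
    Indicator("files.example.org", "domain", NOW - timedelta(days=14), "feed-b"),
]

# Constructed proxy log lines: timestamp, client IP, destination host, destination IP, request.
LOG_LINES = [
    "2019-03-12T11:58:02Z 10.0.0.15 update-check.example.net 198.51.100.7 GET /ping",
    "2019-03-12T11:59:40Z 10.0.0.22 files.example.org 203.0.113.45 GET /dl",
    "2019-03-12T12:00:05Z 10.0.0.9 intranet.corp.local 10.0.5.1 GET /",
]


def freshness(ind: Indicator, now: datetime, half_life_days: float = 3.0) -> float:
    """Confidence that the indicator is still in use: halves every half_life_days
    since the source last saw it. A 3-day half-life is an assumed tuning value."""
    age_days = (now - ind.last_seen).total_seconds() / 86400
    return 0.5 ** (age_days / half_life_days)


def build_index(feed):
    """Map indicator value -> Indicator for O(1) lookup of hosts and IPs."""
    return {ind.value: ind for ind in feed if ind.ioc_type in ("domain", "ip")}


def scan_logs(lines, feed, now, min_score: float = 0.25):
    """Match destination host and IP of each log line against the feed.
    Returns one record per hit, marked 'alert' when the indicator is still
    fresh enough and 'stale' otherwise (kept for analyst context, not alerted)."""
    index = build_index(feed)
    matches = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than crash the scan
        ts, src_ip, dst_host, dst_ip = fields[:4]
        for candidate in (dst_host, dst_ip):
            ind = index.get(candidate)
            if ind is None:
                continue
            score = freshness(ind, now)
            matches.append({
                "timestamp": ts,
                "client": src_ip,
                "indicator": ind.value,
                "source": ind.source,
                "score": round(score, 3),
                "action": "alert" if score >= min_score else "stale",
            })
    return matches


if __name__ == "__main__":
    for m in scan_logs(LOG_LINES, FEED, NOW):
        print(m)
```

The second log line hits two indicators: the IP seen a day ago (score about 0.79) produces an alert, while the domain last seen two weeks ago (score about 0.04) is kept only as context. In production the half-life would differ per indicator type, since IPs and domains are abandoned by attackers at different rates.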

Sieving the intelligence

Collecting intelligence is a massive task. Information comes from a large variety of sources such as news feeds, paid-for services, forums and even human sources on the dark web, in both structured and unstructured formats. As a tier-one telecoms operator, Orange also has first-hand visibility of early attack signals from its global Internet backbone.

One of the core strengths of Orange Cyberdefense is how it works with vendors, governments and other networks to aggregate and share threat intelligence. Orange Cyberdefense exchanges data with Europol, the European Union’s law enforcement agency. It also recently announced its collaboration with Cert NZ, a New Zealand government cybersecurity unit that advises businesses, organizations and individuals affected by cybersecurity incidents.

Orange Cyberdefense is a founding member of the Phishing Initiative, feeding intelligence into its own as well as partner databases in industries such as financial services for example, to enhance the intelligence on phishing attacks, which are on the increase. Orange Cyberdefense, through its Cybercrime branch, actively participates in the verification and closure of fraudulent phishing sites.

The more information you have, the better prepared you can be. But aggregating information from so many sources is not an easy task, and it can easily throw up too many misleading false positives, where files or settings, for example, are flagged as malicious when they are not.

It is therefore essential that threat intelligence be aggregated, verified and correlated with information from other sources for analysis. As well as having confidence in the data, trust in the sources is paramount. At Orange Cyberdefense, beyond automatic aggregation, our CERT analysts investigate further to ensure threat intelligence integrity and effectiveness. Experts also analyze the behavior patterns of malware to understand how it is evolving. All of this is powered by Orange Cyberdefense's proprietary correlation engine to qualify and verify threats.
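The aggregation, verification and correlation step described in the two paragraphs above can be illustrated with a small correlation routine. This is an added example and is not Orange Cyberdefense's correlation engine or any part of it: it normalizes indicators reported by several constructed feeds so that duplicates collapse into one record, weights each report by an assumed per-source trust value, combines independent reports into a single confidence score, suppresses indicators on an allowlist of shared infrastructure (a common false-positive source), and routes the rest either to "verified" or to analyst review. All source names, trust values and indicators are hypothetical.

```python
from collections import defaultdict

# Assumed trust weight per source (0..1). In practice this is tuned from each
# source's track record of true versus false positives.
SOURCE_TRUST = {"vendor-feed": 0.8, "partner-cert": 0.7, "open-forum": 0.3}

# Constructed raw observations: (source, indicator value, indicator type, tag).
RAW_OBSERVATIONS = [
    ("vendor-feed", "malware-c2.example.net", "domain", "c2"),
    ("partner-cert", "malware-c2.example.net", "domain", "c2"),
    ("open-forum", "MALWARE-C2.example.net.", "domain", "c2"),   # same domain, unnormalized
    ("open-forum", "cdn.sharedhost.example", "domain", "malware"),
    ("vendor-feed", "cdn.sharedhost.example", "domain", "malware"),
    ("open-forum", "198.51.100.23", "ip", "scanner"),
]

# Hypothetical allowlist: hosting shared by many legitimate tenants, where a
# single bad tenant would otherwise get the whole host flagged.
ALLOWLIST = {"cdn.sharedhost.example"}


def normalize(value: str, ioc_type: str) -> str:
    """Canonical form so the same indicator from different feeds deduplicates."""
    v = value.strip().lower()
    if ioc_type == "domain":
        v = v.rstrip(".")  # drop trailing dot from fully-qualified form
    return v


def combined_confidence(sources, trust) -> float:
    """Treat sources as independent evidence: the indicator is wrong only if
    every reporting source is wrong, so confidence = 1 - product(1 - trust_i)."""
    miss = 1.0
    for s in sources:
        miss *= 1.0 - trust.get(s, 0.0)  # unknown source contributes nothing
    return 1.0 - miss


def correlate(raw, trust, allowlist, min_sources: int = 2, min_score: float = 0.5):
    """Aggregate raw reports into one record per indicator with a verdict."""
    by_ioc = defaultdict(set)   # (value, type) -> set of sources
    tags = defaultdict(set)     # (value, type) -> tags seen
    for source, value, ioc_type, tag in raw:
        key = (normalize(value, ioc_type), ioc_type)
        by_ioc[key].add(source)
        tags[key].add(tag)

    results = {}
    for (value, ioc_type), sources in by_ioc.items():
        score = combined_confidence(sources, trust)
        if value in allowlist:
            verdict = "suppressed-allowlist"
        elif len(sources) >= min_sources and score >= min_score:
            verdict = "verified"
        else:
            verdict = "needs-analyst-review"  # single or low-trust source: a human looks
        results[value] = {
            "type": ioc_type,
            "sources": len(sources),
            "score": round(score, 3),
            "tags": sorted(tags[(value, ioc_type)]),
            "verdict": verdict,
        }
    return results


if __name__ == "__main__":
    for value, rec in correlate(RAW_OBSERVATIONS, SOURCE_TRUST, ALLOWLIST).items():
        print(value, rec)
```

The three differently written reports of the C2 domain collapse into one record with three sources and a confidence of 0.958, the shared CDN host is suppressed despite two reports, and the lone forum-sourced IP is held for analyst review rather than pushed to blocking. The independence assumption behind the score is itself something to watch: two feeds that merely republish a third are not independent evidence, and a real pipeline should track provenance to avoid counting the same report twice.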

Your security is only as good as your intelligence

In today's dynamic threat landscape, a threat intelligence-based approach can now be complemented with AI, user and entity behavior analytics (UEBA) and machine learning (ML) to identify anomalies that could indicate a zero-day attack.
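Behavior analytics complements indicator matching because it needs no prior knowledge of the attacker's infrastructure: it flags an entity whose behavior departs from its own baseline. The following is an added example, not code from the original article or any UEBA product, showing the simplest form of that idea: a per-user baseline of daily outbound data volume (constructed, hypothetical figures) and a z-score test against it. The point it makes is that the same absolute change can be normal for one user and anomalous for another, which is why the baseline is per entity.

```python
from statistics import mean, pstdev

# Constructed baseline: daily outbound data volume in MB per user over ten working days.
BASELINE_MB = {
    "alice": [40, 42, 38, 45, 41, 39, 44, 40, 43, 38],
    "bob":   [300, 280, 320, 310, 290, 305, 295, 315, 300, 285],
}

# Constructed observations for today: both users moved more data than usual.
TODAY_MB = {"alice": 410, "bob": 330}


def zscore(history, value) -> float:
    """How many standard deviations `value` sits from the history's mean.
    A flat history (zero deviation) is treated as anomalous for any change."""
    mu = mean(history)
    sd = pstdev(history)
    if sd == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd


def detect_anomalies(baseline, today, threshold: float = 3.0):
    """Return a per-user finding; threshold 3.0 is an assumed tuning value."""
    findings = {}
    for user, history in baseline.items():
        if user not in today:
            continue  # no activity today is not an anomaly for this metric
        z = zscore(history, today[user])
        findings[user] = {
            "baseline_mean_mb": round(mean(history), 1),
            "today_mb": today[user],
            "z": round(z, 2),
            "anomalous": z > threshold,
        }
    return findings


if __name__ == "__main__":
    for user, f in detect_anomalies(BASELINE_MB, TODAY_MB).items():
        print(user, f)
```

Alice's 410 MB is roughly ten times her 41 MB average and scores far above the threshold, while Bob's 330 MB is only about 2.4 standard deviations above his 300 MB average and is not flagged. Real UEBA systems use many more features and account for weekly seasonality, peer groups and slowly drifting baselines, but the per-entity comparison is the core that this sketch shows.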

The better the threat intelligence, the easier it is to anticipate threats and prepare for them. But ultimately it is impossible to collect and analyze every single bit of data. As with traditional intelligence, threat intelligence is only valuable if it can answer the questions you want answered in the time you have, which is why rigorous planning is essential to exploit its full potential.

Find out the six steps you need to take to get on top of cyber threats.

Sébastian Roncin

As a product manager at Orange Cyberdefense, I have been leading service development activities related to threat management (anticipation, detection and response) for almost 10 years. I do not describe myself as a security expert, but as a service expert in the field of security.