Sumo Logic ahead of the pack
Read articleComplete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.
May 12, 2021
It's one thing to detect a cyber attack. It's another to know what the attackers are trying to do, which tactics they are using, and what their next move is likely to be.
Without that additional information, it's difficult to defend effectively against an attack. You can't reliably stop an attack if you are unable to put yourself in the mindset of the attackers.
This is why threat intelligence plays a critical role in modern cybersecurity operations. Threat intelligence delivers the context about attackers' motives and methods that teams need to react as effectively as possible against threats to their IT resources.
Keep reading for a primer on what threat intelligence means, why it's important, and what to consider when implementing a threat intelligence strategy.
Threat intelligence is the collection and analysis of data that reveals what, why, and how cyber attackers are operating.
In other words, threat intelligence is the process of leveraging data to determine the motives, targets, and next moves of an attacker. It provides critical context that allows security engineers, developers, and IT teams to predict what attackers are going to do next, estimate the resources that attackers have at their disposal, predict which IT assets the attackers are likely to focus on, and understand what attackers will do with the assets that they have already compromised.
By delivering these insights, threat intelligence provides organizations with the information they need to react efficiently and effectively to threats. Instead of merely detecting that an attack has occurred and taking whichever steps seem most obvious to respond, threat intelligence helps teams see the bigger picture. In turn, it places them in a stronger position to outsmart their adversaries.
Threat intelligence is based on information collected about threats and attackers. But threat intelligence is more than just threat information.
To deliver effective threat intelligence, threat information must be correlated with as much contextual information (such as when a threat first appeared and which other organizations it has targeted) as possible. Expert security analysts then analyze the threat information to provide guidance about the nature of the threat, along with actionable tips that organizations can use to react to the threat.
Thus, whereas threat information is simply data pertaining to a threat, threat intelligence is curated, actionable guidance that teams can use to respond meaningfully to a threat.
Without threat intelligence, security operations tend to look like a game of whack-a-mole. Teams detect a threat or a breach, then respond in the most direct way possible. They might block an IP address from which an attack originated, for instance, or update a service that was left unpatched against a known vulnerability.
But because steps like these only address attacks at the surface level, the threat is likely to keep coming back. The attackers will find a new host from which to operate, or they'll find a new vulnerability to exploit.
With threat intelligence, teams can do more than just hit back against each attack as it pops up. When they understand the broader motives and techniques of the attackers, they can take comprehensive steps to remediate the threat entirely.
To put this another way, threat intelligence helps organizations gain the initiative. Without threat intelligence, you're stuck reacting to each move that attackers make. Threat intelligence puts you in the driver's seat, allowing you to take proactive steps to mitigate the ability of attackers to act.
To understand the value of threat intelligence, imagine a scenario where a team detects an unknown host running port scans against its servers. Without threat intelligence, it's anyone's guess as to who is doing the scanning or what they're hoping to achieve. The team could block the hosts from which the scans originate, but that would not achieve much, because the attackers can simply switch to different hosts.
But with threat intelligence data, the organization could determine that the attackers are cybercriminals whose motive is to access personally identifiable information, and whose preferred intrusion technique involves finding an unsecured open port. The team would then know that it should audit its port usage in order to defend against the attackers' technique, while also hardening its protections for storage resources that house personal data in order to provide another layer of defense in case the network perimeter is breached.
What's more, if the team were to determine that the attackers already found and exploited an open port, threat intelligence would allow the team to know what the next moves of the attackers would be (which would be trying to find and copy personal data in this scenario).
Having intelligence like that on hand is immensely valuable when you know your perimeter was breached and you need to figure out what the consequences were. Without threat intelligence, you'd have to check every log from every system to try to determine what the attackers did. Threat intelligence helps you pinpoint their most likely targets so you can start your review there.
Threat intelligence can be broken down into multiple stages or processes:
Planning: Teams responsible for responding to threats identify the types of threats and threat actors they need to analyze and understand.
Data collection: After identifying threat intelligence goals, the organization collects raw data that contains the insights necessary to achieve those goals.
Data analysis: By aggregating data from multiple sources and analyzing it collectively, the organization can draw conclusions about the nature of each identified threat. At this point, threat intelligence has been generated.
Sharing: After threat intelligence is available, it must be shared with relevant stakeholders. These include not just security engineers, who typically take the lead in threat response, but also IT engineers, developers, and possibly non-technical business units that are impacted by the threat.
Continuous improvement: After threats have been remediated with the help of threat intelligence, organizations should evaluate the process and find opportunities for improvement. Maybe they could incorporate more data, for instance, or share intelligence faster. No matter how effective your threat intelligence operation is, you should strive continuously to make it better.
You can think of threat intelligence as a cyclical set of processes. The improvement process feeds back into planning, and it starts all over again. Threats are always evolving, and threat intelligence must evolve with them.
Threat intelligence can take a variety of forms, some of which are better than others. To leverage the greatest value, strive to implement threat intelligence focused on the following goals.
Threats come in many forms and involve many variables. They range from cybercriminals using phishing to break into systems and steal financial data, to nation-state threat actors spreading disinformation, to corporate spies relying on malicious insiders to plant malware, and beyond.
Your threat intelligence strategy must provide insights into any and all threats you may encounter. Although you can and should prioritize the threats that are most common in your industry or geographic region, you must also be prepared with threat intelligence that can help you respond when unexpected threats emerge.
The more data you can correlate with threat intelligence, the clearer the context you'll have for detecting and responding to threats. Toward that end, strive to integrate threat intelligence data with other data sources, even if they don't have direct security implications. For example, the ability to correlate server and application logs with threat intelligence is often crucial for determining which specific systems and applications are affected by the threats in question.
Don't manage threats just to manage threats. Your ultimate goal should always be to understand the impact of a threat on the business, and to take steps to mitigate that impact. Think about how many users would be impacted by a threat, how serious the damage that could result from the threat would be, and so on, and then take steps to minimize the number of users affected or the seriousness of the attack. These strategies help align threat intelligence with business priorities.
Sumo Logic's CrowdStrike integration makes it easy to use the data you already collect in Sumo Logic as the basis for deep insights into cyber threats. Using a constantly updated threat database, Sumo Logic can detect relevant threats based on your log data and provide the intelligence you need to respond effectively.
Reduce downtime and move from reactive to proactive monitoring.
Build, run, and secure modern applications and cloud infrastructures.
Start free trial