On April 30, data from pilots of American Airlines Group Inc. and Southwest Airlines Co. was exfiltrated, compromising the personally identifiable information (PII) of at least 8,700 records. This PII data may have included social security numbers, driver’s license information, passport numbers, and other government-issued personal information. Hackers successfully breached data from a third-party online recruitment agency, Pilot Credentials, although the specific method of the attack remains unclear.
This was just one in a string of third-party supply chain attacks affecting the travel industry, along with the MOVEit supply chain attack, which affected British Airways and compromised its employees’ personal data.
Security professionals agree that the best line of defense for your organization against these types of data breaches is with a combination of threat intelligence tools from open source, commercial and vendor threat feeds. While open-source intelligence tools collect data from the deep, dark and open web, commercial intelligence tools use a combination of open and commercial threat data. Commercial threat intelligence tools also have the added value of analyzing, enriching, and integrating that data with other security tools.
Why Threat Intelligence is Important for Organizations
With the number of malware, DDoS and botnet attacks occurring every day, it’s critical that organizations have threat intelligence solutions to protect them against both current and emerging cyber threats. Threat intelligence works with threat detection to help an organization identify how an attacker might target it and how it can best defend itself.
Other benefits of threat intelligence include:
- Fewer false positives. Proper threat intelligence delivers context of each threat and prioritizes them so that your security team isn’t overwhelmed by threats that are insignificant.
- Faster response. The ability to process threat data in a structured manner allows your organization’s incident response teams to deliver a quicker response than it would if it had to deal with unstructured, raw data.
- A proactive approach. By using threat intelligence to strengthen your organization’s security posture, you’ll move away from a reactive approach to dealing with cyber threats. For example, it can detect which types of internal controls are most likely to be bypassed, and put company-wide policies in place to strengthen those internal controls.
- More effective communication. Staying ahead of evolving threats enables your security team to effectively communicate them to management, IT, the board and business leaders so that they understand the potential impact and can put the right policies in place to mitigate or remediate against those threats.
- Minimizing data breaches. Threat intelligence tools enable data leak detection at the earliest stages to mitigate leaks and security incidents and improve incident response time. This in turn minimizes the reputational damage, financial cost, legal fees and operational cost that could impact your organization.
- Fewer third-party risks. Threat intelligence tools can also help remediate and mitigate third-party risk through ongoing monitoring of third parties, identifying vulnerabilities and detecting data breaches.
The Main Types of Cyber Threat Intelligence (CTI)
Organizations only benefit from these advantages, however, if they employ a variety of different types of cyber threat intelligence to effectively identify and mitigate against threats. This helps ensure that you can identify threats over different geographic regions, different types and methods of threats, different actors and sources for threats, and in different contexts.
The four main categories of threat intelligence are:
1) Strategic threat intelligence
Strategic threat intelligence includes non-technical information that communicates the risk and business impact to senior executives and managers, including the board of directors. It might include information such as the latest changes in cybersecurity regulations and compliance, how your organization might be impacted and what you can do to stay compliant as the regulations evolve. CISA’s news and events page is an example of a strategic threat intelligence tool that provides information about the latest security measures organizations should take.
2) Tactical threat intelligence
This type of threat intelligence focuses on attackers’ tactics, techniques and procedures (TTPs): the infrastructure and tools they use, their attack vectors, and the targets and types of businesses they go after. For example, it might identify that your organization is vulnerable to a specific type of malware attack, which IOCs to look out for and how to mitigate against them. BlockList.de is a tactical threat intelligence tool that allows users to search for known malicious IP addresses.
3) Operational threat intelligence
Operational threat intelligence feeds gather information about the intent and method of the attack. For example, it might include the attack vectors used, the vulnerabilities exploited, and other valuable information the IT team can use to actively prevent these types of attacks. Have I Been Pwned (HIBP) is an example of an operational threat intelligence tool that collects data from different data breaches so that users can verify whether or not their account has been breached.
4) Technical threat intelligence
Technical threat intelligence focuses on IOCs: information about IP addresses and domains associated with malicious behavior, traces left by malware samples such as changes to the registry, and other information SOC staff need in order to mitigate and defend against cyberattacks. The Malware Information Sharing Platform, or MISP, is a technical threat intelligence tool that allows you to identify IOCs and correlate them with indicators of different malware and attacks.
The 6 Phases of the Threat Intelligence Lifecycle
Each phase of the threat intelligence lifecycle can be adjusted to produce a different outcome if an organization finds it is not achieving its risk management goals.
The phases include:
1) Planning and Direction
This stage defines the goals of your organization’s threat intelligence and the types of intelligence it would like to focus on. For example, your goal might be more effective technical threat intelligence, or it might be faster incident response.
Your goals should also include which assets and targets you are protecting as well as how they might contribute to additional cybersecurity tools and your organization’s network and infrastructure.
2) Collection
Data is gathered from a variety of sources, including logs, data from security devices and networks, threat data feeds, as well as open, deep and dark web sources. The type, amount and quality of the data should all be determined during this phase.
3) Processing
Data processing takes raw data and formats it so that it can be used by all members of your security and IT team. For example, it could include taking unstructured raw data from the open, deep and dark web and structuring it so that it can be further analyzed by other security tools.
4) Analysis
Data is analyzed for anomalous behavior, patterns, context and other insights so that your organization can take proper action, including remediation and mitigation efforts. The data should be scrutinized to ensure that it is accurate, relevant and reliable before it is disseminated to the relevant parties.
5) Dissemination
Data is disseminated to the different members of your organization. At this phase, the organization needs to determine how best to present the threat intelligence data to different departments and leaders, and who is most likely to benefit from the information.
6) Feedback
The threat intelligence cycle is reviewed and relevant stakeholders are asked how relevant the threat data was, whether it was helpful in addressing security incidents and whether the threat intelligence data can be improved in any way. Overall, the organization should evaluate whether or not the threat data helped it achieve its goals.
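As an added illustration (not code from the original article or from any vendor's product), the following Python script walks through the processing and analysis phases on constructed data: two made-up feeds of unstructured text are parsed into typed indicators, indicators reported by more than one source are given a higher confidence, and the structured set is then matched against a few constructed proxy and DNS log lines. Every feed line, IP address (taken from the documentation ranges), domain and hash is invented for the example.

```python
import ipaddress
import re

# Constructed sample feeds (invented text, documentation-range IPs, made-up domain and hash).
RAW_FEEDS = {
    "feed-a": [
        "Observed beaconing to 203.0.113.45 from sample "
        "sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
        "Phishing kit hosted at login-update.example.test, also resolves to 203.0.113.45",
        "Internal scanner noise from 10.0.0.7 (ignore)",
    ],
    "feed-b": [
        "C2 domain login-update.example.test seen in campaign X",
        "Dropper contacts 198.51.100.23 over 443",
    ],
}

# Constructed proxy/DNS log lines to analyse against the structured indicators.
LOG_LINES = [
    "2024-05-01T10:02:11Z proxy src=ws-17 dst=203.0.113.45 url=http://login-update.example.test/a",
    "2024-05-01T10:03:40Z proxy src=ws-02 dst=198.51.100.77 url=http://benign.example.test/",
    "2024-05-01T10:05:02Z dns src=ws-09 qname=login-update.example.test",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_routable_ipv4(value):
    """True for syntactically valid addresses outside the private/loopback ranges."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:          # e.g. 999.1.1.1 matches the regex but is not an address
        return False
    return not any(addr in net for net in PRIVATE_NETS)


def extract_candidates(text):
    """Processing: pull typed (kind, value) tokens out of one unstructured line."""
    text = text.lower()
    found = [("sha256", h) for h in SHA256_RE.findall(text)]
    found += [("ipv4", ip) for ip in IPV4_RE.findall(text) if is_routable_ipv4(ip)]
    found += [("domain", d) for d in DOMAIN_RE.findall(text)]
    return found


def build_indicator_set(raw_feeds):
    """Structure the feeds: one record per (kind, value), merged across sources."""
    merged = {}
    for source, lines in raw_feeds.items():
        for line in lines:
            for kind, value in extract_candidates(line):
                entry = merged.setdefault((kind, value),
                                          {"type": kind, "value": value, "sources": set()})
                entry["sources"].add(source)
    for entry in merged.values():
        # Corroboration by independent sources raises confidence (a crude stand-in for feed scoring).
        entry["confidence"] = "high" if len(entry["sources"]) > 1 else "medium"
    return merged


def match_logs(indicators, log_lines):
    """Analysis: tokenise each log line the same way and look for exact indicator matches."""
    hits = []
    for line in log_lines:
        for kind, value in extract_candidates(line):
            entry = indicators.get((kind, value))
            if entry:
                hits.append({"line": line, "type": kind, "value": value,
                             "confidence": entry["confidence"]})
    return hits


def prioritize(hits):
    """Order findings so corroborated indicators reach analysts first."""
    rank = {"high": 0, "medium": 1}
    return sorted(hits, key=lambda h: rank[h["confidence"]])


if __name__ == "__main__":
    indicators = build_indicator_set(RAW_FEEDS)
    for (kind, value), entry in sorted(indicators.items()):
        print(f"{kind:7} {value:64} {entry['confidence']:6} sources={sorted(entry['sources'])}")
    for hit in prioritize(match_logs(indicators, LOG_LINES)):
        print(f"[{hit['confidence']}] {hit['type']} {hit['value']} <- {hit['line']}")
```

Two design points matter in practice: the log lines are tokenised with the same extractor as the feeds rather than searched as substrings, so `198.51.100.77` cannot accidentally match an indicator for `198.51.100.23`, and private-range addresses are dropped at processing time so that internal scanner noise never becomes an "indicator" that later floods the analysis phase with false positives.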
How Threat Intelligence Tools Find Cyber Threat Indicators of Compromise (IOCs)
Threat actors often behave in a manner that indicates that they are planning an attack. Artificial intelligence tools and machine learning algorithms are able to continuously establish a baseline for usual patterns to quickly detect any anomalous behavior.
These behaviors include:
- Sharp spikes in database volumes. A higher than usual volume of database activity may indicate an attacker attempting to steal data from the database, such as all users’ credit card or social security numbers.
- Unusual domain name system (DNS) requests. If your security team detects different DNS requests than usual, it could signal a command and control attack.
- Abnormal network traffic. This includes both anomalous and suspicious behavior: for example, more incoming or outgoing traffic than usual, unauthorized attempts to access the network, or use of protocols outside the expected set.
- Irregular activity of privileged access users. This behavior could indicate an attack of a malicious insider or the ability of an attacker to bypass authorization or user permission controls.
- An unusually high number of requests for the same file. This signals that a bad actor is attempting to gain access to the file, trying different methods until they finally succeed.
- Numerous failed sign-in attempts. This could indicate an attacker attempting to gain unauthorized access to data. A security tool may block such sign-ins because they are detected as anomalous: from an unusual account, at an unusual time, or from a different location than comparable sign-ins.
- Unscheduled software updates or installations. This could indicate attempts of bad actors to launch malware, execute a ransomware attack or gain unauthorized access to your network.
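Here is an added example, not from the original article, that turns two of the behaviours above into detection logic in Python: a per-host baseline of DNS query counts with a z-score check for sharp spikes, and a scan of authentication log lines for a burst of failed sign-ins and for a successful sign-in from a location not previously seen for that account. The hosts, accounts, locations, counts and log lines are all constructed for the example.

```python
import re
import statistics
from collections import Counter

# Constructed per-host DNS query counts for the last seven hourly windows (the baseline)
# and for the current hour. Hosts and numbers are invented.
DNS_HISTORY = {
    "ws-17": [40, 38, 45, 41, 39, 44, 42],
    "ws-02": [12, 15, 11, 14, 13, 12, 15],
}
DNS_CURRENT = {"ws-17": 43, "ws-02": 310}

# Constructed authentication log lines and the locations previously seen per account.
KNOWN_LOCATIONS = {"jdoe": {"hq"}, "asmith": {"hq", "branch-2"}}
AUTH_LOG = [
    "2024-05-01T02:11:03Z auth user=jdoe result=FAIL loc=other",
    "2024-05-01T02:11:04Z auth user=jdoe result=FAIL loc=other",
    "2024-05-01T02:11:05Z auth user=jdoe result=FAIL loc=other",
    "2024-05-01T02:11:06Z auth user=jdoe result=FAIL loc=other",
    "2024-05-01T02:11:07Z auth user=jdoe result=FAIL loc=other",
    "2024-05-01T02:11:09Z auth user=jdoe result=OK loc=other",
    "2024-05-01T08:30:00Z auth user=asmith result=OK loc=branch-2",
    "2024-05-01T08:31:00Z auth user=asmith result=FAIL loc=hq",
]
AUTH_RE = re.compile(r"user=(\S+) result=(\S+) loc=(\S+)")


def zscore_anomalies(history, current, threshold=3.0, sd_floor=1.0):
    """Flag entities whose current count sits more than `threshold` standard
    deviations above their own baseline. The floor on the standard deviation
    stops a perfectly flat history from turning any small change into an alert."""
    flagged = {}
    for entity, counts in history.items():
        mean = statistics.fmean(counts)
        sd = max(statistics.pstdev(counts), sd_floor)
        z = (current.get(entity, 0) - mean) / sd
        if z > threshold:
            flagged[entity] = round(z, 1)
    return flagged


def signin_anomalies(log_lines, known_locations, fail_threshold=5):
    """Return (rule, account, detail) findings for two sign-in behaviours:
    a burst of failures and a success from a location not seen before."""
    failures = Counter()
    findings = []
    for line in log_lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        user, result, loc = m.groups()
        if result == "FAIL":
            failures[user] += 1
        elif loc not in known_locations.get(user, set()):
            findings.append(("new-location-signin", user, loc))
    for user, n in failures.items():
        if n >= fail_threshold:
            findings.append(("failed-signin-burst", user, n))
    return findings


if __name__ == "__main__":
    print("DNS spikes:", zscore_anomalies(DNS_HISTORY, DNS_CURRENT))
    for finding in signin_anomalies(AUTH_LOG, KNOWN_LOCATIONS):
        print("sign-in:", finding)
```

Each host is compared against its own history rather than a fleet-wide average, which is what keeps a naturally busy host from being flagged while a quiet one that suddenly issues hundreds of queries is. The sign-in rules are deliberately simple; in a real deployment the known-location set would be learned from historical successful sign-ins rather than hard-coded.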
What Organizations Should Evaluate in Threat Intelligence Tools
Cybersecurity professionals are responsible for ensuring their security tools deliver real-time threat intelligence to identify and mitigate against security incidents, data leaks, vulnerabilities and cyber threats so that incident response teams can be as effective as possible.
Regardless of the category and type of threat intelligence your organization is looking to focus on, your threat intelligence tool should include:
- Data collection and analysis. It must be able to gather data from multiple sources, including open, deep, dark and commercial sources and analyze them accordingly.
- Focus on external threats. Detecting external threats is the primary goal of a threat intelligence tool, although it may integrate with other security tools that protect against additional threats such as Known Exploited Vulnerabilities.
- Comprehensive visibility. It should be able to provide context of the threats so that organizations have a deep understanding of the TTPs, attack vectors and motivations of attackers.
- Accurate security monitoring. Although it has comprehensive data from multiple sources, it should be able to prioritize threats accurately to minimize false positives, which divert time and resources away from the security and IT teams.
- Integration with your IT environment. This integration should include not only your hardware, cloud and network infrastructure but also third-party security tools so that it can deliver visibility and contextual information about emerging threats.
Examples of Types of Cyber Threat Intelligence Tools
Although many well-known organizations offer commercial cyber threat intelligence tools, there are a number of open source threat intelligence tools available as well. While open source tools have the advantage of being free and available to anyone, and leverage the experience of a community of security experts, they are equally available to malicious threat actors.
These open source tools can also be divided into a few different categories:
- Security information and event management (SIEM) tools. SIEM tools collect data from servers, network devices, applications, etc. Context is then added to the data through threat intelligence feeds and analyzed in real-time.
- Malware disassemblers. These tools reverse engineer malware, helping security teams understand how they work so that they can protect your organization against similar attacks.
- Threat intelligence communities. These tools include many organizations that work together to gather data about the most recent attacks, IOCs, vulnerabilities, etc., with the goal of better threat analysis and defense.
- Network traffic analysis. These tools identify traffic anomalies, bottlenecks and latencies to help spot suspicious behavior such as communication with malicious IP addresses, optimize performance, and support investigations that reconstruct the steps attackers took leading up to a security incident.
How Panorays Helps Manage Third-Party Cyber Risk
Panorays integrates with both open source and commercial threat intelligence tools to defend against third-party risk. Its automated security questionnaires, combined with its external attack surface assessments, enable organizations to defend against third, fourth and n-th party risks and meet new compliance standards such as DORA, GDPR and NYDFS. It also tracks and manages SBOM information from third parties to ensure they meet these regulations and compliance standards as well.
Panorays’ near real-time intelligence goes beyond traditional Governance, Risk Management and Compliance (GRC) cybersecurity solutions to identify Known Exploited Vulnerabilities (KEVs), Common Vulnerabilities and Exposures (CVEs) and data breach information and other security threats in your third and fourth parties so that your organization can better manage risk.
In addition to assessing your organization’s external attack surface, you can use its dark web insights to monitor whether your brand has been mentioned on dark web forums and marketplaces and to evaluate whether it is at risk of a data breach.
Threat intelligence tools deliver information about the latest indicators of compromise (IOCs), attack methods, types and vectors attackers would use to infiltrate your network or infrastructure. Depending on the type of tool, the information can be operational, tactical, strategic or technical. Threat intelligence tools also fall into different categories. For instance, they could be narrowly focused on detecting, analyzing and reverse-engineering malware, or they could include lots of different data pooled from various organizational, community and expert resources.
One example of a threat intelligence tool is Malware Information Sharing Platform (MISP). It is a free, open-source tool that collects high volumes of unstructured information about indicators of compromise (IOCs), suspicious domains and IPs, alerts and reports and structures them so that they can be more easily shared with various parties and integrated into your organization’s other security tools. Other commercial examples of threat intelligence tools are those developed by leading organizations such as Cisco and Kaspersky.
There are four different types of threat intelligence data:
1. Operational threat intelligence. Data that helps determine when and where an attack will occur as well as the motivations of the attacker. For example, it may identify the part of the attack surface most likely to be attacked and suggest methods for protecting the network accordingly.
2. Technical threat intelligence. Data that focuses on IP addresses, the specific type of malware attack, indicators of compromise (IOCs), and other technical information to analyze emerging threats.
3. Tactical threat intelligence. Data that includes the different methods attackers are using (e.g., attack vectors), industries and types of businesses targeted and specific tools and infrastructures.
4. Strategic threat intelligence. Data that includes high-level information and explains non-technical information, such as the business risk of emerging threats or attacks. This data can be presented effectively to high-level managers.
The six stages of the threat intelligence lifecycle include:
1. Planning and Direction. Define your goals, including the assets and targets you’d like to focus on.
2. Collection. Data is collected from a wide variety of sources, including the open, deep and dark web as well as threat data feeds.
3. Processing. Data is processed so that it can be communicated to all members of your organization.
4. Analysis. Data is analyzed for anomalous behavior, patterns, context and other insights so that your organization can take necessary action.
5. Dissemination. Data is distributed to all relevant members of your organization.
6. Feedback. Data is evaluated after the fact to determine its relevancy and if it helped defend against security incidents, or if changes should be made.