Threat intelligence is a necessary element of any cybersecurity program because without it, vulnerability management is almost impossible. As of this writing, NIST had published 161,463 vulnerabilities, any one of which may or may not be relevant to a particular company.
Without threat intelligence, security teams tend to prioritize vulnerabilities based on their severity. Bad actors know this, which is why they often exploit medium severity vulnerabilities. Conversely, with threat intelligence, organizations can focus on and prioritize the vulnerabilities that are relevant to them.
Threat intelligence is not one thing, however. Like other aspects of cybersecurity, it involves different kinds of technology, some of which overlap in terms of capabilities.
“Intelligent” threat intelligence
AI is seeping into every imaginable type of software, including cybersecurity tools. In a threat intelligence context, AI identifies potential threats, analyzes them and helps to resolve the issue (automatically, by making recommendations and/or escalating the matter to cybersecurity professionals).
Cyber automation is necessary because so many attacks are automated. If enterprises fail to automate threat intelligence, they’re fighting a battle they can’t possibly win.
Some of the things cyber automation can do include:
- Assessing threats in the network;
- Preventing an attack from advancing further;
- Proactively preventing a threat;
- Identifying groups of threats which behave similarly; and
- Enabling predictive vulnerability assessment.
The intelligence aspect of cyber AI detects and analyzes threats. It also speeds remediation by taking proactive action or providing security professionals with actionable intelligence.
Security Information and Event Management (SIEM) analyzes the security alerts generated by applications and network hardware and generates security logs that can be used for reporting, compliance and auditing purposes. SIEM is available in different forms including software, hardware (appliances) and managed services.
In addition to aggregating data from various sources, SIEM also correlates data and provides an automated analysis of correlated events which are displayed in a dashboard. The data it collects can be used for forensic analysis, to detect configuration issues, to identify attackers and victims and to pinpoint various types of activity including brute force, denial of service and zero-day attacks.
Security Orchestration, Automation and Response (SOAR) also provides essential intelligence. Its security orchestration capabilities integrate various tools such as behavioral analytics, endpoint security, firewalls, intrusion detection and prevention systems (IDSs and IPSs), SIEM and more. Its automation capabilities enable continuous monitoring, the automation of previously manual tasks such as vulnerability scanning, automated response and handoffs to security professionals as needed.
IDS, IDR, IPS
Intrusion detection systems (IDSs) followed the introduction of firewalls when it became obvious that firewalls could not keep hackers out of systems and networks. IDSs detect a breach in an effort to minimize the potential damage. Today’s IDSs are either signature-based or anomaly-based.
One of the challenges with traditional IDSs is their lack of response intelligence. While traditional IDSs can identify what happened, they don’t include the recommendation aspect which is present in more modern Intrusion Detection and Response (IDR) options. With the help of AI, the IDR systems are constantly identifying and monitoring threats and accelerating remediation.
Intrusion prevention systems (IPSs) proactively identify threats through continuous monitoring. They detect patterns that suggest potential incidents and threats. Unlike IDSs, their purpose is to prevent attacks from happening in the first place.
OSINT and Dark Web
Open-source intelligence (OSINT) uses publicly available resources such as information that can be found on the Internet, in the media, in research papers or journals, on corporate websites, in IP databases (e.g., the U.S. Patent and Trademark office (USPTO), social media and more. This information can be combined with information on the Dark Web to help identify cybercriminals. OSINT can be used to identify data hackers could use against an organization such as information about employees, IT assets or the company.