NAFCU Services Blog

Sep 27, 2023

Cyber Threat Intelligence: The Key to Threat Surveillance

By William Wetherill - Director of Cybersecurity Operations - DefenseStorm

Am I safe? It seems like a simple question; however, this question really asks, “Am I at risk of suffering a successful cyber attack?” If you are familiar with risk treatments, then you know there is rarely a straightforward yes or no answer, making this a much more complex question. This concern inevitably weighs on the minds of those of us with a responsibility to protect our organizations against cyber attacks. After learning about a cyber attack on the news or reading how cybercriminals are targeting your industry, this question is one of many that keeps frontline cybersecurity workers up at night. Credit unions, in particular, are a prime target for cyber attacks due to the data and valuable assets they are entrusted to protect. Stories of cyberattacks on the financial services industry continue to dominate headlines, and threat actors are becoming more innovative and audacious in their attempts to breach systems. So, how do we prepare for these challenging attacks? Prioritize the collection of cyber threat intelligence and use it to drive alerting in your operational environment, resulting in more efficient threat surveillance and, ultimately, a more effective cyber risk management program.

Threat Intelligence 101

News about cyber attacks is generally split into two categories: zero-days and powerful exploits. A zero-day is any attack that we have “zero days” to prepare for, and those powerful exploits are tools that allow attackers to compromise common or hard-to-patch services. In other words, both types of attacks have a high chance of success, so credit unions must diligently and continually gather cyber threat intelligence to enhance their cybersecurity posture and protect their members from potential cyber attacks.

Cyber threat intelligence is a collection of indicators that act as clues to detect events that warrant an investigation. Some indicators may be stronger than others, but intelligence generally encompasses the tactics, techniques, and processes threat actors use, even identifying new and different attempts by cybercriminals. This intelligence can be compelling for a security operations team, as cybercriminals constantly try to stay hidden and under the radar. In this game of cat and mouse, think of threat intelligence like crumbs of cheese or scratches on the wall that indicate the presence of mice and the need to investigate further.

From an operational perspective, threat intelligence is any information integrated into the system or process to help detect potential cyberattacks and is gathered from a variety of different sources. In some cases, specific tactics like those outlined within the MITRE ATT&CK framework and technical briefings or those provided by the National Security Agency (NSA), Department of Homeland Security (DHS), and Federal Bureau of Investigation (FBI) can be considered threat intelligence. Even the Federal Financial Institutions Examination Council (FFIEC) offers information that could be regarded as threat intelligence. This type of intelligence guides alert creation and educates staff on how attacks play out. The more current the data, the better!

The Power of Threat Intelligence Feeds

Even with all the sources of threat intelligence, cybercriminals still find novel ways to attack us, and that is where threat intelligence feeds come in. A feed is a collection of artifacts that integrate into our alerting software to inform us immediately when there is evidence of a known malicious action. A well-managed threat intelligence feed contains up-to-date and specific indicators for active attacks.

Not all intelligence fits in a neat package, but the majority of threat intelligence will either be network indicators, such as IP addresses or URLs, or file indicators, which could be file names or, better yet, file hashes [a unique signature for data that helps to identify it in a verifiable way]. Depending on your monitoring software, there is the ability to build your own feed from discovered indicators or subscribe to feeds that are managed by threat intelligence professionals. Feeds tailored to your industry are most beneficial. This “just-in-time” data can be a literal business-saver because the ability to spot a threat quickly based on indicators from ongoing attacks or recently released information is incredibly powerful. But threat feeds are only as good as the data within them, so continuous maintenance is crucial.

Threat feed maintenance requires you to “keep your finger on the pulse,” as new indicators can appear anytime. This is generally done through open-source intelligence gathering (OSINT), which pulls from many different online sources, including but not limited to Twitter, Really Simple Syndication (RSS) feeds, or dedicated security sites. Maintenance requires testing indicators for reliability and phasing out old indicators that are no longer actionable. Attackers constantly change their tactics, so a high-quality threat feed should also be adaptable and updated regularly.
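The feed maintenance and alert matching described above, sketched as an added example that is not code from this article or from any monitoring product. The expiry windows, field names, source labels and sample indicators are all assumptions constructed for illustration.

```python
from collections import namedtuple
from datetime import date, timedelta

# Assumed shelf life per indicator type (illustrative values, tune locally):
# network indicators go stale quickly, file hashes stay useful far longer.
MAX_AGE = {"ip": timedelta(days=30), "url": timedelta(days=60),
           "sha256": timedelta(days=365)}

# kind is "ip", "url" or "sha256"; last_seen is the source's latest sighting.
Indicator = namedtuple("Indicator", "kind value last_seen source")

def normalize(kind, value):
    # Simplification: lowercases the whole value, including URL paths.
    value = value.strip().lower()
    return value.rstrip("/") if kind == "url" else value

def build_feed(indicators, now):
    """Phase out expired indicators; keep the freshest sighting of each value."""
    feed = {}
    for ind in indicators:
        if now - ind.last_seen > MAX_AGE[ind.kind]:
            continue  # no longer actionable
        key = (ind.kind, normalize(ind.kind, ind.value))
        if key not in feed or ind.last_seen > feed[key].last_seen:
            feed[key] = ind
    return feed

def match_events(feed, events):
    """Return (event id, indicator kind, feed source) for each field found in the feed."""
    hits = []
    for event in events:
        for kind in MAX_AGE:
            key = (kind, normalize(kind, event.get(kind, "")))
            if key in feed:
                hits.append((event["id"], kind, feed[key].source))
    return hits

NOW = date(2023, 9, 27)
# Constructed sample data: documentation-range IPs, a reserved .example host, a dummy hash.
FEED = build_feed([
    Indicator("ip", "203.0.113.7", date(2023, 9, 20), "osint-rss"),
    Indicator("ip", "198.51.100.23", date(2023, 6, 1), "osint-rss"),  # stale, dropped
    Indicator("url", "http://Phish.example/login/", date(2023, 9, 1), "industry-feed"),
    Indicator("sha256", "ab" * 32, date(2023, 1, 15), "internal-ir"),
], NOW)
EVENTS = [{"id": "e1", "ip": "203.0.113.7"}, {"id": "e2", "ip": "198.51.100.23"},
          {"id": "e3", "url": "http://phish.example/login"}, {"id": "e4", "sha256": "AB" * 32}]
HITS = match_events(FEED, EVENTS)
```

Event e2 produces no alert because its indicator aged out of the feed, which is the trade-off of phasing out old indicators: less noise, at the cost of missing an address that comes back into use.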

The Future of Threat Surveillance

While all risks cannot be eradicated, efficiently integrating threat intelligence gathering into business operations can significantly reduce the impact of potential risks. Credit unions can then proactively identify and mitigate potential threats before they materialize, creating a powerful threat surveillance solution. This approach not only minimizes the risk of financial loss and reputational damage but also enhances overall security posture. Combine powerful threat intelligence data with 24/7/365 monitoring, and you have the answer to your question about whether your credit union is safe because proactive and vigilant preparation defines safety.
