Why organisations need to adopt a bespoke threat intelligence strategy for maximum protection.
Cyber risk management means understanding the environment you are operating in so that you can predict the likelihood of an incident occurring, and design and implement appropriate mitigation strategies to minimise the probability and disruption.
That environment includes constantly adapting adversaries that have established collaborative networks that operate in private, in the darkest recesses of the internet. Designing appropriate strategies means first identifying what can be found in these underground networks.
The key to identifying emerging threats before they develop into significant risks is to undertake intelligence monitoring.
Threat intelligence experts can find stolen data, personal information, breached credentials, proprietary code and other sensitive data.
Finding these stolen assets can often be the first indication that you have had a breach. Breaches can remain undetected for longer than you might think.
It can take months before internal security teams become aware of a breach, which is why undertaking regular external intelligence monitoring can minimise the dwell time of some attacks.
The aim of threat intelligence is to find actionable data that can be used to better understand threats and put mitigation strategies in place to protect company networks and endpoints from attacks.
Threat intelligence experts look for information such as attackers’ identities, capabilities, motivations and plans. This allows security experts to learn about attacks that are planned or already in progress before the damage is done.
Threat intelligence is about looking beyond your boundaries and using a variety of tools and techniques to find information that criminals don’t want to share.
Just as police forces around the world look to listen in to criminals’ conversations and monitor their activities, cyber security experts do the same by surveying hard-to-detect underground websites and the Dark Web – the almost invisible part of the internet frequented by criminals – to monitor their activity and assess risk.
Recently, a major payments platform learned of activity in Dark Web markets with Australian threat actors offering “cash out services” for financial cards. And a fast-food chain identified a criminal gang trafficking vouchers for free or discounted meals.
In order to understand adversaries or track them down after an attack, threat intelligence experts need to learn how they operate.
That means infiltrating hacker communities, finding the places where online criminals share information and surveying the marketplaces where they sell and exchange everything from stolen passwords to complex tools and methods for breaking into enterprise and government systems.
By obtaining data breach intelligence and analysing password reuse possibilities, a financial services company recently learned that a hacked social media account led to a potential breach of the company VPN.
A high-ranking employee was using the same password for the VPN as their social accounts. When the social media accounts were compromised, the VPN became vulnerable. It was only by scouring the Dark Web that the threat was detected and neutralised.
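The password-reuse check behind the VPN case above, as an added example that is not part of the original article or of Tesserent’s tooling: it assumes a breach record in the common email:password layout (plaintext or already-cracked passwords), an in-house store of salted PBKDF2 hashes for VPN accounts, and a mapping from personal addresses seen in breach data to corporate usernames, and it returns the accounts whose VPN password matches a leaked one so they can be reset.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; assumed, not from the article

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_account(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

# Constructed VPN account store: username -> (salt, hash). jsmith reuses the
# password from a social account, mirroring the case in the article.
VPN_ACCOUNTS: Dict[str, Tuple[bytes, bytes]] = {
    "jsmith": make_account("Winter2023!"),
    "akhan": make_account("correct horse battery staple"),
}

# Constructed mapping of addresses seen in breach data to corporate usernames.
EMAIL_TO_USER = {
    "john.smith@example-mail.test": "jsmith",
    "a.khan@example-mail.test": "akhan",
}

# Constructed breach dump in the common "email:password" layout.
BREACH_DUMP = """\
John.Smith@Example-Mail.test:Winter2023!
a.khan@example-mail.test:hunter2
unrelated@other.test:Password1
malformed record without separator
"""

def find_reused_credentials(dump: str, accounts: Dict[str, Tuple[bytes, bytes]],
                            email_to_user: Dict[str, str]) -> List[str]:
    """Return VPN usernames whose current password equals a leaked password."""
    at_risk = set()
    for raw in dump.splitlines():
        if ":" not in raw:
            continue                              # skip malformed records
        email, leaked = raw.split(":", 1)         # a password may itself contain ':'
        user = email_to_user.get(email.strip().lower())
        if user is None or user not in accounts:
            continue                              # not one of our accounts
        salt, stored = accounts[user]
        if hmac.compare_digest(hash_password(leaked, salt), stored):
            at_risk.add(user)                     # force a reset for this account
    return sorted(at_risk)
```

Running the check inside the identity provider, rather than exporting hashes to an analyst, keeps the credential store where it belongs; the in-memory store here exists only so the example runs offline.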
Navigating this complex labyrinth is about more than finding an IP address and connecting to Tor or finding an Internet Relay Chat channel. It requires a variety of different intelligence gathering techniques, tools and knowledge that are far outside the capability of traditional scanning tools and penetration testing.
These tools do have a place in your cyber security arsenal, but they are not enough to thwart the most determined, sophisticated and well-resourced cyber criminals.
Even the purchase of new infrastructure can be a source of risk. A large company was about to install a new security camera system but was concerned about its security.
The concern was heightened because several of the cameras under consideration are manufactured in China, raising the risk of state-sponsored backdoors.
By reviewing all of the manufacturers, each camera was allocated a rank based on the security and reliability of its provider. This enabled the utility to choose the most secure vendor for its new surveillance system.
Threat intelligence monitoring can be executed in several different ways. A good place to start is to undertake a one-off “snapshot”.
After first gaining an understanding of your organisation, a threat intelligence expert can conduct a survey of the broader threat landscape and identify if any of your confidential information has been stolen and is accessible online, whether you’re being targeted by a specific attacker, or if you are at risk of a new attack method.
This approach can be repeated at regular intervals as part of a broader security strategy that involves penetration testing and other proactive security measures.
Organisations that feel they are at a heightened level of risk can engage experts who conduct ongoing monitoring. As new risks emerge, you can be notified so you can put appropriate mitigation processes in place.
If you’ve unfortunately suffered an attack, you can conduct post-incident threat intelligence in order to understand the impact of the breach. For example, experts can look on criminal marketplaces and the Dark Web to see if any stolen data is being traded or made available in some way.
They can also learn about how the breach occurred so you can put steps in place to minimise the risk of a repeat attack.
When an unauthorised cryptocurrency miner was detected in a corporate network, it was possible to trace the source all the way to a specific individual in the United States by taking a deep look at how the hacker infiltrated the network. This allowed the victim of the attack to update its security protocols to minimise the chance of another breach.
Threat intelligence is one of the most powerful tools organisations have at their disposal to understand and mitigate the risks of a cyber attack.
By monitoring the activities of criminals, experts can design strategies to avoid or minimise the damage from an attack.
It also allows for a more thorough post-incident review with the potential for knowing who carried out an attack, what tools and methods they used and how to manage ongoing risk.
Tesserent is a full-service cybersecurity and secure cloud services provider, partnering with clients from all industries and all levels of government. Let’s talk.