Threat intelligence is defined as the evidence-based knowledge used to inform decisions and prioritization efforts for organizational response to known or potential cyberattacks. This includes a broad application of information, tools, and policies that allow an organization to minimize the risk presented by cybersecurity threats.
Unlike more standardized cybersecurity disciplines such as endpoint security, the definition and practice of threat intelligence may vary by organization. In general, the concept encompasses all efforts to bolster security posture through incident response, reporting, and compliance remediation. Common elements of threat intelligence focus on data collection to prepare for, prevent, identify, and remediate security events that can compromise valuable resources.
To effectively leverage threat intelligence in cybersecurity, one must adopt a holistic approach with multiple phases. Within each phase, a similar dedication to comprehensive data collection and analysis is required.
Threat intelligence can produce quantifiable, ongoing benefits for any organization. This is especially true during detection and response. By leveraging enriched flow records and ready access to individual packets, anomalous activity and lateral movement patterns can be identified quickly during the detection phase. High visibility into user, IP, and MAC relationships means other impacted devices can be assessed and customer exposure minimized.
Investigation efficiency translates directly into cost savings during the response phase. Studies have shown that breach response cycles of less than 200 days are on average $1.2M less costly than those spanning 200 days or more. Information is at the heart of this improved efficiency. Recorded threat intelligence data is proof of what was exfiltrated, when, and how much. Reporting costs and regulatory fines from privacy legislation like GDPR and CCPA are also minimized through detailed data capture and expedited response times.
Threat intelligence using flow-based solutions goes far beyond basic status report generation. Optimized threat intel adds a layer of analytical sophistication to the flow-based capture, leveraging multiple techniques to produce complete solutions.
Integrating authentication details from Active Directory, IP addresses from NetFlow, MAC addresses from ARP tables, and cloud data provides unprecedented network visibility. Backed by full fidelity forensics, enriched flow-based data also enables IP blacklists and traffic profile baselines to be continually updated and improved.
Cybersecurity intelligence data can be used to produce real-time threat maps that drill down to specific network monitoring use cases. This includes threat intel on who is (or was) using a rogue device and where it is located. Threat maps also provide insight into the communication history of the rogue device that points to root cause and exposure levels. Full packet capture can be used to “rewind” directly to critical moments in the breach or malicious event history so that detailed network conversations can be analyzed.
Vulnerability management is closely related to threat intelligence. Specific vulnerabilities inherent to web applications or network infrastructure are what bad actors rely on for their mode of entry. Although vulnerability threat intelligence is an important subset of a holistic strategy, the two concepts differ in focus and scope.
Vulnerability threat intelligence is integral to protection and detection efforts. Penetration testing (pen testing) is a common practice for subjecting the network to attempted breaches that simulate real-world hacking. Appropriate security patches and other vulnerability remediation tasks are prioritized and deployed in a continuous fortification cycle.
By using threat intelligence to develop threat actor profiles, IP blacklists, and rich historical context on the tactics, techniques, and procedures (TTPs) of intruders, vulnerability prioritization can be better aligned with emerging trends. This application of informed decision making underscores the potential of data-centric cyber threat intelligence.
A combination of user-centric flow analysis and deep packet capture enables the full power of threat intelligence to be leveraged. VIAVI has developed industry leading tools to optimize detection and response cycles while enhancing overall network security.
When identity is spread across a mixture of authentication tools, it is difficult to quickly trace host device identity, location, and communication channels during detection. Observer GigaFlow bolsters threat intelligence by combining infrastructure, network, and user data into enriched flow records that are stored for convenient recall and analysis. Unauthorized device infiltration, lateral movement, or other rogue activities are identified in seconds rather than hours or days.
The GigaFlow interactive IP Viewer provides a window into the network application, user, IP, and MAC relationships. Simply entering a host device or username produces an instantaneous trace of associated Layer 2 and 3 device and application usage details. This capability extends to all network infrastructure including elements not generating conventional flow data.
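The enrichment and user-to-IP trace described above (joining NetFlow IPs, ARP MAC addresses, and Active Directory logon events, then querying by username) as an added illustration; this is not VIAVI code, and the record shapes, the ARP table, and the logon events are constructed sample data. The point it makes beyond the text is that the IP-to-user mapping must be resolved as of the flow's timestamp, because an address reassigned to another account later must not be attributed to the earlier user.

```python
"""Time-aware flow enrichment: joins NetFlow-style records with an ARP
table (IP -> MAC) and Active Directory logon events (user -> IP over
time) to build enriched records, then traces activity by username.
All data below is constructed sample input, not real captures."""
from bisect import bisect_right
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes: int


# Constructed ARP table and AD logon events (logon time, user, ip)
ARP = {"10.0.1.5": "aa:bb:cc:00:01:05", "10.0.1.9": "aa:bb:cc:00:01:09"}
LOGONS = [(1000, "alice", "10.0.1.5"), (1500, "bob", "10.0.1.9"),
          (3000, "mallory", "10.0.1.5")]   # 10.0.1.5 reassigned at t=3000
FLOWS = [Flow(1200, "10.0.1.5", "10.0.2.20", 445, 4_000),
         Flow(1600, "10.0.1.9", "10.0.2.20", 445, 800),
         Flow(3100, "10.0.1.5", "10.0.2.21", 3389, 90_000),
         Flow(900, "10.0.1.5", "10.0.2.22", 22, 100)]  # before any logon


def build_user_index(logons):
    """Per IP, sorted (logon_time, user) pairs for time-aware lookup."""
    idx = defaultdict(list)
    for ts, user, ip in sorted(logons):
        idx[ip].append((ts, user))
    return idx


def user_at(index, ip, ts):
    """User logged on at `ip` as of `ts`, or None if no logon yet."""
    entries = index.get(ip, [])
    pos = bisect_right(entries, (ts, "\uffff"))   # last logon with time <= ts
    return entries[pos - 1][1] if pos else None


def enrich(flows, arp, logons):
    """Attach user and MAC to each flow using the logon state at flow time."""
    index = build_user_index(logons)
    return [dict(ts=f.ts, src_ip=f.src_ip, src_mac=arp.get(f.src_ip),
                 user=user_at(index, f.src_ip, f.ts), dst_ip=f.dst_ip,
                 dst_port=f.dst_port, bytes=f.bytes) for f in flows]


def trace_user(enriched, user):
    """Layer 3 activity attributable to one account, oldest first."""
    return sorted((r for r in enriched if r["user"] == user), key=lambda r: r["ts"])
```

The flow at t=900 is left unattributed rather than assigned to the first logon seen later, which is the conservative choice for an investigation timeline.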
Packet capture is an invaluable threat intelligence detection and response tool that streamlines troubleshooting and significantly reduces dwell time. The VIAVI Observer GigaStor is the industry leading packet capture appliance with blazing wire capture and data mining speeds to keep up with the fastest enterprise networks. Each stored packet contains detailed breakouts of network conversations and transactions that can be recalled during the security breach response phase.
Once intrusive software or malware has eluded the intrusion detection system (IDS), it often moves rapidly throughout the network as it probes internally. Backdoors that bypass normal authentication might be used to leave without a trace. Using packet capture, a permanent and complete historical record of this activity can be recalled days or weeks later with precision. The location and impact of the initial breach can be identified quickly, minimizing dwell time and user impact.
When solving a crime, multiple eyewitnesses, forensic evidence, and fingerprinting are the typical precursors of an open and shut case. These same principles apply to cybersecurity intelligence. Enriched flow data and packet capture combine to form a big picture view that identifies bad actors and their tactics. Comprehensive threat intelligence data is equally useful for breach remediation and repair.
Events like DDoS attacks leave distinctive fingerprints, with thousands of connection attempts flooding a service simultaneously. Packet capture produces permanent forensic records of these events that can be reconstructed to analyze the attack and prevent future occurrences. Combined enriched flow data and packet capture can be used to pinpoint with certainty where the bad actor got in, whether they are still there, and how the problem can be fixed efficiently.
Office communication and networking are morphing into a conglomeration of commercial networks, private users and devices, and an increasing reliance on cloud computing. This new reality leads to a mixture of private/personal application usage, unprecedented geographical disparity of network users, and more unsecured endpoints. These endpoints are ready opportunities for hackers, accelerating the need for comprehensive threat intelligence in cybersecurity.
The cost of a cyber threat intelligence failure can be measured in stolen data, regulatory fines, and system downtime. Less quantifiable is the potential loss of hard-won reputation and consumer confidence. With cyber-attacks now a continuous and unavoidable reality, having the right threat intelligence tools to mitigate customer perception through rapid containment and remediation makes good business sense.
The unexpected acceleration of the remote workplace is an example of unplanned change stacked upon planned titanic shifts in the network landscape. The IoT is introducing a new layer of endpoints for objects ranging from medical devices to automobiles and trains. Cyber threat intelligence will be relied upon to protect users and their data, along with the objects and services subject to theft, tampering, and privacy intrusion.
One certainty in the near term is that cybersecurity attacks will continue to grow in number and sophistication. Telecommuting has coincided with a spike in malicious cyber-attacks, and this uptick in activity is not expected to abate any time soon. Socioeconomic conditions, access to technology, and anonymity continue to incentivize bad actors to join the fray with new attacks occurring every 39 seconds. However, when enriched flow records and packet data are utilized to their fullest potential, the enormous threat posed by these trends can be mitigated significantly.