teissTalk: Threat intelligence gathering

teissTalk host Geoff White was joined by Simon Goldsmith, Director – Information Security, OVO; Michael Owen, Senior Pre-Sales, UK&I, IntSights; and Richard Morgan, Head of Security Services at RSA Insurance Ltd.

Views on news

NCSC’s 2021 review is out. This year, the Centre has taken down more than 2.3 million cyber-enabled ‘commodity campaigns’ – unsophisticated, off-the-shelf ‘spoofing’ scams that are easy for low-level criminals to post on the internet – including 442 phishing campaigns that used NHS branding and 80 illegitimate NHS apps.

Ransomware – an old type of crime combined with new tricks and with no geographical constraints – is, however, still topping the charts. The panel appreciated the leverage the NCSC’s report can give to information security and threat intelligence experts when pitching investments to senior stakeholders. In that context, a business’s intelligence analysts can be seen as “journalists” who help communicate probabilities and fill a “story” meant for stakeholders with facts.

The purposes and methods of threat intelligence gathering and usage

The reasons for threat intelligence gathering can vary. One major use case is communicating cyber risk to senior stakeholders. But threat intelligence is also key to preparing to tackle cyber risk strategically. Threat modelling, meanwhile, is an expensive exercise that involves simulating threats in your own business environment with the help of purple teaming. In theory, this is what every service team should do before changing an existing service or standing up a new one. In practice, it is more about identifying and tackling the most critical security risks (OWASP).

A good vendor doesn’t just equip a client with a dashboard; it offers the client’s analysts an opportunity to discuss security issues with its own professionals, and it seeks to provide a customised service tailored to the business’s needs and the sector it operates in. Ideally, threat intelligence vendors can track down foreign threat actors and do their best to identify attackers’ intentions and motivation, to see whether they are genuinely malicious or closer to the benign end of the spectrum. They will also tell their clients which of their vulnerabilities are likely to be weaponised in the medium term. Threat intelligence providers sometimes find it hard to get their message across to customers, as their service is often bundled with SIM (Security Information Management), cloud and information security solutions.

The panel’s advice

When assessing the quality of a threat report, check the reliability of its sources, the credibility of the information it provides, and how that information is presented.

The threat intelligence tasks that organisations can perform internally include identifying the cyber defence requirements of the business and the questions that need to be asked of its threat intelligence provider. You need to establish what your assets are and how resilient they are. Once you receive the threat intelligence product and reach the dissemination stage, establish whether it can be used straight away or needs to be translated for senior stakeholders or processed for a testing programme.

Make sure your business acts on the threat intelligence provided by vendors, and avoid treating threat intelligence gathering as a tick-the-box exercise. Remember the bon mot that Simon cited: “threat intelligence can be a threat to intelligence”. Information only becomes intelligence if it is actionable and contextually relevant.

Copyright Lyonsdown Limited 2021
