Utilising threat intel: More sectors onboard

According to IntSights regional sales director in Asia, Michael Tan, Malaysia, just like the rest of Asia, is seeing a higher number of scam campaigns, no thanks to the COVID-19 situation. Michael and the CSO of IntSights, Etay Maor, shared this and further thoughts during an email interview with Enterprise IT News.

EITN: Is there a spike in collaboration tools breaching because of the pandemic?

Etay: I would start at an earlier stage – the current pandemic forced almost the entirety of the workforce to work from home. This in turn caused a spike in demand for collaboration and communication tools. The problem is that you now have many new users as well as IT/security teams implementing and using new technologies. Not only that, the tools are installed due to the high demand without thorough analysis of risks. This is where the attackers come into the picture! When you have so many people using technologies that may not be secure, may not offer advanced security opt-in features, that may need patching and updates and on top of it all – they are working from home, not from behind the guarding walls of the enterprise IT and security infrastructure – you now have a new attack surface to target.

EITN: What is the importance of threat monitoring tools and threat intelligence to an organisation?

Etay: Threat intelligence can help you identify threats before they even reach your organisation. Just as the military collects intel to better prepare and potentially stop threats before they reach the country – so do businesses. In general, threat intelligence helps your organisation understand who your adversaries are, what they are planning, what tools and techniques you may be facing, the motivations and magnitudes behind threats etc. On the other hand, threat intelligence can also help you understand your organisation’s security posture, what you may be exposing to your adversaries, and where you should improve in terms of people, processes and technology. Ultimately, threat intelligence helps you understand and lower the risk and impact of cyber attacks against your organisation.

EITN: Might there be a danger of too much noise from threat intelligence?

Etay: This is where we need to have a thorough understanding of what threat intelligence is. There are a lot of companies that say they offer threat intelligence but if you really examine it, what they offer is a very narrow and subjective view of the threat landscape.
In classic literature (cyber and military) we identify the three pillars of intelligence. To really have threat intelligence, the data has to be:

  1. Actionable
  2. Reliable
  3. Timely

If it is just two of the three, then you may face problems:

  • If it is not timely – that’s just a historic feed. It does not help stop attacks if they already happened
  • If it is not reliable – that’s just bad data. You are now generating false positives (and missing actual events)
  • If it is not actionable – it’s just a feed. You are getting overloaded with irrelevant data that makes it hard to find what really matters

I would add two more pillars for good cyber threat intelligence:

  1. Holistic – you cannot provide intel just from the deep web, social networks or from scanning open ports. The data has to be holistic in order to truly see the threat landscape as it is. Collecting data from easily monitored sources is simply like an ostrich burying its head to avoid the danger.
  2. Tailored – the data has to be relevant to the organisation and its people, processes and technology. There might be a very serious threat to supervisory control and data acquisition (SCADA) systems. But if you don’t use these systems – it is not relevant to you, so it might be good to know but not something you want your security team prioritising.

If you provide data that is built upon these 3 (or 5) concepts – you are reducing noise and truly providing added value to the security teams and the business as a whole.

EITN: How do organisations know what to focus upon? What kind of reports can threat intelligence generate and whom are the reports’ audience?

Michael: Organisations have to be more proactive in protecting themselves against external cyber threats. They should focus on getting actionable threat intelligence that is relevant to them. Getting threat intelligence reports has been the norm in this market for years – reports that are specific to regions, industry sectors, and tactics, techniques and procedures (TTP) trends. But this is no longer sufficient. Organisations need to formulate and implement an effective threat intelligence program that offers visibility and protection continuously in real time with an effective mitigation process. Some of the questions you should ask include:

  • What should my security operations teams be watching for?
  • Where are my adversaries and how might they attack me?
  • How can I reduce the risk of a cyber attack against my company? How can I respond and lay out my mitigation plan if I am being targeted?

EITN: How have customers’ demand for threat intelligence and cybersecurity changed over the past years? Can other solutions like SOCs and SIEMs complement?

Michael: These have changed greatly over the past years as the methods that threat actors use have evolved. Phishing attacks are becoming more advanced, and social media platforms are being used effectively as threat actors craft sophisticated social engineering attacks to steal credentials, abuse trademarks and launch scam campaigns.

An effective threat intelligence program should be able to seamlessly integrate into the organisation’s security orchestration and response (SOAR) initiative. One of the key points of resistance to implementing this program is the additional resource required to manage it. To address this challenge, organisations should be looking into automating the process when possible, from getting the relevant threat intel to auto-mitigation of the threats.
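The two ideas above – Etay's five criteria for usable intel (actionable, reliable, timely, holistic, tailored) and Michael's point about automating the path from feed to mitigation – can be put together in a small triage pipeline. The code below is an added example written for this page, not IntSights' product or anything the interviewees supplied. It scores a constructed, fictitious indicator feed against each criterion, reports why each record was dropped, and turns the survivors into mitigation actions. The feed records, the organisation's asset inventory (`ORG_TECH`), the thresholds and the action strings are all assumptions chosen for illustration; real deployments would read the feed from a TIP or STIX/TAXII source and hand the actions to a SOAR platform.

```python
"""Triage a threat-intel feed by the five criteria discussed above and turn
the records that pass into mitigation actions.  Example code, not IntSights'."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Fixed "now" so the example is deterministic when run later.
NOW = datetime(2020, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample feed (documentation-range addresses, fictitious domains).
# Each record mimics a minimal STIX-style indicator with source confidence,
# first-seen time and the technologies the indicator is known to target.
SAMPLE_FEED = [
    {"type": "ipv4", "value": "198.51.100.23", "confidence": 90,
     "first_seen": "2020-06-01T09:00:00Z", "source": "honeypot", "targets": ["windows", "vpn"]},
    {"type": "domain", "value": "login-secure-bank.example", "confidence": 85,
     "first_seen": "2020-05-31T20:00:00Z", "source": "phishing-kit-tracker", "targets": ["web", "email"]},
    {"type": "ipv4", "value": "203.0.113.7", "confidence": 40,        # low confidence -> unreliable
     "first_seen": "2020-06-01T11:00:00Z", "source": "paste-site", "targets": ["windows"]},
    {"type": "ipv4", "value": "192.0.2.55", "confidence": 95,         # three months old -> stale
     "first_seen": "2020-03-01T00:00:00Z", "source": "honeypot", "targets": ["windows"]},
    {"type": "report", "value": "Actor X discusses SCADA", "confidence": 90,   # prose, nothing to block
     "first_seen": "2020-06-01T10:00:00Z", "source": "forum", "targets": ["scada"]},
    {"type": "domain", "value": "plc-update.example", "confidence": 90,        # SCADA-only -> not tailored
     "first_seen": "2020-06-01T10:00:00Z", "source": "forum", "targets": ["scada"]},
]

ACTIONABLE_TYPES = {"ipv4", "domain", "sha256"}   # things a control can actually enforce
ORG_TECH = {"windows", "vpn", "web", "email"}     # hypothetical asset inventory of the org
MAX_AGE = timedelta(days=7)                       # older than this is a "historic feed"
MIN_CONFIDENCE = 70                               # below this is "bad data"
MIN_SOURCE_TYPES = 2                              # fewer distinct collection sources -> not holistic


@dataclass
class Triage:
    accepted: list = field(default_factory=list)
    rejected: dict = field(default_factory=dict)   # reason -> list of indicator values
    holistic: bool = False                         # feed-level property, not per record


def _parse_ts(s):
    """Parse the feed's 'YYYY-MM-DDTHH:MM:SSZ' timestamps as UTC (works on Python < 3.11)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _is_well_formed(ind):
    """Reliability also means the indicator is syntactically usable."""
    if ind["type"] == "ipv4":
        try:
            return ip_address(ind["value"]).version == 4
        except ValueError:
            return False
    return bool(ind["value"])


def triage(feed, org_tech=ORG_TECH, now=NOW):
    """Apply the criteria in order; the first failing criterion is the recorded reason."""
    result = Triage()
    for ind in feed:
        if ind["type"] not in ACTIONABLE_TYPES:
            reason = "not_actionable"          # a narrative report is "just a feed"
        elif ind["confidence"] < MIN_CONFIDENCE or not _is_well_formed(ind):
            reason = "unreliable"              # would generate false positives
        elif now - _parse_ts(ind["first_seen"]) > MAX_AGE:
            reason = "stale"                   # historic, cannot stop an attack already past
        elif not (set(ind["targets"]) & org_tech):
            reason = "not_relevant"            # good to know, not something to prioritise
        else:
            result.accepted.append(ind)
            continue
        result.rejected.setdefault(reason, []).append(ind["value"])
    # Holistic: the feed should draw on more than one kind of collection source.
    result.holistic = len({ind["source"] for ind in feed}) >= MIN_SOURCE_TYPES
    return result


def mitigations(accepted):
    """Map vetted indicators to the control that enforces them (illustrative action strings)."""
    actions = []
    for ind in accepted:
        if ind["type"] == "ipv4":
            actions.append(f"firewall: deny from {ind['value']}")
        elif ind["type"] == "domain":
            actions.append(f"dns-sinkhole: {ind['value']}")
        elif ind["type"] == "sha256":
            actions.append(f"edr: block-hash {ind['value']}")
    return actions


if __name__ == "__main__":
    r = triage(SAMPLE_FEED)
    print("holistic feed:", r.holistic)
    for reason, values in r.rejected.items():
        print(f"dropped ({reason}): {values}")
    for action in mitigations(r.accepted):
        print("push to SOAR:", action)
```

The order of the checks matters: a record is rejected for the first criterion it fails, so the `rejected` dictionary tells the analyst which of the five pillars the feed is weakest on, which is the question to put to the vendor. The "holistic" check is deliberately feed-level rather than per record, because it is a property of how the intel was collected, not of any single indicator.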

EITN: Is there a difference in what Asian, specifically Malaysian customers look to address as compared to elsewhere in the world?

Michael: Malaysia, just like the rest of Asia, is seeing higher numbers of scam campaigns targeting major organisations and their customers as compared to the rest of the world, especially during the current COVID-19 situation. Besides government and financial institutions, which are traditionally the sectors that utilise cyber threat intelligence, we also see an increase in interest from eCommerce, online stores and ePayment companies to adopt a more proactive approach to cyber threat intelligence. Key factors for them to consider cyber threat intelligence are ease of adoption, the ability to seamlessly integrate with their current security policies and the minimal resources required to manage it.