A threat intelligence service gathers raw data about existing or emerging threats and threat actors from several sources, and then analyzes and filters that data to produce usable information in the form of management reports and data feeds for automated security control systems. Cyber threat intelligence helps organizations by giving them insight into the mechanisms and implications of threats, allowing them to build defense strategies and frameworks and reduce their attack surface, with the end goals of mitigating harm and protecting their network. Cyber intelligence analysts, also known as cyber threat analysts, are information security professionals who use their skills and background knowledge in areas like network administration or network engineering to help counter the activities of cyber criminals such as hackers.
A threat intelligence feed (TI feed) is an ongoing stream of
data related to potential or current threats to an organization's
security.
Types of Threats
Virus, Malware and Trojans
Malware covers a wide range of unwanted programs that can
cause multiple issues for a business, from destroying data to
sapping resources by turning machines into botnets or
cryptocurrency miners.
There are three key categories: viruses, which seek to
replicate and spread as widely as possible; Trojans, which gain
entry to networks by disguising themselves as legitimate
applications; and spyware, which monitors an employee's
usage to gather sensitive data.
Phishing
Phishing typically involves sending emails that purport to be
from a recognized and trusted source, usually with a fake
link or attachment that invites the recipient to enter personal
details into an online form. These are often designed as ways to
get access to financial data or username and password combinations.
Ransomware
A specific type of malware, ransomware works by encrypting or
exfiltrating key files on a machine or network, then demanding a
payment - usually in Bitcoin or another cryptocurrency - to make
them accessible again. Depending on the particular type of
ransomware used, an attack may encrypt certain file types, making
it impossible to access critical business information, or block
vital system files, preventing a computer from booting up
altogether.
DDoS
Distributed Denial of Service (DDoS) attacks involve an
attacker flooding a system - often a web server - with traffic
requests until it simply cannot cope with the volume of requests it
is being asked to serve, with the result that it slows to a
crawl and is effectively taken offline. Botnets that provide the
resources needed to launch a DDoS attack can be bought on the dark
web for just a few dollars.
Network vulnerabilities
Issues such as zero-day attacks, SQL injection and advanced
persistent threats all seek to take advantage of weaknesses in code
that can allow hackers to gain access to a network in order to
plant malware, exfiltrate data or damage systems. One of the main
ways hackers do this is by taking advantage of outdated and
unpatched software, so ensuring all systems are up to date is vital
in guarding against many of these attacks.
Data Breach
Whether through social engineering or by breaking into a database
using known vulnerabilities, getting data out of an organization is
often the final step of an attack. Defending against this usually
means a series of measures designed to look for suspicious activity
and block the access to and exfiltration of data by unauthorized
users, such as monitoring endpoints and sending alerts if data is
copied or transferred outside of normal, approved processes.
Negligent end users
It's often said that the biggest weakness in any security
system is the part sitting behind the keyboard. Malicious insiders
looking to extract data or damage systems are a threat that any
business may face, and they can be tough to predict, so it pays
to take precautions. Ensuring all employees have the right level of
access is the first step. This then needs to be backed up
with effective monitoring that can quickly identify any unusual or
suspicious activity and shut it down, or challenge users to confirm
they have a genuine reason for their actions.
Threat Intelligence Steps
AGGREGATE
Automatically consolidate all sources of cyber threat
intelligence – external and internal – into one location to achieve
a single source of truth.
CONTEXTUALIZE
Data is useless without context when you are trying to make
rapid and informed decisions. Context provides better understanding
of the threat and what it means to your environment.
PRIORITIZE
Massive amounts of data can create an overwhelming amount of
noise, making it difficult to focus on the intelligence which needs
the most attention. Prioritization based on the parameters you set
is critical to ensure relevance.
UTILIZE
Collecting and analyzing cyber threat intelligence is
important, but doesn’t help the organization until you can utilize
it. Automatically applying curated threat data to your environment
turns intelligence into better protection and mitigation.
LEARN
Continuous threat assessment is crucial to keeping your
defenses current. Cyber threat intelligence must be updated and
enriched regularly in order to tune your threat library, stay
focused on what matters and make better decisions.
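As an added example, not taken from this page or from any vendor's product, the following Python script walks the AGGREGATE, CONTEXTUALIZE, PRIORITIZE and UTILIZE steps above over two constructed feeds and three constructed proxy log lines. The feed names, confidence scores, corroboration bonus and asset weights are assumptions chosen for illustration; the LEARN step corresponds to re-running the pipeline as the feeds are refreshed.

```python
from collections import defaultdict

# Constructed sample feeds (indicator, type, confidence 0-100); real ones come from vendors, CERTs or the SOC.
FEED_A = [("203.0.113.10", "ip", 90), ("malicious.example", "domain", 70)]   # e.g. a commercial feed
FEED_B = [("203.0.113.10", "ip", 60), ("198.51.100.7", "ip", 40)]            # e.g. an internal SOC feed
# Constructed proxy log lines: "<time> <src_host> <destination>"
LOGS = ["10:00:01 ws-01 203.0.113.10", "10:00:02 ws-02 cdn.example",
        "10:00:03 db-01 malicious.example"]
ASSET_WEIGHT = {"db-": 2.0, "ws-": 1.0}  # assumed: hits on database hosts matter more

def aggregate(*feeds):
    """AGGREGATE: merge every (name, feed) pair into one table keyed by indicator."""
    merged = defaultdict(list)
    for name, feed in feeds:
        for ind, kind, conf in feed:
            merged[ind].append({"source": name, "type": kind, "confidence": conf})
    return merged

def contextualize(merged):
    """CONTEXTUALIZE: collapse sightings; each extra corroborating source adds +10."""
    out = {}
    for ind, sightings in merged.items():
        best = max(s["confidence"] for s in sightings)
        sources = sorted({s["source"] for s in sightings})
        out[ind] = {"type": sightings[0]["type"], "sources": sources,
                    "confidence": min(100, best + 10 * (len(sources) - 1))}
    return out

def prioritize(ctx, min_confidence=50):
    """PRIORITIZE: drop low-confidence noise, then rank the rest by confidence."""
    kept = [(ind, c) for ind, c in ctx.items() if c["confidence"] >= min_confidence]
    return sorted(kept, key=lambda x: x[1]["confidence"], reverse=True)

def utilize(prioritized, logs):
    """UTILIZE: match curated indicators against logs; score = confidence x asset weight."""
    table, alerts = dict(prioritized), []
    for line in logs:
        _, host, dst = line.split()
        if dst in table:
            weight = next((w for p, w in ASSET_WEIGHT.items() if host.startswith(p)), 1.0)
            alerts.append((host, dst, round(table[dst]["confidence"] * weight)))
    return sorted(alerts, key=lambda a: a[2], reverse=True)

def run():
    """Run the four steps end to end over the constructed feeds and logs."""
    ctx = contextualize(aggregate(("feed_a", FEED_A), ("feed_b", FEED_B)))
    return utilize(prioritize(ctx), LOGS)
```

The low-confidence indicator from the internal feed never reaches the matching stage, while the indicator seen by both feeds is promoted to full confidence.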
Strategic intelligence helps an organization look outward;
its primary purpose is to give users information that help form
policy. Tactical intelligence, on the other hand, looks primarily
at the current situation and gives users the information they need
to carry out existing policy initiatives.
Tech Mahindra Approach
- The Threat Intelligence team correlates alerts and follows
a set of intelligence-gathering processes, which include
OSINT, third-party services, CERT inputs, customer inputs and the use
of specialized tools, to identify threats.
- Relevant and timely threat and vulnerability advisories
recommending actions to prevent threats in the organisation and alerting
subsidiaries to the latest threats and vulnerabilities
- Threat hunting to block possibly suspicious
files/links/downloads using tools (Recorded Future) and behaviour
analysis.
- Security scorecard management for Tech Mahindra and its
subsidiaries and providing remediation/mitigation plans (Verizon,
Upguard, RiskRecon, Looking Glass)
- SOC log assessment to look for anomalies in systems and the
network
- Customized Alert monitoring using Tactix ML tool (various
SOC reports)
- IPR search and takedown of code and documents
- Performing remote spot compliance checks/investigations on
endpoints based on security alerts to identify the source, and CK
framework mapping with actionable points to harden assets in the
organisation
- O365 application alert monitoring to warn users about
suspicious activity attempts.
- Phishing Drills to test awareness of the end user.
- Evaluation of various security tools.