Kaspersky Threat Intelligence Threat Intelligence Sources


Kaspersky Threat Intelligence. Learn more on kaspersky.com #bringonthefuture

Introduction

With the expanding attack surface and the growing sophistication of threats, just reacting to an incident is not enough. Increasingly complex environments provide multiple opportunities for attackers. Each industry and each organization has its own unique data to protect, and uses its own set of applications, technologies, etc. All this introduces an enormous number of variables into possible methods of executing an attack, with new methods emerging daily.

Over the last couple of years, we have observed the blurring of boundaries between different types of threat and different types of threat actors. Methods and tools that were previously a threat to a limited number of organizations have spread to the broader market. One example of this is the dumping of code by the Shadow Brokers group, which put advanced exploits at the disposal of criminal groups that would not otherwise have had access to that kind of sophisticated code. Another example is the emergence of advanced persistent threat (APT) campaigns focused not on cyberespionage, but on theft — stealing money to finance other activities that the APT group is involved in. And the list goes on.

A new approach is needed

With enterprises increasingly falling victim to advanced and targeted attacks, it's clear that a successful defense requires new methods. To protect themselves, businesses need to take a proactive approach, constantly adapting their security controls to the ever-changing threat environment. The only way to keep up with these changes is to build an effective threat intelligence program.

Threat intelligence has already become a key component of security operations established by companies of varying sizes across all industries and geographies. Provided in human-readable and machine-readable formats, threat intelligence can support security teams with meaningful information throughout the incident management cycle and inform strategic decision-making (Figure 1).

However, the growing demand for external threat intelligence has given rise to an abundance of threat intelligence vendors, each offering a host of different services. An extensive and competitive market with innumerable, complex options can make choosing the right solution for your organization highly confusing and extremely frustrating.

[Figure 1: Threat Intelligence-driven Security Operations. A cycle of Monitoring, Incident Response, Reporting, Operations & maintenance, Management and Lessons learned, with threat intelligence supplying context, statistics and detects, trends and threat landscape, incident statistics and KPIs, and incident reports.]

Threat intelligence that isn't tailored to the specifics of your business can exacerbate the situation. In many companies today, security analysts spend more than half their time sorting out false positives instead of proactive threat hunting and response, leading to a significant increase in detection times. Feeding your security operations with irrelevant or inaccurate intelligence will drive the number of false alerts even higher and have a serious, negative impact on your response capabilities — and the overall security of your company.

Where the best intelligence lives

So how do you evaluate the numerous threat intelligence sources, identify the ones that are most relevant to your organization, and effectively operationalize them? How do you navigate through the enormous amounts of meaningless marketing with almost every vendor claiming that its intelligence is the best?

These questions, although valid, are definitely not the first ones that you should be asking. Attracted by flashy messages and lofty promises, many organizations believe that an external vendor can provide them with some kind of superpower x-ray vision, completely overlooking the fact that the most valuable intelligence resides within the perimeter of their own corporate networks. Data from intrusion detection and prevention systems, firewalls, application logs and logs from other security controls can reveal a lot about what's going on inside a company's network. It can identify patterns of malicious activity specific to the organization. It can differentiate normal user and network behavior and help to maintain a trail of data-access activity.

[Figure 2: Operationalizing External Threat Intelligence. Internal data (Hybrid Cloud, NGFW, IoT, IPS/IDS, SIEM, Apps) and external intelligence (OSINT, commercial providers, industry-led communities, CERTs, private communities) both feed Incident Response.]

Think like an attacker

To build an effective threat intelligence program, companies, including those with established Security Operations Centers, must think like an attacker, identifying and protecting the most likely targets. Deriving real value from a threat intelligence program requires a very clear understanding of what the key assets are, and what data sets and business processes are critical to accomplishing the organization's objectives. Identifying these 'crown jewels' allows companies to establish data collection points around them to further map the collected data with externally available threat information. Considering the limited resources that information security departments usually have, profiling an entire organization is a massive undertaking. The solution is to take a risk-based approach, focusing on the most susceptible targets first. Once internal threat intelligence sources are defined and operationalized, the company can start thinking about adding external information into its existing workflows.

It's a question of trust

External threat intelligence sources vary in trust levels:

- Open sources are available for free, but they often lack context and return a significant number of false positives.
- Commercial threat intelligence sources are much more reliable, although buying access to them can be expensive.
- A good option to start with is accessing industry-led communities, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). These communities provide extremely valuable information, although they are often gated and membership is required to gain access.

The guiding principle for choosing external threat intelligence sources should be quality over quantity. Some organizations may think that the more threat intelligence sources they can integrate, the better visibility they will get. This may be true in some instances — for example, when it comes to highly trusted sources, including commercial ones, providing threat intelligence tailored to the organization's specific threat profile. Otherwise, there is a significant risk of overwhelming your security operations with irrelevant information.

The overlap in information supplied by specialized threat intelligence vendors can be very small. Because their intelligence sources and collection methods vary, the insights they provide will be unique in some aspects. For example, one vendor, due to being a major presence in a specific region, provides more details about threats emanating from that region, while another provides more details on specific types of threat. So gaining access to both sources may be beneficial — when used together, they may help to reveal a bigger picture and guide more effective threat hunting and incident response missions. Bear in mind, though, that these kinds of trusted sources also require careful prior evaluation to ensure that the supplied intelligence is appropriate for your organization's specific needs and use cases, like security operations, incident response, risk management, vulnerability management, red teaming, etc.

Issues to consider when evaluating commercial threat intelligence offerings

There are still no common criteria for evaluating various commercial threat intelligence offerings, but here are some things to bear in mind when doing so:

- It's assumed that your company already has some security controls in place, with the associated processes defined, and that it's important for you to use threat intelligence with the tools you already use and know. So look for delivery methods, integration mechanisms and formats that support smooth integration of threat intelligence into your existing security operations.
- Look for intelligence with global reach. Attacks have no borders — an attack targeting a company in Latin America can be initiated from Europe and vice versa. Does the vendor source information globally and collate seemingly disjointed activities into cohesive campaigns? This kind of intelligence will help you to take appropriate action.
- Context makes intelligence from data. Threat indicators without context are of no value — you should look for providers that help you to answer the important 'why does this matter?' questions. Relationship context (e.g. domains associated with the detected IP addresses, or URLs where the specific file was downloaded from, etc.) provides additional value, boosting incident investigation and supporting better incident 'scoping' through uncovering newly acquired related Indicators of Compromise in the network.
- If you are looking for more strategic content to inform your long-term security planning, like:
  - High-level view of attack trends
  - Techniques and methods used by attackers
  - Motivations
  - Attributions
  - etc.,
  then look for a threat intelligence provider with a proven track record of continuously uncovering and investigating complex threats in your region or industry. The ability of the provider to tailor its research capabilities to the specifics of your company is also critical.
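The vendor-overlap point in the previous section and the 'context makes intelligence from data' criterion above can both be measured before a feed is wired into operations. The following Python is an added example, not code from the Kaspersky paper: it scores two constructed feeds by mutual overlap and by context coverage, matches them against constructed proxy log lines, and pivots on the related-indicator context to surface further hits in the network; the feed record layout, the log format and every value in it are assumptions.

```python
# Added example, not Kaspersky's code: score two constructed indicator feeds by
# overlap and context, then match them against constructed internal proxy logs.
# The feed record layout is hypothetical, not any vendor's schema.
FEED_A = [
    {"ioc": "198.51.100.7", "context": {"campaign": "Campaign-X", "related": ["bad.example"]}},
    {"ioc": "203.0.113.9", "context": {}},  # bare indicator, no context at all
    {"ioc": "bad.example", "context": {"related": ["198.51.100.7", "cdn.example"]}},
]
FEED_B = [
    {"ioc": "203.0.113.9", "context": {"campaign": "Campaign-Y"}},
    {"ioc": "update.example", "context": {"campaign": "Campaign-Y"}},
]
# Constructed internal proxy log lines (key=value fields after the timestamp).
LOGS = [
    "2024-05-01T10:00:01 src=10.0.0.5 dst=198.51.100.7 host=bad.example",
    "2024-05-01T10:00:02 src=10.0.0.8 dst=192.0.2.44 host=intranet.local",
    "2024-05-01T10:00:03 src=10.0.0.5 dst=203.0.113.9 host=update.example",
    "2024-05-01T10:00:04 src=10.0.0.9 dst=192.0.2.45 host=cdn.example",
]

def overlap(feed_a, feed_b):
    """Jaccard overlap of indicator values: 1.0 means the feeds duplicate each other."""
    a = {r["ioc"] for r in feed_a}
    b = {r["ioc"] for r in feed_b}
    return len(a & b) / len(a | b)

def context_ratio(feed):
    """Share of indicators that carry any context (campaign, related IoCs, ...)."""
    return sum(1 for r in feed if r["context"]) / len(feed)

def parse(line):
    """Turn 'ts k=v k=v ...' into a dict of fields; the timestamp is dropped."""
    return dict(kv.split("=", 1) for kv in line.split()[1:])

def match(feed, logs):
    """Map each feed indicator seen in the logs to the internal sources that touched it."""
    index = {r["ioc"]: r for r in feed}
    hits = {}
    for fields in map(parse, logs):
        for value in (fields["dst"], fields["host"]):
            if value in index:
                hits.setdefault(value, set()).add(fields["src"])
    return hits

def scope(feed, logs):
    """Pivot from direct hits to related indicators named in their context, not in the feed."""
    index = {r["ioc"]: r for r in feed}
    seen = {v for f in map(parse, logs) for v in (f["dst"], f["host"])}
    related = {x for ioc in match(feed, logs) for x in index[ioc]["context"].get("related", [])}
    return sorted((related - set(index)) & seen)
```

On this input the feeds overlap by only 0.25, so neither is redundant, and only the feed that carries relationship context lets `scope` turn a hit into a newly discovered related indicator (`cdn.example`) that the feed itself never listed.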

Conclusion

At Kaspersky we've been focusing on threat research for over two decades. With petabytes of rich threat data to mine, advanced machine-learning technologies and a unique pool of global experts, we work to support you with the latest threat intelligence from around the world, helping to keep you immune from even previously unseen cyberattacks.

Learn more: www.kaspersky.com

© 2022 AO Kaspersky Lab. Registered trademarks and service marks are the property of their respective owners.

