Friday, March 6, 2020

3 Types of Threat Intelligence



Threat Intelligence can empower us with knowledge about existing or potential threats. The information can be straightforward, such as a malicious domain name, or complex, such as an in-depth profile of a known adversary. Keep in mind that there is a maturity curve when it comes to intelligence represented by the three levels listed below. With each level, the context and analysis of CTI becomes deeper and more sophisticated, caters to different audiences, and can get more costly.


  • Tactical intelligence
  • Operational intelligence
  • Strategic intelligence

Tactical Threat Intelligence

Tactical intelligence is focused on the immediate future, is technical in nature, and identifies simple indicators of compromise (IOCs). IOCs are things such as bad IP addresses, URLs, file hashes and known malicious domain names. It can be machine-readable, which means that security products can ingest it through feeds or API integration.
Tactical intelligence is the easiest type of intelligence to generate and is almost always automated. As a result, it can be found via open source and free feeds, but it usually has a very short lifespan because IOCs such as malicious IPs or domain names can become obsolete in days or even hours.
It’s important to note that simply subscribing to intelligence feeds produces plenty of data but offers little means to digest it and analyze the threats relevant to you. False positives are also common when a feed is stale or of low fidelity, so indicators should be aged out and scored before they are allowed to drive blocking.
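The following is an added example, not code from the original post, of how tactical intelligence is consumed in practice: a machine-readable indicator feed is loaded, indicators that are too old or too low in confidence are dropped, and the survivors are matched against proxy log lines. The feed, the log lines, the key=value log format and the IP addresses (from documentation ranges) are all constructed for this example.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed indicator feed (CSV, as many free feeds are). The values are
# placeholders from documentation address ranges, not real indicators.
IOC_FEED_CSV = """type,value,first_seen,confidence
ip,203.0.113.45,2020-03-05T09:00:00Z,90
domain,update-check.example,2020-02-01T00:00:00Z,80
sha256,deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef,2020-03-06T08:00:00Z,60
"""

# Constructed proxy log lines in a key=value format assumed for the example.
LOG_LINES = [
    "2020-03-06T10:01:02Z client=10.0.0.7 dst=203.0.113.45 host=update-check.example uri=/x",
    "2020-03-06T10:02:10Z client=10.0.0.8 dst=198.51.100.9 host=www.example.org uri=/",
    "2020-03-06T10:03:33Z client=10.0.0.9 sha256=deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
]

# "Current" time, fixed so the example is reproducible.
NOW = datetime(2020, 3, 6, 12, 0, 0, tzinfo=timezone.utc)


def load_feed(text, now=NOW, max_age_days=7, min_confidence=70):
    """Return {value: row} for indicators that are fresh and trusted enough.

    Tactical indicators go stale quickly, so anything older than max_age_days
    is ignored; low-confidence entries are dropped to keep false positives down.
    """
    active = {}
    for row in csv.DictReader(io.StringIO(text)):
        first_seen = datetime.strptime(row["first_seen"], "%Y-%m-%dT%H:%M:%SZ")
        first_seen = first_seen.replace(tzinfo=timezone.utc)
        if now - first_seen > timedelta(days=max_age_days):
            continue
        if int(row["confidence"]) < min_confidence:
            continue
        active[row["value"]] = row
    return active


# Fields in the assumed log format that can carry an indicator value.
TOKEN_RE = re.compile(r"\b(?:dst|host|sha256)=(\S+)")


def match_logs(lines, indicators):
    """Return (value, indicator type, log line) for every indicator hit."""
    hits = []
    for line in lines:
        for value in TOKEN_RE.findall(line):
            if value in indicators:
                hits.append((value, indicators[value]["type"], line))
    return hits


if __name__ == "__main__":
    for value, kind, line in match_logs(LOG_LINES, load_feed(IOC_FEED_CSV)):
        print(f"{kind} indicator {value} seen in: {line}")
```

With the default thresholds only the IP address fires: the domain is a month old and the hash sits below the confidence cut-off. Relaxing both produces three hits from the same logs, which is exactly the data-without-context problem described above; the thresholds are where an analyst's judgement enters the pipeline.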

Operational Threat Intelligence

In the same way that poker players study each other’s quirks so they can predict their opponents’ next move, cybersecurity professionals study their adversaries.
Behind every attack is a “who,” “why,” and “how.” The “who” is called attribution. The “why” is called motivation or intent. The “how” is made up of the TTPs the adversary employs. Together, these factors provide context, and context provides insight into how adversaries plan, conduct, and sustain campaigns and major operations. This insight is operational intelligence.

type of malware or infrastructure.

Operational intelligence is most useful for those cybersecurity professionals who work in a SOC (security operations center) and are responsible for performing day-to-day operations. Cybersecurity disciplines such as vulnerability management, incident response and threat monitoring are the biggest consumers of operational intelligence as it helps make them more proficient and more effective at their assigned functions.

Strategic Threat Intelligence

Adversaries don’t operate in a vacuum; in fact, there are almost always higher-level factors that surround the execution of cyber attacks. For example, nation-state attacks are typically linked to geopolitical conditions, and those conditions shape the risk an organization faces. Furthermore, with the adoption of financially motivated Big Game Hunting, cyber-crime groups are constantly evolving their techniques and should not be ignored.

Strategic intelligence helps decision-makers understand the risks posed to their organizations by cyber threats. With this understanding, they can make cybersecurity investments that effectively protect their organizations and are aligned with its strategic priorities.

Strategic intelligence tends to be the hardest form of intelligence to generate. It requires human collection and analysis that demands an intimate understanding of both cybersecurity and the nuances of the world’s geopolitical situation. Strategic intelligence usually comes in the form of reports.

Thursday, March 5, 2020

Other Types of Cyber Security Threats


Distributed Denial-of-Service (DDoS) Attack

A denial-of-service (DoS) attack aims at shutting down a network or service, making it inaccessible to its intended users. The attack accomplishes this by overwhelming the target with traffic or by sending input that triggers a crash. A distributed denial-of-service (DDoS) attack does the same from many sources at once, typically a botnet, which makes the traffic much harder to filter. In both situations, legitimate users such as employees, account holders, and members are denied the resource or service they expected.

DDoS attacks are often targeted at web servers of high-profile organizations such as trade organizations and government, media companies, commerce, and banking. Although these attacks don’t result in the loss or theft of vital information or other assets, they can cost a victim lots of money and time to mitigate. DDoS is often used in combination to distract from other network attacks.

Password Attack

A password attack is an attempt to obtain or recover a user’s password with malicious intent.
Attackers use password sniffers, dictionary attacks, and cracking programs. The usual defences are a password policy with a minimum length and a blocklist of common or previously breached passwords, rate limiting and account lockout on login attempts, multi-factor authentication, and storing passwords only as salted hashes computed with a slow, purpose-built function (bcrypt, scrypt, Argon2 or PBKDF2). Forcing frequent password changes, once a standard recommendation, is no longer advised by NIST SP 800-63B because it pushes users toward predictable variations of the old password.

Password attacks are often carried out offline against password hashes stored on, or exported from, a system. The attacker’s program repeatedly guesses candidate passwords, hashes each one, and compares it to the stored hash, working through many combinations until it finds one that matches.

Eavesdropping Attack

Eavesdropping attacks start with the interception of network traffic.
An eavesdropping attack, also known as snooping or sniffing, is a network security attack in which an individual captures the information that smartphones, computers and other digital devices send or receive. It capitalizes on unencrypted network transmissions to read the data in transit. Eavesdropping is difficult to detect because it is passive: the attacker only reads traffic and does not generate abnormal transmissions.

These attacks target unprotected transmissions between client and server, which let the attacker receive a copy of the traffic. An attacker can install a network monitor such as a sniffer on a server or workstation, or tap a shared medium such as open Wi-Fi, to intercept data as it is transmitted. Any device on the path between sender and receiver is a potential interception point, including the endpoints themselves. One way to protect against these attacks is knowing what devices are connected to a particular network and what software runs on them; the stronger defence is to encrypt traffic end to end (TLS, SSH, a VPN) so that captured packets are useless to the eavesdropper.

Birthday attack

The birthday attack is a statistical phenomenon that simplifies the brute-forcing of one-way hashes: it speeds up the search for a collision, two different inputs with the same hash. It is based on the birthday paradox. For a 50 percent chance that someone in a room shares your specific birthday, you need about 253 other people. But for a 50 percent chance that any two people in the room share a birthday, you need only 23. The difference is that matches depend on pairs: 23 people form 253 distinct pairs, each with a 1/365 chance of matching, whereas a match against your own birthday gets only one candidate pair per person. Applied to a hash function with an n-bit output, finding an input that matches one specific hash takes about 2^n attempts, but finding any two inputs that collide with each other takes only about 2^(n/2). This is why hash output length is chosen with collision resistance in mind.
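As an added illustration that is not part of the original text, the script below computes both birthday probabilities and then runs the attack itself against SHA-256 truncated to 32 bits, finding a collision after a number of hashes close to 2^16 rather than the 2^32 a fixed-target search would need. The seed string is arbitrary and the truncation length is chosen only to keep the search fast.

```python
import hashlib
import math

DAYS = 365


def p_any_pair_shares(n, space=DAYS):
    """Probability that at least two of n people share a birthday (any pair)."""
    p_no_match = 1.0
    for i in range(n):
        p_no_match *= (space - i) / space
    return 1.0 - p_no_match


def p_someone_shares_yours(n, space=DAYS):
    """Probability that at least one of n other people shares *your* birthday."""
    return 1.0 - ((space - 1) / space) ** n


def attempts_for_half(space):
    """Approximate sample count for a 50% chance of some collision in a space of
    `space` values: sqrt(2 * space * ln 2), about 1.18 * sqrt(space)."""
    return math.sqrt(2 * space * math.log(2))


def prefix_of(msg, bits):
    """First `bits` bits of SHA-256(msg) as an integer (the truncated hash)."""
    nbytes = (bits + 7) // 8
    digest = hashlib.sha256(msg).digest()[:nbytes]
    return int.from_bytes(digest, "big") >> (nbytes * 8 - bits)


def same_prefix(m1, m2, bits):
    return prefix_of(m1, bits) == prefix_of(m2, bits)


def find_truncated_collision(bits, seed=b"constructed-seed"):
    """Find two distinct inputs whose SHA-256 agrees on the first `bits` bits.

    Every prefix seen so far is remembered, so each new hash is compared against
    all earlier ones at once. Expected work is about 2**(bits/2) hashes, not the
    2**bits a second preimage of one fixed target would cost.
    Returns (msg1, msg2, hashes_computed).
    """
    seen = {}
    i = 0
    while True:
        msg = seed + i.to_bytes(8, "big")   # distinct, arbitrary inputs
        prefix = prefix_of(msg, bits)
        if prefix in seen:
            return seen[prefix], msg, i + 1
        seen[prefix] = msg
        i += 1


if __name__ == "__main__":
    print(f"any pair, 23 people: {p_any_pair_shares(23):.3f}")
    print(f"your birthday, 253 others: {p_someone_shares_yours(253):.3f}")
    m1, m2, n = find_truncated_collision(32)
    print(f"32-bit collision after {n} hashes (2**16 = {2**16}, 2**32 = {2**32})")
```

The same `attempts_for_half` estimate applied to a 32-bit space gives roughly 77,000 hashes, and to a full 256-bit space roughly 2^128, which is why truncating a hash to make it shorter is far more dangerous than the loss of bits alone suggests.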

Brute-Force and Dictionary Network Attacks

Dictionary and brute-force attacks are networking attacks whereby the attacker attempts to log into a user’s account by systematically checking and trying all possible passwords until finding the correct one.

The simplest way in is through the front door, since a system must have some way of logging in. With valid credentials an attacker can gain entry as a regular user without creating suspicious logs, needing an unpatched entry point, or tripping IDS signatures. Attackers without credentials don’t have these luxuries.
The term brute-force means overpowering the system through repetition. A pure brute-force attack tries every combination of characters in turn, starting with short strings such as “a” and working upward. A dictionary attack instead starts from a wordlist and applies thousands of variations to each entry (capitalisation, appended digits, character substitutions), so that “snoop” also yields candidates like “Snoop1” or “snoopy”. It is a slower and less glamorous process than an exploit, but it is reliable against weak passwords.

Online brute-force and dictionary attacks against a login prompt typically manage 100 to 1,000 attempts per minute; offline attacks against captured password hashes run many orders of magnitude faster. Given enough hours or days, such attacks will eventually recover any short or predictable password, although a long random password remains out of reach. Brute-force attacks reiterate the importance of password best practices, lockout and rate limiting, and multi-factor authentication, especially on critical resources such as network switches, routers and servers.
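The following added example, which is not from the original post, ties together the password attack section above and this one: a dictionary attack with word mangling and a character-by-character brute force, both run offline against SHA-256 hashes, plus a keyspace calculation and a PBKDF2 variant that shows how a slow hash multiplies the attacker’s cost per guess. The wordlist, the salt and the target passwords are constructed for the example.

```python
import hashlib
import itertools
import string

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "snoop", "snoopy", "letmein", "welcome"]


def mangle(word):
    """Yield common variations of a dictionary word: case, suffixes, substitutions."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2020"):
            yield base + suffix
    yield word.replace("o", "0").replace("e", "3")  # l33t-style swaps


def sha256_hex(pw):
    """Fast unsalted hash: the worst case for the defender."""
    return hashlib.sha256(pw.encode()).hexdigest()


def slow_hash_hex(pw, salt=b"constructed-salt", iterations=100_000):
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMACs instead of one."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def dictionary_attack(target_hash, hash_fn=sha256_hex):
    """Try each wordlist entry and its variations. Returns (password or None, attempts)."""
    attempts = 0
    for word in WORDLIST:
        for candidate in mangle(word):
            attempts += 1
            if hash_fn(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def brute_force(target_hash, alphabet=string.ascii_lowercase, max_len=4, hash_fn=sha256_hex):
    """Try every string over `alphabet` up to max_len characters, shortest first."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if hash_fn(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


if __name__ == "__main__":
    print(dictionary_attack(sha256_hex("Snoopy123")))
    print(brute_force(sha256_hex("abc")))
    print("8 lowercase letters:", keyspace(26, 8), "candidates")
    print("8 printable ASCII:", keyspace(95, 8), "candidates")
```

Against the plain SHA-256 hash the mangled dictionary recovers “Snoopy123” in 40 guesses and the brute force recovers “abc” in 731; the same logic works unchanged against the PBKDF2 hash, but each guess now costs 100,000 HMAC computations, so the attacker’s time per candidate, not the attack itself, is what the slow hash changes.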

Insider Threats

Not every network attack is performed by someone outside an organization.
Inside attacks are malicious attacks performed on a computer system or network by an individual authorized to access the system. Insiders that carry out these attacks have the edge over external attackers since they have authorized system access. They may also understand the system policies and network architecture. Furthermore, there is less security against insider attacks since most organizations focus on defending against external attacks.

Insider threats can affect all elements of computer security and range from planting Trojans to stealing sensitive data from a network or system. The attackers may also affect system availability by overloading the network, processing capacity, or storage, resulting in crashes.

Man-in-the-Middle (MITM) Attacks

Man-in-the-middle (MITM) attacks are a type of breach in which an attacker inserts himself between two legitimate communicating parties and relays their traffic, enabling him to intercept communication he should otherwise not be able to access. Hence the name. In the classic version the attacker intercepts each party’s key-exchange message and forwards his own public key in its place, so that each party unknowingly establishes an encrypted session with the attacker rather than with the other party.

The two parties appear to communicate as usual, unaware that every message passes through an intruder who can read and modify it before forwarding it to the receiver. Thus the intruder controls the whole communication. The defence is to authenticate the key exchange, for example with certificates or a pre-shared key, so that a substituted key is detected rather than accepted.
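The key-substitution attack described above, as an added example that is not part of the original post: a toy Diffie-Hellman exchange in which Mallory replaces each public value with her own and ends up holding one key with Alice and a different one with Bob, followed by the same exchange with every public value authenticated by an HMAC under a key Mallory does not have, which makes the substitution detectable. The prime, generator and pre-shared key are illustrative choices, not a real protocol.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters: a Mersenne prime and a small generator, chosen
# only so the arithmetic is easy to follow. Real deployments use standardized
# groups or elliptic curves.
P = (1 << 127) - 1
G = 5


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Session key derived from the DH secret, as a hex string."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()


def honest_exchange():
    """Alice and Bob exchange public values directly: both derive the same key."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    return dh_shared(a_priv, b_pub), dh_shared(b_priv, a_pub)


def mitm_exchange():
    """Mallory sits on the wire and swaps each public value for her own.

    Returns (alice_key, bob_key, mallory_key_with_alice, mallory_key_with_bob):
    Alice and Bob hold different keys, and Mallory holds both.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    # Alice -> Bob: Mallory forwards m_pub instead of a_pub
    bob_key = dh_shared(b_priv, m_pub)
    # Bob -> Alice: Mallory forwards m_pub instead of b_pub
    alice_key = dh_shared(a_priv, m_pub)
    # Mallory completes both halves herself
    mallory_with_alice = dh_shared(m_priv, a_pub)
    mallory_with_bob = dh_shared(m_priv, b_pub)
    return alice_key, bob_key, mallory_with_alice, mallory_with_bob


def tag(auth_key, pub):
    """Authenticate a public value with a key the attacker does not have
    (a pre-shared key here; a certificate signature plays the same role in TLS)."""
    return hmac.new(auth_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()


def authenticated_exchange(auth_key, attacker=False):
    """Each party tags its public value; the receiver verifies before using it.

    Returns (alice_accepts, bob_accepts). With Mallory substituting values the
    tags no longer verify, so both sides abort instead of keying to her.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_msg = (a_pub, tag(auth_key, a_pub))
    b_msg = (b_pub, tag(auth_key, b_pub))
    if attacker:
        _, m_pub = dh_keypair()
        # Mallory can swap the value but cannot forge a tag under auth_key
        a_msg = (m_pub, a_msg[1])
        b_msg = (m_pub, b_msg[1])
    bob_accepts = hmac.compare_digest(tag(auth_key, a_msg[0]), a_msg[1])
    alice_accepts = hmac.compare_digest(tag(auth_key, b_msg[0]), b_msg[1])
    return alice_accepts, bob_accepts


if __name__ == "__main__":
    print("honest keys equal:", len(set(honest_exchange())) == 1)
    a, b, ma, mb = mitm_exchange()
    print("Alice unknowingly keyed to Mallory:", a == ma, "Bob too:", b == mb)
    print("authenticated, no attacker:", authenticated_exchange(b"psk"))
    print("authenticated, with attacker:", authenticated_exchange(b"psk", attacker=True))
```

The unauthenticated exchange fails silently: both parties get a key that works, it just works with Mallory. The authenticated version fails loudly, which is the behaviour you want; in real systems the tag is a signature over the handshake transcript verified against a certificate, and the attack resurfaces whenever a client is configured to skip that verification.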

Wednesday, March 4, 2020

What Is Threat Intelligence?


Digital technologies lie at the heart of nearly every industry today. The automation and greater connectedness they afford have revolutionized the world’s economic and cultural institutions — but they’ve also brought risk in the form of cyberattacks. Threat intelligence is knowledge that allows you to prevent or mitigate those attacks. Rooted in data, threat intelligence provides context — like who is attacking you, what their motivation and capabilities are, and what indicators of compromise in your systems to look for — that helps you make informed decisions about your security.
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.” — Gartner

Why Is Threat Intelligence Important?

Today, the cyber security industry faces numerous challenges — increasingly persistent and devious threat actors, a daily flood of data full of extraneous information and false alarms across multiple, unconnected security systems, and a serious shortage of skilled professionals.
Some organizations try to incorporate threat data feeds into their network, but don’t know what to do with all that extra data, adding to the burden of analysts who may not have the tools to decide what to prioritize and what to ignore.
A cyber threat intelligence solution can address each of these issues. The best solutions use machine learning to automate data collection and processing, integrate with your existing solutions, take in unstructured data from disparate sources, and then connect the dots by providing context on indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) of threat actors.
Threat intelligence is actionable — it’s timely, provides context, and is able to be understood by the people in charge of making decisions.

Tuesday, March 3, 2020

Continuous Monitoring: a Core Principle of a Robust Cybersecurity Program


Small and mid-sized businesses (SMBs) increasingly adopt new technologies to help streamline business operations and increase revenue. As they increase their reliance on interconnected cloud-based products like Software-as-a-Service (SaaS) or Infrastructure-as-a-Service (IaaS), they add new cybersecurity risks that can impact their bottom line. This is why continuous monitoring is a core principle of a robust cybersecurity compliance program: while such a program begins with a risk analysis, it ends with continuous monitoring of the data ecosystem.
What does continuous monitoring mean?
Conceptually, continuous monitoring is simple. A company reviews its environment to ensure its controls remain effective. In reality, continuous monitoring places a burden on SMBs who find themselves struggling to find and retain security professionals.
Why does continuous monitoring matter?
Companies need to monitor their data environments continuously for two reasons: cybercriminals and compliance.

Monday, March 2, 2020

Which are the biggest threats for 2020?


What data breaches or attacks or malware or other vulnerabilities will be the most damaging? Looking ahead of the evolving threats that your organization should watch out for in 2020 will help shape your constructive cyber security approach. We have listed some of the most disruptive cyber security risks of the year 2020 in the section below.

Internet of Things (IoT) Attacks

IoT has brought the entire world closer than ever before. It has transformed the way business operates and opened up new possibilities in entertainment and education. It has made communication easier, and also more vulnerable. IoT deployments are so complex and heterogeneous that managing the devices is hard, and applying security patches to them is harder still.

IoT networks are made up of many unsecured devices, and attackers can reach corporate networks quickly through them and deliver malware. Various reports on IoT attacks put the number of attacks in 2019 at around 100 million, and more are expected next year. Attackers exploit IoT vulnerabilities and target the devices directly.

Millions of devices with known vulnerabilities exist, and if proper care is not taken a large-scale attack can damage the whole system.

Insider Threats

Many cyber security incidents are caused by insider threats, one of which is employee error. Cyber security tools, technologies, and services like PRetect can help prevent or minimize threats from insider attacks.
There have been many instances in which employees of top international companies were found selling customer data to third parties for illegal use. More threats resulting from human error are expected in 2020. Insider threats have reached a critical level, and organizations now publish guidelines for protecting their data against them.

Supply Chain Concerns

Attackers pursue their goals by the most convenient route, which often leads them to third-party vendors; attacks through the supply chain are increasingly common. Several well-known incidents have been attributed to third parties, most prominently the Stuxnet intrusion discovered in 2010 and the 2013 Target data breach.

Third parties can include accidental insiders, an external developer, a malicious employee, a service contractor, a supplier or anyone else with access to a critical system. Many of them have weak cyber security programs and processes, which makes them a soft target for cyber criminals and an avenue to even bigger prizes.

Friday, February 28, 2020

5 Reasons Why You Need 24×7 Cyber Security Monitoring


Hundreds and even thousands of security events can flood your network every hour of every day. Your team may have a significant challenge of sifting through these events to identify the threats that could pose a risk of compromise.
Continuous or 24×7 cybersecurity monitoring through an experienced security services provider can drastically improve your threat alerts and help you spend more time on your security strategies. Here are five solid reasons you should consider 24×7 cybersecurity monitoring in the year ahead.  

The Cybersecurity Landscape Has Changed Drastically

Organizations face a troubling threat landscape like never before. Global cybercrime is predicted to reach more than $2.1 trillion in 2019. You hear about new massive data breaches almost monthly. The top enterprise organizations are having a tough time keeping up with the influx of threats hitting their security teams every day.  

Small and mid-size businesses are not exempt either. In fact, SMBs are the next target for cybercriminals as enterprise organizations direct more investment into cybersecurity defenses. Both enterprise and SMBs are facing an onslaught of challenges not to mention a lack of internal resources and a market for skilled cybersecurity professionals to manage everything.

Having a security partner that can monitor your environment on a 24x7x365 basis is where the market is headed. Gartner predicts that security outsourcing will be a major cybersecurity investment category in the years ahead.

Stringent Compliance & Regulatory Requirements

This year, security leaders are focused on addressing new compliance and regulatory requirements that could cost them millions in fines and penalties for non-compliance. The General Data Protection Regulation (GDPR) is among the first and most pressing new global regulation efforts to affect multinational organizations and businesses processing EU subject data. In addition, the United States is working on a new bill, the Data Security and Breach Notification Act, which would be the first federal regulation to penalize companies that suffer a breach.

Nearly every country is now taking consumer data privacy and protection more seriously by introducing new legislation to hold organizations accountable. It becomes critically important that your company takes measures to reduce data compromise and put in the security controls to safeguard consumer data. That’s why continuous network and security monitoring from an experienced provider is the preferred choice for many organizations.

Minimize Data Breaches

A team of experts that review security events and logs on a 24×7 basis can help you improve your Mean-Time-to-Detect (MTTD). The average MTTD, according to the 2017 Ponemon Cost of Data Breach Study, for a survey of 491 companies was 191 days with a range of 24 to 546 days. Imagine a hacker within your environment in that time frame. How much damage do you think one hacker or many could do during that time? Once a threat actor enters your environment, they can wreak havoc on systems and endpoints and eventually steal your data or hold your data at ransom.

In the same Ponemon report, hackers and criminal insiders were the cause of most data breaches. Companies in the U.S. and Canada also spend the most per record on resolving a data breach, at $224 and $201 respectively. In the recent Equifax data breach, with over 140 million records exposed, the company most likely faced a cost of more than $32 billion to resolve the issue. Beyond the financial loss, the company also suffered damage to its brand and shareholder reputation.

Improve Your Mean-Time-To-Respond

The core metrics many security teams use to measure their effectiveness are Mean-Time-to-Detect (MTTD) and Mean-Time-to-Respond (MTTR). Once your security team identifies or detects a threat and creates an alert, it then becomes a matter of how much time is spent on containing and remediating the threat. The Ponemon Cost of Data Breach report found that the average MTTR for organizations was 66 days, with a range of 10 to 164 days.

Some organizations have millions of dollars invested in firewalls, antivirus, endpoint security, and more but these technologies can generate thousands of alerts per day. This can cause your IT or security team to suffer alert fatigue. With 24×7 cybersecurity monitoring, your organization can greatly improve your MTTD and MTTR with the right alerts. A team of security analysts at a managed security services provider can leverage Artificial Intelligence (AI), automation, and orchestration to improve alerts and identify the events that matter.

Knowing Who Your Adversaries Are With Threat Intelligence

Data breaches that go on for months are a result of poor detection and response capabilities. Cyber-attacks and breaches can happen to anyone which brings the need for around-the-clock awareness of your security environment. If you know exactly what’s happening and can sift through the noise of all your devices, you can start to make sense of what’s really happening.

Continuous monitoring paired with threat intelligence feeds can take your security detection and response capabilities to the next level. Threat intelligence in conjunction with 24×7 monitoring enables you to know exactly who your threat actors are, how they operate, and how likely they are to hack your organization.

Identifying threats as soon as possible is key in today’s threat landscape. As we saw above, threats often go undetected and can result in serious fines or a damaged brand and shareholder reputation. A 24×7 cybersecurity monitoring service helps you overcome significant challenges in your network security. A highly certified security provider can become an extension of your team and help you offload the tedious task of filtering through hundreds and even thousands of alerts.

Thursday, February 27, 2020

Cybersecurity: Do These Ten Things to Keep Your Networks Secure from Hackers


The ten good practices for making the health sector more resilient to cyberattacks.

1.       Involve the IT department in procurement
It sounds simple, but involving the IT department in procurement from the very start ensures that cybersecurity is considered at every step of the technology procurement journey, as recommendations can be made as to how new technology fits in with the existing network and what additional security measures might be needed.
2.       Implement a vulnerability identification and management process
It's an imperfect world and there are products out there which contain vulnerabilities, known or as of yet undiscovered. Having a strategy in place to manage vulnerabilities throughout the entire lifecycle of a device can help the security team keep control of potential security worries.
3.       Develop a policy for hardware and software updates
Security researchers often uncover new vulnerabilities in devices and operating systems. However, medical networks have historically been poor at ensuring patches are applied – and this was one of the reasons WannaCry ransomware impacted the NHS so badly. The paper recommends that IT departments determine the most suitable timing to apply patches in every segment of the network, as well as workarounds for machines that can't be patched, such as isolating them on their own network segment.

4.       Enhance security controls for wireless communication
Access to hospital networks should be limited with tight controls, meaning that the number of devices connected should be monitored and known, so as to identify any unexpected or unwanted devices attempting to gain access. The paper recommends that non-authorised personnel shouldn't have access to the Wi-Fi and that network passwords should be strong.

5.       Establish testing policies
Hospitals acquiring new computing products should establish a minimum set of security tests to be performed on new devices added to the networks – including penetration testing once it's added to the network, to take into account how hackers could attempt to abuse it.

6.       Establish business continuity plans
Business continuity plans should be established whenever the failure of a system may disrupt the hospital's core services – which in this instance is patient care – and the role of the supplier in such cases must be well-defined.
7.       Take into account interoperability issues
The ability of machines to transfer information and data is key to hospitals being able to operate properly – but this could be compromised in the event of a cyberattack or downtime. The hospital should have backup plans should this operation be compromised.
8.       Enable testing of all components
Systems should be regularly tested to ensure they're offering good security, combining ease of use while also being secure – for example, the IT department should ensure that users haven't changed complex passwords to more simple ones. All of this should be examined during testing.
9.       Allow auditing and logging
Keeping logs about testing and activity on the network ensures that, in the event of a compromise, it's easier to trace what happened and how attackers got access to the system, as well as evaluating what information has been compromised. "Keeping the logs secure is one of the most important tasks of security," says the paper.
10.   Encrypt sensitive personal data at rest and in transit
To ensure compliance with the General Data Protection Regulation, and to ensure the safety of both patients and staff, sensitive information should be encrypted, so that if outsiders do get access to the systems, it's likely to be useless to them.

