Friday, March 6, 2020

3 Types of Threat Intelligence



Threat Intelligence can empower us with knowledge about existing or potential threats. The information can be straightforward, such as a malicious domain name, or complex, such as an in-depth profile of a known adversary. Keep in mind that there is a maturity curve when it comes to intelligence represented by the three levels listed below. With each level, the context and analysis of CTI becomes deeper and more sophisticated, caters to different audiences, and can get more costly.


  • Tactical intelligence
  • Operational intelligence
  • Strategic intelligence

Tactical Threat Intelligence

Tactical intelligence is focused on the immediate future, is technical in nature, and identifies simple indicators of compromise (IOCs). IOCs are things such as bad IP addresses, URLs, file hashes and known malicious domain names. It can be machine-readable, which means that security products can ingest it through feeds or API integration.
Tactical intelligence is the easiest type of intelligence to generate and is almost always automated. As a result, it can be found via open source and free feeds, but it usually has a very short lifespan because IOCs such as malicious IPs or domain names can become obsolete in days or even hours.
It’s important to note that simply subscribing to Intel feeds can result in plenty of data, but offers little means to digest and strategically analyze the threats relevant to you. Also, false positives can occur when the source is not timely or of high fidelity.
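An added example (not from the original post) of what ingesting a machine-readable feed looks like in practice, with the short-lifespan and fidelity caveats above applied as filters before anything is matched. The feed records, confidence scores and log lines are constructed for the demonstration, and the key=value log format is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed feed: (indicator, type, first_seen in UTC, source confidence 0-100).
FEED = [
    ("203.0.113.45", "ip", "2020-03-05T08:00:00Z", 90),
    ("bad-update.example", "domain", "2020-02-01T00:00:00Z", 80),  # stale by March
    ("198.51.100.7", "ip", "2020-03-06T01:00:00Z", 30),  # low-fidelity source
]

# Constructed proxy log lines in a simple key=value format (an assumption).
LOGS = [
    "2020-03-06T09:12:01Z src=10.0.0.5 dst=203.0.113.45 host=cdn.example action=allow",
    "2020-03-06T09:13:44Z src=10.0.0.8 dst=192.0.2.9 host=bad-update.example action=allow",
    "2020-03-06T09:15:10Z src=10.0.0.9 dst=198.51.100.7 host=- action=allow",
]

def parse_utc(stamp):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_feed(records, now_iso, max_age_days=7, min_confidence=50):
    """Return {indicator: type} for records that are both fresh and above the
    confidence floor; tactical IOCs go stale fast, so age is a first-class filter."""
    now = parse_utc(now_iso)
    active = {}
    for value, kind, first_seen, confidence in records:
        age = now - parse_utc(first_seen)
        if age > timedelta(days=max_age_days) or confidence < min_confidence:
            continue
        active[value] = kind
    return active

LOG_RE = re.compile(r"dst=(?P<dst>\S+) host=(?P<host>\S+)")

def match_logs(lines, indicators):
    """Return (line, indicator) pairs for every log line whose dst or host
    field is an active indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        for field in ("dst", "host"):
            if m.group(field) in indicators:
                hits.append((line, m.group(field)))
    return hits
```

With the default seven-day window only the fresh, high-confidence IP survives, so the stale domain and the low-fidelity IP never generate alerts; widening the window brings the domain back.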

Operational Threat Intelligence

In the same way that poker players study each other’s quirks so they can predict their opponents’ next move, cybersecurity professionals study their adversaries.
Behind every attack is a “who,” “why,” and “how.” The “who” is called attribution. The “why” is called motivation or intent. The “how” is made up of the TTPs the adversary employs. Together, these factors provide context, and context provides insight into how adversaries plan, conduct, and sustain campaigns and major operations. This insight is operational intelligence.

type of malware or infrastructure.

Operational intelligence is most useful for those cybersecurity professionals who work in a SOC (security operations center) and are responsible for performing day-to-day operations. Cybersecurity disciplines such as vulnerability management, incident response and threat monitoring are the biggest consumers of operational intelligence as it helps make them more proficient and more effective at their assigned functions.

Strategic Threat Intelligence

Adversaries don’t operate in a vacuum; in fact, there are almost always higher-level factors that surround the execution of cyber attacks. For example, nation-state attacks are typically linked to geopolitical conditions, and geopolitical conditions are linked to risk. Furthermore, with the adoption of financially motivated Big Game Hunting, cyber-crime groups are constantly evolving their techniques and should not be ignored.

Strategic intelligence helps decision-makers understand the risks posed to their organizations by cyber threats. With this understanding, they can make cybersecurity investments that effectively protect their organizations and are aligned with their strategic priorities.

Strategic intelligence tends to be the hardest form of intelligence to generate. Strategic intelligence requires human collection and analysis that demands an intimate understanding of both cybersecurity and the nuances of the world’s geopolitical situation. Strategic intelligence usually comes in the form of reports. For more info: cyber threat intelligence

Thursday, March 5, 2020

Other Types of Cyber Security Threats


Distributed Denial-of-Service (DDoS) Attack

A distributed denial-of-service (DDoS) attack aims at shutting down a network or service, making it inaccessible to its intended users. The attack accomplishes this by overwhelming the target with traffic or flooding it with information that triggers a crash. In both situations, the attack denies legitimate users such as employees, account holders, and members the resource or service they expected.

DDoS attacks are often targeted at the web servers of high-profile organizations such as trade organizations, governments, media companies, commerce, and banking. Although these attacks don’t result in the loss or theft of vital information or other assets, they can cost a victim a lot of money and time to mitigate. DDoS is also often used in combination with other network attacks, as a distraction from them.

Password Attack

A password attack simply means an attempt to decrypt or obtain a user’s password with illegal intentions.
Crackers can use password sniffers, dictionary attacks, and cracking programs in password attacks. There are few defense mechanisms against password attacks, but usually the remedy is instituting a password policy that includes a minimum length, frequent changes, and unrecognizable words.

Password attacks are often carried out by recovering passwords stored or exported through a computer system. The password recovery is usually done by continuously guessing the password through a computer algorithm. The computer tries several combinations until it successfully discovers the password.

Eavesdropping Attack

Eavesdropping attacks start with the interception of network traffic.
An eavesdropping breach, also known as snooping or sniffing, is a network security attack in which an individual tries to steal the information that smartphones, computers and other digital devices send or receive. This attack capitalizes on unsecured network transmissions to access the data being transmitted. Eavesdropping is difficult to detect since it doesn’t cause abnormal data transmissions.

These attacks target weakened transmissions between the client and server that enable the attacker to receive network traffic. An attacker can install network monitors such as sniffers on a server or computer to perform an eavesdropping attack and intercept data as it is being transmitted. Any device within the transmitting and receiving network is a potential point of compromise, including the originating and terminal devices themselves. One way to protect against these attacks is knowing what devices are connected to a particular network and what software runs on those devices.

Birthday attack

The birthday attack is a statistical phenomenon that simplifies the brute-forcing of one-way hashes. It is based on the birthday paradox: for a 50 percent chance that someone in a room shares your birthday, you need 253 other people in the room, but for a better-than-50-percent chance that any two people in the room share a birthday, you only need 23. The difference is that matches depend on pairs. If you must be one of the pair, each other person contributes a single pair, so you need 253 people to get the required 253 pairs. If any pair counts, 23 people cross-matched with each other already form 253 pairs. Thus 253 pairs is the number you need for roughly a 50 percent probability of a birthday match.
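As an added example (not part of the original post), the numbers above carried through in Python, and the same "any pair" effect applied to truncated SHA-256 digests: a short hash collides after roughly the square root of the space size, which is why the paradox matters for one-way hashes. The message prefix and the bit lengths are constructed for the demonstration.

```python
import hashlib
import math
from itertools import count

DAYS = 365

def prob_shares_your_birthday(others, days=DAYS):
    """P(at least one of `others` people shares one fixed birthday): 1 - (1 - 1/d)^n."""
    return 1.0 - (1.0 - 1.0 / days) ** others

def prob_any_pair_matches(people, days=DAYS):
    """P(some pair among `people` shares a birthday): 1 - d!/((d-n)! * d^n)."""
    no_match = 1.0
    for i in range(people):
        no_match *= (days - i) / days
    return 1.0 - no_match

def pairs(people):
    """Distinct pairs among `people`; 23 people form 253 pairs, which is why 23 suffices."""
    return people * (people - 1) // 2

def smallest_n(prob_fn, target=0.5, days=DAYS):
    """Smallest group size at which prob_fn reaches `target`."""
    for n in count(1):
        if prob_fn(n, days) >= target:
            return n

def truncated_sha256(msg, bits):
    """Top `bits` bits of SHA-256(msg), standing in for a short hash."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)

def expected_hashes_for_collision(bits):
    """Expected trials before any two `bits`-bit hashes collide: about sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def find_truncated_collision(bits, prefix=b"msg-"):
    """Hash constructed messages prefix+0, prefix+1, ... until two agree on their
    first `bits` bits. Returns (hashes computed, first message, second message)."""
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()
        h = truncated_sha256(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
```

A 24-bit truncation has about 16.7 million possible values, yet a collision typically appears after only a few thousand hashes, matching the pair-counting argument above.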

Brute-Force and Dictionary Network Attacks

Dictionary and brute-force attacks are networking attacks whereby the attacker attempts to log into a user’s account by systematically checking and trying all possible passwords until finding the correct one.

The simplest way to attack is through the front door, since every system must offer a way of logging in. An attacker holding valid credentials can gain entry as a regular user without creating suspicious logs, needing an unpatched entry point, or tripping IDS signatures. An attacker who already has a system’s credentials has an easy time; one who does not has none of these luxuries and must obtain credentials first.
The term brute-force means overpowering the system through repetition. When hacking passwords, brute force requires dictionary software that combines dictionary words with thousands of different variations. It is a slower and less glamorous process. These attacks start with simple letters such as “a” and then move to full words such as “snoop,” or “snoopy.”

Brute-force dictionary attacks can make 100 to 1000 attempts per minute. After several hours or days, brute-force attacks can eventually crack any password. Brute-force attacks reiterate the importance of password best practices, especially on critical resources such as network switches, routers and servers.

Insider Threats

Not every network attack is performed by someone outside an organization.
Inside attacks are malicious attacks performed on a computer system or network by an individual authorized to access the system. Insiders that carry out these attacks have the edge over external attackers since they have authorized system access. They may also understand the system policies and network architecture. Furthermore, there is less security against insider attacks since most organizations focus on defending against external attacks.

Insider threats can affect all elements of computer security and range from injecting Trojan viruses to stealing sensitive data from a network or system. The attackers may also affect the system availability by overloading the network or computer processing capacity or computer storage, resulting in system crashes.

Man-in-the-Middle (MITM) Attacks

Man-in-the-middle (MITM) attacks are a type of cybersecurity breach that allows an attacker to eavesdrop on a communication between two entities. The attacker positions themselves between two legitimate communicating parties, intercepting communication they should otherwise not be able to access; hence the name “man-in-the-middle.” The attacker “listens” to the conversation by intercepting the public-key exchange and retransmitting the message with the requested key replaced by their own.

The two parties seem to communicate as usual, without knowing the message sender is an unknown perpetrator trying to modify and access the message before it is transmitted to the receiver. Thus, the intruder controls the whole communication.

Wednesday, March 4, 2020

What Is Threat Intelligence?


Digital technologies lie at the heart of nearly every industry today. The automation and greater connectedness they afford have revolutionized the world’s economic and cultural institutions — but they’ve also brought risk in the form of cyberattacks. Threat intelligence is knowledge that allows you to prevent or mitigate those attacks. Rooted in data, threat intelligence provides context — like who is attacking you, what their motivation and capabilities are, and what indicators of compromise in your systems to look for — that helps you make informed decisions about your security.
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.” — Gartner

Why Is Threat Intelligence Important?

Today, the cyber security monitoring industry faces numerous challenges — increasingly persistent and devious threat actors, a daily flood of data full of extraneous information and false alarms across multiple, unconnected security systems, and a serious shortage of skilled professionals.
Some organizations try to incorporate threat data feeds into their network, but don’t know what to do with all that extra data, adding to the burden of analysts who may not have the tools to decide what to prioritize and what to ignore.
A cyber threat intelligence solution can address each of these issues. The best solutions use machine learning to automate data collection and processing, integrate with your existing solutions, take in unstructured data from disparate sources, and then connect the dots by providing context on indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) of threat actors.
Threat intelligence is actionable — it’s timely, provides context, and is able to be understood by the people in charge of making decisions.

Tuesday, March 3, 2020

Continuous Monitoring: a Core Principle of a Robust Cybersecurity Program


As SMEs increase their reliance on interconnected cloud-based products like Software-as-a-Service (SaaS) or Infrastructure-as-a-Service (IaaS), they add new cybersecurity risks that can impact their bottom line. This is why continuous monitoring is a core principle of a robust cybersecurity compliance program.
Small and mid-sized businesses (SMBs) increasingly adopt new technologies to help streamline business operations and increase revenue. While a strong cybersecurity compliance program begins with a risk analysis, it ends with continuous monitoring of the data ecosystem.
What does continuous monitoring mean?
Conceptually, continuous monitoring is simple. A company reviews its environment to ensure its controls remain effective. In reality, continuous monitoring places a burden on SMBs who find themselves struggling to find and retain security professionals.
Why does continuous monitoring matter?
Companies need to monitor their data environments continuously for two reasons: cybercriminals and compliance. Read more at cyber security monitoring services.

Monday, March 2, 2020

Which are the biggest threats for 2020?


What data breaches, attacks, malware or other vulnerabilities will be the most damaging? Looking ahead at the evolving threats that your organization should watch out for in 2020 will help shape a constructive cyber security approach. We have listed some of the most disruptive cyber security risks of the year 2020 in the section below.

Internet of Things (IoT) Attacks

IoT has brought the entire world closer than ever before. Sophisticated engineering has transformed the way business operates and given us an emerging world of entertainment and education. It has made communication easier, and also more vulnerable. IoT systems are complex enough that managing their applications, and in particular applying security patches, is difficult.

IoT networks are made up of many unsecured devices, and hackers can reach corporate networks very quickly through them and deliver malware. Various reports on IoT attacks state that around 100 million attacks took place in 2019, and the next year can expect more. Hackers exploit IoT vulnerabilities and target the devices.

Millions of devices with vulnerabilities exist, and if proper care is not taken, a large-scale attack can damage the whole system.

Insider Threats

There are a lot of cyber security issues that are caused by insider threats and one of them is employee errors. Cyber security tools, technologies, and services like PRetect are very effective to prevent or minimize threats due to insider attacks.
There are many instances where it is claimed that multiple workers from top international companies sold customer data to third parties for illegal use. More threats resulting from human error are expected in 2020. Insider threats have reached a critical level, and organizations now set out guidelines to protect their data, supported by cyber detection services.

Supply Chain Concerns

Attackers pursue their goals by the most convenient route, which sometimes leads them through third-party vendors. Attacks through the supply chain are also prevalent. Many well-known threats have been attributed to third-party vendors, the most prominent being the devastating Stuxnet intrusion discovered in 2010 and the 2013 aim data breach.

Third parties can include accidental insiders, an external developer, malicious employees, a service contractor, a supplier, or any other person who has access to a critical system. Many of these third parties have poor cyber security programs and processes, which makes them a rich target for cyber criminals and an avenue to even bigger prizes.
