Evaluating threat intelligence sources
#1
Quote:

With the expanding attack surface and a growing sophistication of threats, just reacting to an incident is not enough. Increasingly complex environments provide multiple opportunities for attackers. Each industry and each organization has its own unique data to protect, and uses its own set of applications, technologies, and so forth. All of that introduces an enormous number of variables into possible methods of executing an attack, with new methods emerging daily.

Over the past few years, we have observed a blurring of boundaries between types of threat and types of threat actor. Methods and tools that were previously a threat to a limited number of organizations have spread to the broader market. One example of this is the dumping of code by the Shadow Brokers group, which put advanced exploits at the disposal of criminal groups that would not otherwise have had access to that kind of sophisticated code. Another example is the emergence of advanced persistent threat (APT) campaigns focused not on cyberespionage, but on theft — stealing money to finance other activities that the APT group is involved in. And the list goes on.

A new approach is needed

With enterprises increasingly falling victim to advanced and targeted attacks, it’s clear that a successful defense requires new methods. To protect themselves, businesses need to take a proactive approach, constantly adapting their security controls to the ever-changing threat environment. The only way to keep up with these changes is to build an effective threat intelligence program.

Threat intelligence has already become a key component of security operations established by companies of varying sizes across all industries and geographies. Provided in human-readable and machine-readable formats, threat intelligence can support security teams with meaningful information throughout the incident management cycle and inform strategic decision-making.

However, the growing demand for external threat intelligence has given rise to an abundance of threat intelligence vendors, each offering a host of different services. An extensive and competitive market with innumerable, complex options can make choosing the right solution for your organization highly confusing and extremely frustrating.

Threat intelligence that isn’t tailored to the specifics of your business can exacerbate the problem. In many companies today, security analysts spend more than half their time sorting out false positives instead of on proactive threat hunting and response, leading to a significant increase in detection times. Feeding irrelevant or inaccurate intelligence to your security operations will drive the number of false alerts even higher and have a serious, negative impact on your response capabilities — and the overall security of your company.

Where the best intelligence lives…

So, how do you evaluate the numerous threat intelligence sources, identify the ones that are most relevant to your organization, and effectively operationalize them? How do you navigate the enormous amounts of meaningless marketing with almost every vendor claiming that its intelligence is the best?

These questions, although valid, are definitely not the first ones that you should be asking. Attracted by flashy messages and lofty promises, many organizations believe that an external vendor can provide them with some kind of superpower X-ray vision, completely overlooking the fact that the most valuable intelligence resides within the perimeter of your own corporate network.
#2
With time, malware threats worldwide become ever more advanced and smarter, and so harder to detect and defeat. On the other side, we also have very good security methods that need to be updated constantly to be ready to fight against new malicious threats while at the same time not detecting too many false positives.