10 Myths About Cyber Threat Intelligence · 2017-08-25 · 6 10 Myths About Cyber Threat Intelligence: Separating act from iction 2015 Cyveillance MYTH #3: It’s impossible to develop

10 Myths About Cyber Threat IntelligenceSeparating Fact from Fiction

A CYVEILLANCE WHITE PAPER | MARCH 2015

2

10 Myths About Cyber Threat Intelligence: Separating Fact from Fiction© 2015 Cyveillance

Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3

Myth 1: Threat intelligence is just another term for data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4

Myth 2: Only big companies have a need for threat intelligence . . . . . . . . . . . . . . . . . . . . . . .5

Myth 3: It’s impossible to develop a business case and show ROI for threat intelligence . . . .6

Myth 4: The volume of sources and data outside our perimeter is too overwhelming to be useful . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8

Myth 5: Threat intelligence is only useful for the information security department . . . . . . . 10

Myth 6: I deal with guns and guards, so I don’t need cyber threat intelligence . . . . . . . . . . 11

Myth 7: Our network is already protected by firewalls, IDS, and anti-virus solutions . . . . . . 12

Myth 8: Threat intelligence is only useful before a breach or a security event . . . . . . . . . . . 13

Myth 9: We already have an in-house cyber security team, so we don’t need threat intelligence from a third-party . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Myth 10: We can’t afford to hire more analysts to process, review, and act upon threat intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Table of Contents

10 Myths About Cyber Threat Intelligence: Separating Fact from Fiction | © 2015 Cyveillance 3

Executive Summary

In today’s security landscape, more vendors than ever are offering what is purported

to be “threat intelligence.” Unfortunately, this term often suffers from the same sort of

ill-defined overuse as terms like “big data” or “cloud security.” Everyone talks about

these things, most are fairly sure they need them, but very few people can tell you

what they actually are or how they can be practically applied in business terms.

One thing most security experts can agree on, though, is that an intelligence-led

approach to security – that is, putting threat intelligence to real-world use – is critical

to protecting organizations from risks. If the goal of an intelligence-led security

strategy is to help organizations be more proactive in finding and preparing for

threats to physical and digital assets, it’s crucial to define and understand exactly

what threat intelligence means, and separate fact from fiction.

In this whitepaper, we dispel some common myths about threat intelligence.

4


MYTH #1: Threat intelligence is just another term for data.

FACT: While data feeds are an important component of threat intelligence, we would argue that they are fundamentally different. A leading industry analyst firm recently defined threat intelligence as “evidence-based knowledge, includ-ing context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”1

Put in plainer terms, threat intelligence has three characteristics that raw data lacks: relevance, actionability, and value. To be relevant, the information must relate to your organization, industry, networks, or objectives. To be actionable, it must be specific enough to prompt or forego some response, change, action, or decision. Finally, to be valuable, it must contribute to a useful business outcome.2

Many organizations feel overwhelmed with data, and with good reason – an estimated 2.5 exabytes (that’s 1018) of data are generated each day.3 But data and threat intelligence are not the same. For example, without additional context, raw data generated by a machine will not help a security team understand the potential risk of an event, such as a spear phishing attack. Other facts surrounding the event – such as where the phishing email may have originated from geographically, any history of associated phishing or malware attacks with the associated domain name, or the profile of a threat actor associated with similar attacks – can help the security team understand the risk of the event. Because the surrounding information is needed for threat intelligence, services that claim to provide threat intelligence must also provide tools for adding context to the data.

Myth 1

1 https://www.gartner.com/doc/2487216/definition-threat-intelligence 2 https://blog.cyveillance.com/making-business-case-threat-intelligence/ 3 http://www.datanami.com/2014/10/27/big-data-becomes-much-data

5


MYTH #2: Only big companies have a need for threat intelligence.

FACT: News stories about large organizations being breached have created

a common misconception that larger organizations are at higher risk of

attack and therefore need threat intelligence. In reality, an estimated 61

percent of all attacks in 2013 were targeted at businesses with fewer

than 250 employees.4 With so much attention focused on breaches

at large organizations, though, it’s no wonder that 27 percent of small

business owners do not believe that data breaches pose a risk to

them,5 despite the fact that threat actors continue to set their sights

on smaller, easier targets. As small businesses have limited budgets

and resources, it’s imperative to find the right intelligence and tools to

maximize their budgets.

To ensure that valuable budget is being spent wisely, security teams

should consider vendors that offer threat intelligence and tools specif-

ically tailored to meet the needs of their organizations. For example,

research shows that SMBs often fall victim to broad-based malware

attacks delivered via phishing emails, so a partner that provides phish-

ing threat intelligence, safety awareness training, and other services

would be more useful to a small organization than one that only pro-

vides data feeds related to bad IP addresses or Distributed Denial of

Service (DDoS) attacks.

5

Myth 2

Small to mid-

sized businesses

often try to stretch

security budgets

by borrowing

tools from other

groups, such as the

marketing team, for

threat monitoring.

However,

these tools are

not designed

with security

professionals

in mind and

therefore do not

meet their needs.

4 http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf 5 http://www.advisenltd.com/10/14/2014/cyber-exposures-small-mid-size-businesses

6


MYTH #3: It’s impossible to develop a business case and show ROI for threat intelligence.

FACT: Determining the ROI for security initiatives is often challenging, but it’s not impossible. While it may be more use-

ful to frame investments against the costs of what could be lost if an executive were to be harmed or data breach

to occur, there are often instances where security professionals will be pressed to demonstrate ROI.

Before ROI can be calculated, you must determine whether threat intelligence is a necessary part of

your security program. These questions can help you determine if you need threat intelligence and if

so, how much:

1. WHY? Clearly define the business driver(s) to buy or build a threat intelligence capability using business terms.6

2. WHAT? Define a clear, bounded, set of responsibilities and mission activities for the personnel involved.

3. HOW? List the steps that will operationalize the intelligence activities and information to support business goals.7

Myth 3

6 https://www.brighttalk.com/webcast/9865/134509 7 http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis

710 Myths About Cyber Threat Intelligence: Separating Fact from Fiction | © 2015 Cyveillance

8 http://www.Internetlivestats.com/twitter-statistics

4. HOW MUCH? Quantify the problem, the risk, or the value of the solution you

are proposing.

5. HOW ARE WE DOING? Determine the reporting procedures and measure-

ments for performance that will justify both initial and on-going expenditures.

Determining the ROI for threat intelligence will be challenging without going

through these steps first. However, after completing this exercise, finding the right

metrics and figures to track should be easier. Measuring the ROI for threat intel-

ligence should not be any more difficult than measuring ROI for other business

expenditures.

For example, if the average cost of a data breach is $3.5 million for a larger orga-

nization8, spending $50,000 to $200,000 a year for threat intelligence is a minimal

investment to prevent staggering losses. Smaller organizations can deploy solu-

tions which cost a fraction of this. This does not even take into account the value of

advance knowledge of physical threats to employees, which could be life-saving.

Evaluating Threat Intelligence Solutions

Fortune 500Many global companies have their own internal threat centers which can process data and intelligence from a wide variety of sources and vendors to be analyzed by their in-house team. Yet, even with these teams it can be difficult to find, compile, sort, and analyze the mas-sive amount of daily data received. A third-party vendor is often needed to provide expertise and analysis for company blind spots and overflow.

Large EnterpriseWith a nebulous perimeter and increasing BYOD envi-ronment, traditional firewall and IDS platforms provide incomplete security. In addition, large enterprises compete for scarce resource within departments, which leave gaps in both talent and knowledge. In this case, a third-party vendor with on-demand analysts offers easy scalability to close these gaps.

SMB and Non-ProfitWhile there are free and low cost sources of threat in-telligence available to those with limited budget, there is little help on the analysis of the available data. With limited budget and time, small companies find it difficult to make headway with threat intelligence programs. Many third party vendors now offer affordable month-ly subscriptions for threat intelligence portals, which consolidate threat intelligence, offer analytical tools, provide insight on global threat landscape, and can help meet their needs to manage risk and compliance.

These three steps can serve as a guide to building a business case:

Revisit the reasons whether and why

threat intelligence is a necessity

Frame the reasons in terms of business

objectives

Translate the activities and benefits of threat intelligence into tangible met-rics that support your organization’s

business objectives

8


MYTH #4: The volume of sources and data outside our perimeter is too overwhelming to be useful.

FACT: It is true that the sheer volume of online data can be daunting. But with the right consolidation, analytics,

and analysis, this data can be distilled into relevant, actionable, and valuable threat intelligence. From the

traditional web to social media to underground chat rooms, paste sites, and the blogosphere; it can be

enormously difficult to monitor all the sources that matter to your business. In addition to the proliferation

of sources, the amount of content being produced has exploded: as of early 2015, 500 million tweets per

day,9 864 million active Facebook users,10 and 100 hours of content are uploaded to YouTube every min-

ute.11 These are mind-boggling numbers. However, that does not mean that these huge volumes of data

can’t be managed. What is required to make that happen?

First, there must be a consolidated, automated means to search and collect across all these online sourc-

es. As the volume of sources, posts, pages, and languages expands endlessly, it cannot fall to human

analysts to manage data collection.

The second prerequisite is data analytics; the filters, risk scoring, and prioritization tools that focus scarce

analyst hours on the right material. Collection capability is self-defeating if all it does is add ever-more data

to an already unmanageable queue for the analyst.

Finally, there must be capable analysts with the right tools to efficiently prioritize and investigate items that

matter. Open-source intelligence can be collected, managed, and used effectively. However, it requires the

people, process, and technology to cost-effectively apply and benefit from the information that is out there.

8

Myth 4

9 http://expandedramblings.com/index.php/by-the-numbers-17-amazing-facebook-stats 10 https://www.youtube.com/yt/press/statistics.html 11 http://www.hhs.gov/news/press/2014pres/05/20140507b.html

910 Myths About Cyber Threat Intelligence: Separating Fact from Fiction | © 2015 Cyveillance

Web

Twitter

Facebook

Google+

Blogs

LinkedIn

Youtube

Boards

Pastebin

Instagram

50,000mentions per daytweets per day

500,000,000

active users

of content uploaded

*Data as of January 2015

every minute

for the average brand

864,000,000

6,000 minutes

9

Simple “mentions” or keyword matches for client brands, executives, locations, and other indicators commonly exceed

50,000 new items per day . Yet a typical analyst may be able to process hundreds or perhaps a few thousand items

at most . Without unlimited budgets for more analysts, and the availability of such talent in the market, throwing more

humans at the problem is not a realistic or sustainable option . When dealing with data at this scale, there must be

technology applied to identify and prioritize what is most likely to matter .

The Expanding Data Dilemma

10


MYTH #5: Threat intelligence is only useful for the information security department.

FACT: In the past, cyber threat intelligence has been seen as the domain of the information security team. While

it may have been true in the era of defined perimeters and workspaces, the new era of dynamic perim-

eters, BYOD, and SaaS tools has blurred lines of responsibility. Increasingly, cyber and physical security

have converged as threat actors use chat, blogs, and social media to organize events, coordinate sched-

ules, and plan combined physical and digital disruptions.

In addition to the physical and information security team, the governance, risk, and compliance depart-

ment can use threat intelligence to mitigate risks of non-compliance. Many times indications and warnings

of issues with FFIEC, FDA, or HIPAA compliance can be found on the open source Internet long before a

violation is formally discovered. For example, in the case of a New York hospital that suffered a breach, on-

going online monitoring may have found patients’ health information being sold or traded on the Internet.

This advance notice could have alerted the security and compliance teams of a problem, potentially sav-

ing the hospital from a $4.8 million fine.12 Likewise, social media can be monitored for impostor accounts,

mitigating the risk of fraud and ensuring compliance with FFIEC or other industry guidelines.13

Customer service and fraud departments are yet another team that can benefit from threat intelligence, as

it can aid in identifying fraudulent or activist-related complaints and claims designed to disrupt business

operations or get products removed from shelves. Because multiple internal stakeholders can benefit from

threat intelligence, look for tools and services that can collect, isolate, and identify different types of threats

and risks. Reports and metrics demonstrating how threat intelligence benefits each team can be used to

procure or share budget, engage multiple stakeholders, and maximize the value of these tools or services

across the organization.

10

Myth 5

12 https://blog.cyveillance.com/federal-financial-institutions-examination-council-ffiec-issues-social-media-guidelines 13 https://ca.news.yahoo.com/blogs/right-click/news-earthquake-travels-faster-twitter-shock-waves-travel-164736000.html

11


MYTH #6: I am a physical security professional. I deal with guns and guards, so I don’t need cyber threat intelligence.

FACT: Threat actors are increasingly using online communication sites and methods to plan attacks and events that can harm employees or physical assets, disrupt operations, or interrupt events and meetings.

For example, threat actors often use social media to rally supporters for their causes or to enlist participants in disruptive events. These can range from political demonstrations and protests to flash mobs and sit-ins. Any organization with animal-rights, environmental, or politically sensitive issues should expect that opposition groups can and will use the Internet for organizing and managing their activities. A physical security team can use threat intelligence to be alerted to potential protest activity targeting a company facility, shareholder meeting, or other event. The physical security team can then take preventative measures to most effectively deploy resources at the event or set up countermeasures like physical barriers to increase the space between a facility and a protest.

Threat intelligence can also help physical security professionals stay abreast of global disruptions of other types,

from political unrest to natural disasters, that can impact operations, facilities, or company assets and personnel.

The Internet is now often the fastest source for this type of data. For example, during the 2011 earthquake near Washing-

ton DC, Twitter warnings of the event actually travelled faster than the seismic shockwave from the quake itself. 14 Failure

to have real-time “eyes and ears” on the public Internet can leave physical security teams open to being blindsided.

11

Myth 6

14 http://www.pcworld.com/article/2690359/survey-byod-security-remains-spotty-with-users-unaware-or-unmotivated-about-risks.html

12


MYTH #7: Our network is already protected by firewalls, IDS, and anti-virus solutions. We don’t need external threat intelligence.

FACT: While firewalls and intrusion detection systems are still critical to addressing network threats, they can only

help prevent attacks once they reach the perimeter. From zero-day exploits to social engineering or even

physical attacks on employees, there are risks that traditional perimeter defenses simply can’t address.

Intelligence from beyond your own environment, whether in the form of technical markers like indica-

tors-of-compromise (“IOCs”) or reports on the latest hacker techniques, can be useful to understanding,

spotting, and mitigating threats before they reach your network perimeter.

There is another trend that renders traditional network defenses increasingly insufficient. For today’s

interconnected businesses, the corporate network perimeter is no longer the clear delineator between

their business and the outside world. The traditional perimeter is now spread across multiple devices and

locations,15 and in the cloud, where firms deploy critical services and store sensitive data. This change has

made traditional firewall and intrusion detection platforms incomplete solutions. For example, they can’t

necessarily help your teams prepare for – and protect against – new types of threats, such as malicious

code designed to cross into the corporate environment through employee-owned devices.

Criminals are capitalizing on the small screens of mobile devices and the distracted people using them to

develop new kinds of attacks, such as SMS phishing campaigns. One of the most sophisticated advanced

persistent attacks discovered to date illustrated this.16 In addition, there is evidence that threat intelligence

offers a measurable benefit to the business side of the equation. A 2014 study conducted by the Ponemon

Institute showed that companies that deployed security intelligence systems had a 23 percent higher ROI

than on other technologies such as encryption and perimeter controls.17

Myth 7

15 https://www.bluecoat.com/documents/download/638d602b-70f4-4644-aaad-b80e1426aad4/d5c87163-e068-440f-b89e-e40b2f8d2088 16 http://www8.hp.com/us/en/software-solutions/ponemon-cyber-security-report 17 http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=27971

13


MYTH #8: Threat intelligence is only useful before a breach or a security event.

FACT: While threat intelligence can help prevent breaches, it can also help identify and mitigate the damages from

previously undiscovered breaches or attacks. Research reveals that it can take up to three years or more

for organizations to discover a breach, which can expose an organization to millions of dollars in damages.18

That figure can be significantly reduced by discovering a breach sooner rather than later.

Monitoring the open source Internet, especially paste, leak, and document-sharing sites, is critical to dis-

covering leaked or confidential data or documents faster. Oftentimes criminals trade or sell stolen data on

underground forums or other hard-to-find places. Using an automated tool that can monitor these sources

can complement internally deployed data-loss-prevention (DLP) systems.

Finding the information earlier can allow your teams to mitigate potential problems. Reputational damage

can be reduced if an organization finds the information before the press or an unaffiliated third party does,

so that the PR and marketing team – not the media – can better control how the breach is addressed. Once

the breach is discovered, threat intelligence can help your security team learn how it occurred and may pro-

vide insights that prevent more data from being lost or stolen.

Myth 8

18 http://www.forbes.com/sites/ciocentral/2012/12/05/the-biggest-cybersecurity-threats-of-2013-2

14


MYTH #9: We already have an in-house cyber security team, so we don’t need threat intelligence from a third-party.

FACT: Even if you are a very large company with a big team, it can still be difficult to find, compile, sort, and analyze the vast

amount of information relevant to your organization’s cyber and physical security. More specifically, the following two

factors have made it nearly impossible for an in-house security team to maintain the safety of the entire organization.

The first factor is the explosion in risk types in terms of complexity and number. Besides risks such as phishing attacks, secu-

rity teams must now combat cyber-attacks that involve state and federal regulations, physical security, and customer data.

The second factor is the expanded attack surface. While threat actors continue to use older media, such as IRC

channels, they are increasingly using new vectors to plan and launch attacks. Keeping up with all of these tools and

tactics can be daunting for any security team, no matter how large. Moreover, many organizations have a global

presence, requiring analysts to be fluent in multiple languages.

The growing range of sources, risk types, and languages (along with variations in your risk profile, e.g., around a

major event like a shareholders’ meeting) can make it very difficult to always have the right mix of resources on

hand. Working with a partner who can supplement your internal team (whether full-time, part-time, or as-needed)

can be an important component of an overall threat intelligence strategy.

Myth 9

15


MYTH #10: We can’t afford to hire more analysts to process, review, and act upon threat intelligence.

FACT: If you have a small security team or perhaps a single person handling all security issues, you’re not alone:

according to conservative estimates, some 55 percent of organizations are short on information security

workers.19 Even the government is seeing a shortage of cybersecurity professionals. Cheri Caddy, director

of cyber security policy integration and outreach at the White House, recently stated, “We just have not

been training enough people to man the defenses of every business at work, every government at work,

every military mission.” 20

An in-house analyst team does not necessarily make business sense for all organizations. It can be time

consuming and costly to find, onboard, and train new employees. Depending upon your business goals

– whether it is to increase revenue, increase the utilization of assets, or reduce costs – it may make more

sense to use the analyst team of a security partner. Before deciding whether to source the staff in-house

or to look to a third-party provider – or some combination thereof – it is important to examine the tools,

expertise, skill set, and manpower each will take.

Look for a partner that offers the option for full-time, part-time, or on-demand security consultants who

are knowledgeable about your business needs and can provide as much or as little help as you need.

For example, your company may not be large enough to require full-time resources, but you may need to

increase resources for specific events, such as board meetings. Or, you may have workday hours covered

but need support during off-hours or weekends. If your company is expanding operations into a new coun-

try, you may not have the in-house language capabilities or expertise to evaluate potential risks that could

impact physical offices or executive travel. An ideal partner is one that provides not just tools or data or a

platform to process information, but, if needed, trained analysts, linguists, consultants, and other experts.

Myth 10

19 https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/2013-ISC2-Global-Information-Security-Workforce-Study.pdf 20 http://www.courant.com/business/hc-cybersecurity-labor-shortage-uconn-white-house-20141020-story.html

While your network may be secure, do you have visibility beyond the perimeter? Security is no longer about what you can see. What you can’t see is where the true threats hide.

Cyveillance offers an easy-to-use platform that enables security professionals the ability to see beyond the perimeter. Our solutions identify cyber and physical threats and risks across the globe, allowing you to mitigate and eliminate them before they disrupt your business.

We go beyond data to provide the threat intelligence that you need to achieve your organization’s business goals. Contact us today to learn more and get a free trial.

Using security intelligence technology can save companies up to $2.6 million when compared to companies not using security intelligence technologies. “2014 Global Report on the Cost of Cyber Crime.” Ponemon Institute; HP. 3 Dec. 2014. http://www8.hp.com/us/en/software-solutions/ponemon-cyber-security-reportA study by Verizon has shown that the targets of 85 percent attacks are small businesses with less than 1,000 employees. Verizon, “2012 Data Breach Investigations Report,” http://www.verizonenterprise.com/resources/reports/ rp_data-breach-investigations-report-2012-ebk_en_xg.pdf

Cyber Threat Center

www.cyveillance.com/cyberthreatcenter

Cyveillance is the leading provider of cyber threat intelligence, enabling organizations to protect their information, infrastructure, and employees from physical and online threats found outside the network perimeter. Founded in 1997, Cyveillance delivers an intelligence-led approach to security through continuous, comprehensive monitoring of millions of online data sources, along with sophisticated technical and human analysis. The Cyveillance Cyber Threat Center, a cloud-based platform, combines web search, social media monitoring, underground channel information, and global intelligence with investigative tools and databases of threat actors, domain names and IP data, phishing activity, and malware. Cyveillance serves the Global 2000 and the majority of the Fortune 50 – as well as global leaders in finance, technology, and energy – along with data partners and resellers. For more information, visit www.cyveillance.com.

Cyveillance is a wholly-owned subsidiary of QinetiQ, a FTSE250 company which uses its domain knowledge to provide technical support and know-how to customers in the global aerospace, defense and security markets. For more information, visit www.qinetiq.com.

11091 Sunset Hills Road, Suite 210 Reston, Virginia 20190 888.243.0097 | 703.351.1000www.cyveillance.com [email protected]

Copyright © 2015 Cyveillance, Inc. All rights reserved. Cyveillance is a registered trademark of Cyveillance, Inc. All other names are

trademarks or registered trademarks of their respective owners

Documents

10 Myths About Cyber Threat Intelligence · 2017-08-25 · 6 10 Myths About Cyber Threat Intelligence: Separating act from iction 2015 Cyveillance MYTH #3: It’s impossible to develop