Security teams often think that simply having a threat intelligence feed arms them with what they need to protect their organization. But the truth is, most companies receive a raw data feed from their threat intelligence vendors, which is really just information. There is a difference between information and intelligence, as discussed on a recent episode of Dr. Dark Web with our own Chris Roberts.
Listen to the full episode What the Heck IS Threat Intelligence? with Chris Roberts, aka Dr. Dark Web.
In the digital world, intelligence matters.
In the digital world, there is a vast difference between cyber information and cyber intelligence, yet the two concepts are often thrown around like they are interchangeable. They are not.
Cybersixgill’s Chris Roberts explains the difference like this: in the physical world, we have hard limits on all sorts of things: the number of humans in an office, the number of countries in the world, the number of hours in the day and number of days in a year. That’s not the case in the digital world. “The digital world is expanding about as fast as the darn universe is expanding,” Roberts said. “It's ridiculous how much data we're creating – and how in a short space of time, we’re constantly doubling that amount of data.”
With so much data online, only a small fraction qualifies as true cyber intelligence, and an even smaller subset of that is cyber intelligence that’s relevant to your organization.
What is actionable threat intelligence?
According to Roberts, quality threat intelligence is timely, actionable, and relevant. More importantly, it can be trusted because it has been verified by the company that’s providing it. He added that organizations must take a step back and identify which assets they really care about and which risks they face.
The dark web can be a valuable source of actionable threat intelligence where analysts can learn about the ways that cyberattacks are performed, which attack tools are for sale and being purchased, and the success rates of current cybersecurity campaigns.
How do organizations operationalize threat intelligence?
Operationalization is the ability to act on the intel you have. It is absolutely crucial, but unfortunately, it’s a struggle for many organizations. According to Dark Reading’s 2021 Survey on the State of Threat Intelligence:
- 40 percent of organizations cite lack of context as their biggest source of frustration with threat intelligence.
- 56 percent of organizations say their team spends more than 12 hours per week researching and synthesizing threat intel reports.
- 35 percent of organizations say it takes more than 12 hours to supplement new threat intel data with their own research before they can begin to escalate and remediate incidents.
As explained by Roberts, Cybersixgill works with customers to produce intelligence that addresses concerns and areas of risk that are unique to each company, and establishes a baseline from which cyber defenses can be strengthened. This cyber intelligence will find any company information that is already for sale on the dark web (email addresses, access credentials, domain names, and images) and will identify dark web organizations that are targeting or have plans to soon target a company.
“That’s actionable intel. It allows you to take proactive measures before a devastating ransomware attack effectively paralyzes your organization,” Roberts said.
Is your organization ready for actionable threat intelligence?
Most organizations progress through several stages of cybersecurity readiness as they grow. Our recent whitepaper, The 5 Levels of Cyber Threat Intelligence Development, outlines the various levels of cybersecurity readiness and explains why companies must continue to move upwards.
How does it work in real life?
To understand how actionable intelligence applies in real life, below are some examples that Roberts discussed on the podcast:
- A mining company was planning a meeting for its leadership team at a new site in South America. Intelligence revealed that local activism was being planned during the visit, so the company was able to cancel the trip and eliminate the associated risk. Without the proper intelligence, these insights would not have surfaced.
- A large clothing company had an issue regarding lost merchandise in the supply chain, or slippage. The issue was costing $200 million annually. Intel-based tracking allowed profiling of individuals and organizations that had access to the merchandise, and identified criminals on both sides of the supply chain. A number of new internal processes were put in place and the financial impact decreased considerably.
- A watch company had a problem on the customer service side. High-end watches that were supposed to be returned to customers were getting lost. Cyber threat intelligence revealed that some watch parts were being sold on the secondary market – a problem the company was then able to address, preserving the integrity of its watches and its brand.
The bottom line: true cyber intelligence must be timely, relevant, accurate, specific, actionable, and integrated.