How to Protect Your Organization With Shared Threat Intelligence
Threat intelligence plays an important preventive role by providing early warning of emerging threats before they impact your organization.
- Shared threat intelligence can identify new threats before they reach your organization, so you can take preventive action before you’re impacted.
- Correlating threat information from diverse sources can help you determine which threats to prioritize.
- For most organizations, a campaign-level view of attacks is more useful than focusing on attribution of individual threats.
- Understanding employee targeting and behavior is critical.
Shared threat intelligence plays a critical role in keeping your organization safe. The most effective threat intelligence is predictive: it helps you see threats on the horizon so you can take preventive action before they impact your organization.
For example, threat intelligence may alert you to a new kind of ransomware attack or phishing exploit that’s starting to wreak havoc at other companies in your industry — but hasn’t yet affected your company. Learning how attackers are targeting similar organizations can help you determine whether your existing defenses are adequate or whether you need additional protection.
At Mimecast, we continually glean new threat intelligence from the enormous volume of email messages that we secure every day. As an email security product manager, my role includes providing relevant and actionable threat intelligence information to our customers, as well as using that information to add appropriate protection to our products. In this post, I’ll share tips about how to use threat intelligence for maximum advantage.
Seeing The Forest for the Trees
A diversity of threat intelligence sources can enable you to build a more comprehensive view of the threat landscape, helping spot emerging threats that might otherwise be missed. That’s why it’s important to use a wide range of inputs, including free community-based feeds as well as commercial intelligence aggregators.
But too much data can also be dangerous, making it hard to see the forest for the trees. It can lead to false positives and wasted effort as organizations try to block every rumored and actual threat that they hear about. That’s something that companies can ill afford, given the scarcity of security skills and the urgency of focusing on the most significant threats. Faced with a torrent of threat data, how do you decide which threats are most important to your organization and require immediate action — and distinguish them from those that are less urgent or can be ignored altogether? Carefully correlating and cross-checking information from multiple sources can help you decide which voices to trust, which threats to prioritize and how much time and effort to devote to them.
Focus on Understanding Campaigns, Not Attributing Individual Threats
For most organizations, a campaign-level view of threat intelligence is more useful than focusing on attribution of each individual threat. One reason is that a single malicious campaign can generate many different threats as attackers attempt to compromise organizations via multiple channels including email, websites and social media. Another is that multiple attackers employ the same methods and malware and continuously modify them slightly for different purposes, creating many distinct but similar-looking threats.
In this reality, focusing on understanding threat campaigns as opposed to individual threats provides a broader perspective of where threats come from, the attackers behind them, the kind of organizations they are targeting, and the methods they use. Understanding the context gives you a better idea of where you may be vulnerable and the steps you need to take to protect yourself. If you know that a campaign is focused on specific industry sectors, you’ll have a better idea of whether you might be the next target. If a campaign is associated with a particular region, you can focus on protecting your operations or business relationships in that area.
Understand User Targeting and Behavior
Prevention is about user behavior as well as technology. Threat intelligence can help you understand which employees are typically targeted and which are most at risk, so you can put the right safety nets in place.
For example, instead of directly targeting well-protected senior executives, attackers may direct their phishing emails to assistants or other staff with connections to those executives. Often, business email compromise (BEC) scams impersonate executives to entice assistants to authorize money transfers or other damaging actions. You’ll need to protect each link in the communication chain, not just the executive at the end of the chain.
Analysis of user behavior can help determine which employees present the biggest risk and where to focus your efforts. Are there employees that have previously been overlooked and need additional education or technical controls? Are some people interacting with regions that are the source of known problems? Are they repeatedly clicking on bad links?
Don’t Fixate on the Past
If you focus only on the types of threats that you’ve encountered in the past, you may lack the peripheral vision to spot new attacks that can circumvent your existing defenses. So even if you already have a strong set of security tools in place, it’s critical to avoid complacency. Just because your tools have effectively blocked attacks in the past, that doesn’t mean they’ll be equally effective against novel attacks that emerge in the future. Threat intelligence provides early warning of those new threats, so you can start to build a level of protection — even if you don’t yet have enough information to create a 100% effective solution.
The Bottom Line
Threat intelligence sharing performs an extremely valuable preventive role in protecting your organization against cyberattacks. Analyzing multiple sources of threat information can help you identify and prioritize key threats — before they impact your organization.
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!