The Power of Predictive Threat Intelligence
Refocusing threat intelligence from identifying who is behind an attack to predicting what type of attack will occur is a better way to counter cyber threats.
- The traditional approach to threat intelligence, centered around attribution, does little to make an organization more secure.
- A predictive approach that analyzes information from multiple sources enables organizations to identify and prevent cyberattacks before they happen.
- Predictive threat intelligence tools provide insights so that security leaders can devote more resources to protecting their company’s most vulnerable targets.
Attribution—identifying who was behind a cyberattack—has long been the focus of traditional threat intelligence. But such backward-looking analysis does little to help thwart a clear and present cyber threat. Knowing who attacked an organization is far less important than understanding how to prevent such exploits in the first place. That’s why true threat intelligence must be predictive.
“When organizations are talking about threat intelligence, they’re often talking about post-breach information—who attacked me, what did they attack me with,” says Josh Douglas, Vice President of Threat Intelligence at Mimecast. “But we don’t collectively use that information for good. We need to change that dynamic.”
A more forward-looking approach that focuses on gathering and analyzing information from multiple sources can help a company identify and block threats—including those that haven’t been detected yet. Imagine, if you will, that you are charged with protecting the air space of Southern California and the safety of everyone on the ground. An unidentified plane takes off from Russia, headed for the west coast. Your assumption might be that the plane poses a threat, but that alone doesn’t help you figure out how to stop it from entering your airspace. Should you discover that the pilot is not a Russian and that another country paid for the plane, that, too, is of little immediate value. What matters in the moment is knowing the flight path of the plane and whether you should shoot it down or force it to land.
Many CISOs find themselves in a similar predicament as they work to protect their companies, customers and partners.
“What matters most is understanding where and how your adversaries get in,” Douglas notes. “And you only have that if you take a predictive approach.”
Complicating matters, security teams face what Deloitte has described as a “perfect storm” of cyber risk. The cyber threat landscape is growing exponentially while cybersecurity talent is increasingly expensive and hard to find, making getting ahead of threats ever more important.[i]
Just under half of organizations surveyed for the 2020 SANS Cyber Threat Intelligence Survey have a dedicated cyber threat intelligence team.[ii] However, the report also found that many of these teams lack requirement frameworks that underpin the threat intelligence process.
As a result, many cybersecurity professionals struggle to determine where to devote their resources and end up taking a broad-brush approach. The battlefront is just too broad, and “You have to make assumptions about what needs to be protected,” says Douglas. “If you know who or what the most frequent targets are, then you know where to focus your efforts.”
How Predictive Tools Can Help
Predictive tools and processes for determining where a company is most vulnerable can make all the difference. A CISO can’t do much to influence the efforts of would-be hackers. But what he or she can do is to identify weak points and an attacker’s most likely targets.
“Intelligence-led initiatives provide information about the identities, motivations, characteristics, and methods of threat actors,” Gartner explains, “and then, importantly, give you options to operationalize this in your cybersecurity programs.”[iii]
If there’s a particularly click-happy employee, for example, the cybersecurity team can reach out and explain why that sort of behavior poses a danger. If an email server is repeatedly compromised, the security team can make the necessary adjustments. If there’s an uptick in wire fraud and a flurry of attacks against employees in the finance department, that gives the CISO a clear sense of where to allocate more resources. “This,” says Douglas, “is where being smart can make a huge difference.”
Deloitte has outlined a number of areas in which predictive threat intelligence can help an organization, including:
- Risk-sensing, especially identifying or predicting risks that are difficult for humans and rules-based systems to spot, such as new categories of threats or potential sources of future threats.
- Threat monitoring and tracking activities and entities to establish a baseline and detect anomalies that could indicate potential risks.
- Automating labor-intensive, complex and error-prone processes that involve large volumes of structured and unstructured data. Examples include third-party due diligence and identity and access management.[iv]
Like combatants in any type of conflict, cyberwarriors can get lost in the fog of war. Predictive threat intelligence cuts through the gloom.
Taking this approach, “You can focus on the assets and people you need to protect,” says Douglas. “If I see that my domain is being used improperly in email flows, I can send out warnings to my customers and partners to let them know what’s happening. If I have a tool that shows me my top ten risks, along with recommendations for how to address them, then I’m in a much better position to mitigate my organization’s cyber risk.”
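The baseline-and-anomaly idea in the Deloitte list above and the “top ten risks with recommendations” view Douglas describes can be reduced to a small ranking routine. The following is an added illustration, not Mimecast’s or the article’s own code: it merges constructed weekly counts from several hypothetical feeds (email gateway, helpdesk tickets, fraud desk, DMARC reports), compares the latest week with each target’s earlier baseline, weights the deviation by how many independent sources corroborate it, and attaches a hypothetical remediation to each ranked risk.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample input (week, source, target, kind, count); feeds are hypothetical.
EVENTS = [
    (1, "email_gateway", "finance", "phish_click", 1),
    (2, "email_gateway", "finance", "phish_click", 1),
    (3, "email_gateway", "finance", "phish_click", 1),
    (4, "email_gateway", "finance", "phish_click", 3),
    (4, "helpdesk", "finance", "phish_click", 1),
    (4, "fraud_desk", "finance", "wire_fraud_attempt", 2),
    (1, "dmarc_reports", "example.com", "domain_spoof", 1),
    (2, "dmarc_reports", "example.com", "domain_spoof", 1),
    (3, "dmarc_reports", "example.com", "domain_spoof", 1),
    (4, "dmarc_reports", "example.com", "domain_spoof", 1),
    (1, "email_gateway", "engineering", "phish_click", 1),
    (2, "email_gateway", "engineering", "phish_click", 1),
    (3, "email_gateway", "engineering", "phish_click", 1),
    (4, "email_gateway", "engineering", "phish_click", 2),
]

# Hypothetical remediation per signal kind, attached to each ranked risk.
ACTIONS = {
    "phish_click": "targeted awareness outreach; tighten URL rewriting",
    "wire_fraud_attempt": "out-of-band verification of payment changes",
    "domain_spoof": "move DMARC toward reject; warn customers and partners",
}

def top_risks(events, latest_week, n=10):
    # Rank (target, kind) pairs by how far the latest week exceeds the baseline
    # of earlier weeks, weighted by the number of independent corroborating sources.
    per_week, sources = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for week, src, target, kind, count in events:
        per_week[(target, kind)][week] += count
        sources[(target, kind)].add(src)
    rows = []
    for (target, kind), weeks in per_week.items():
        history = [weeks.get(w, 0) for w in range(1, latest_week)]  # missing weeks count as 0
        baseline = mean(history) if history else 0
        latest = weeks.get(latest_week, 0)
        rows.append({"target": target, "kind": kind, "baseline": baseline,
                     "latest": latest, "sources": sorted(sources[(target, kind)]),
                     "score": (latest - baseline) * len(sources[(target, kind)]),
                     "action": ACTIONS.get(kind, "investigate")})
    return sorted(rows, key=lambda r: r["score"], reverse=True)[:n]

def focus_by_target(risks):  # sum of scores per target: where to devote resources
    totals = defaultdict(float)
    for r in risks:
        totals[r["target"]] += r["score"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
```

On the sample data the finance department surfaces at the top on two corroborated signals (a jump in phishing clicks seen by both the gateway and the helpdesk, plus new wire-fraud attempts), while the steady domain-spoofing volume scores zero because it matches its own baseline.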
The Bottom Line
Focusing on attribution—who is threatening your organization—does little to block an attack. Taking a predictive approach to threat intelligence, however, one that analyzes information from multiple sources to identify and protect likely targets, can help CISOs and their security teams thwart an attack before it occurs.