Threat Intelligence

    Understanding Threat Intelligence: Seeing Beyond Indicators of Compromise

    Threat intelligence doesn’t mean subscribing to multiple data feeds.

    by Joshua Douglas

    There is a lot of confusion and misunderstanding about what constitutes threat intelligence. Too often, threat intelligence is conflated with tracking a long list of Indicators of Compromise (IoCs), with the underlying assumption that a company has to be compromised, or in the process of being compromised, before it can make use of the intelligence. This is post-breach threat intelligence.

    In theory, indicators can be actionable, but in practice this kind of intelligence is little more than a data feed, and one that does not scale for many companies. The focus on IoCs creates noise in which only a small portion of the intelligence is applicable to your organization: an indicator that never matches anything in your environment is just a row in a table.

    Knowing which indicators to focus on first is just the beginning. Correlating all the subsequent events associated with an indicator and recognizing the pattern of what the attack looks like is a challenge, because you may not have the staff or the tools needed to maintain such an operation.
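    The two points above, that most of a feed never matches and that a match is only the start of the work, are easy to see in a small script. The example below is added here to illustrate them and is not code from the original post or from Mimecast; the IoC feed, the log format (timestamp, host, event type, value) and the log lines are all constructed for the illustration, and the five-minute correlation window is an arbitrary assumption.

```python
"""Match a small IoC feed against constructed proxy/DNS logs, then
correlate the events that follow each hit on the same host.

Feed, log format and log lines are all constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IoC feed: (indicator type, value). Only two of these six
# entries will ever match the sample logs; the rest are feed noise.
IOC_FEED = {
    ("domain", "update-check.example.net"),
    ("ip", "203.0.113.45"),
    ("domain", "cdn.example-bad.org"),
    ("ip", "198.51.100.7"),
    ("domain", "mail.example-phish.com"),
    ("ip", "192.0.2.99"),
}

# Constructed log lines: "<timestamp> <host> <event type> <value>".
LOG_LINES = """\
2024-03-04T09:00:01 ws-17 dns www.example.com
2024-03-04T09:00:05 ws-17 dns update-check.example.net
2024-03-04T09:00:06 ws-17 http 203.0.113.45
2024-03-04T09:00:40 ws-17 proc powershell.exe
2024-03-04T09:01:10 ws-17 http 203.0.113.45
2024-03-04T09:30:00 ws-22 dns www.example.com
2024-03-04T10:15:00 ws-22 http 198.51.100.200
"""

# Which log event types carry which kind of indicator (assumed mapping).
EVENT_TO_IOC_TYPE = {"dns": "domain", "http": "ip"}


def parse_logs(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, host, etype, value = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "type": etype, "value": value})
    return events


def match_iocs(events, feed):
    """Return (event, ioc) pairs for every log event whose value is in the feed."""
    hits = []
    for ev in events:
        ioc_type = EVENT_TO_IOC_TYPE.get(ev["type"])
        if ioc_type and (ioc_type, ev["value"]) in feed:
            hits.append((ev, (ioc_type, ev["value"])))
    return hits


def feed_coverage(hits, feed):
    """Fraction of feed entries that matched at least once (the rest is noise)."""
    matched = {ioc for _, ioc in hits}
    return len(matched) / len(feed)


def correlate(events, hits, window=timedelta(minutes=5)):
    """For each host with a hit, collect every event from its first IoC hit
    until the end of the window, in time order. This is the chain an analyst
    would read to recognise what the attack actually looks like."""
    first_hit = {}
    for ev, _ in hits:
        host = ev["host"]
        if host not in first_hit or ev["ts"] < first_hit[host]:
            first_hit[host] = ev["ts"]
    chains = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        start = first_hit.get(ev["host"])
        if start is not None and start <= ev["ts"] <= start + window:
            chains[ev["host"]].append(ev)
    return dict(chains)


def pattern(chain):
    """Render a correlated chain as a readable 'type:value -> ...' string."""
    return " -> ".join(f'{e["type"]}:{e["value"]}' for e in chain)


if __name__ == "__main__":
    evs = parse_logs(LOG_LINES)
    found = match_iocs(evs, IOC_FEED)
    print(f"{len(found)} raw IoC hits; "
          f"{feed_coverage(found, IOC_FEED):.0%} of the feed ever matched")
    for host, chain in correlate(evs, found).items():
        print(f"{host}: {pattern(chain)}")
```

    Run as-is, the three raw hits collapse into one chain on ws-17 (a DNS lookup of the flagged domain, two connections to the flagged address and a process launch in between), while four of the six feed entries never match anything. Swapping in a real feed and real logs only makes the ratio worse, which is the scaling problem the text describes.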


    Even doing all this is still not enough: it only indicates what arsenal an attacker has and may give you limited attribution. That does not yield much for an enterprise, which can neither run an operation to destroy that cyber arsenal nor prosecute the attackers. Such work is better left to government organizations that already do it.

    Taking Stock of Your Risk & Security Profile

    A good enterprise intelligence operation must focus on how an attacker views your security tooling, so you can either strengthen your weaknesses or plant faulty information as decoys as part of a deception strategy. This all starts with a risk assessment, because it lets you prioritize your actions based on what will have the biggest impact in thwarting hostile intelligence operations against your infrastructure and people.

    With the risk assessment in hand, the next step is to obtain an external view of your digital footprint: in other words, which suppliers, clients and partners can be targeted and create additional risk for your organization? Who can be targeted to cause harm, not only to your company, but to everyone connected to you?

    Lastly, you must understand the risk that human error poses to the enterprise and focus on solving the non-technical aspects of the larger security culture problem. All of this happens by combining inside knowledge with outside digital chatter to determine how an adversary sees your organization.

    A Holistic Approach to Threat Intelligence

    I came to Mimecast because I saw a unique opportunity to combine over 12 billion emails, web and awareness training data into insights we can offer our customers—a fresh perspective on how a mature intelligence operation can deliver strategic business direction.

    Mimecast Threat Center draws insights and gives recommendations to our customers that extend beyond the noise of IoCs. Our ability to see exploitation before it is even recognized as a vulnerability, and to gather insight on the largest attack vector on the planet while tying that back to security culture, differentiates our Threat Center from traditional malware-focused threat intelligence operations. This data will be used to trend and baseline how attractive each industry is to today's attacker and how its digital footprint affects its risk.

    This removes the hurdle of customers having to collect, process and deploy IoCs on their own, letting them focus instead on the business directions that will do the most to operationalize their investments and set a strategic direction in security that senior leadership understands.

    Putting Customer Needs—and Actions—First

    By shifting your attention from the daily noise of post-breach threat intelligence (IoCs) to a solid, business-oriented threat intelligence program, you proactively close the holes that make you an attractive target and collectively raise the bar against your adversaries.

    To achieve this level of insight you need a strong understanding of your infrastructure, your external profile and, when looking at your security culture, the activity of the employees in the company.

    Whether a phishing campaign aims to harvest credentials or to implant malware, Mimecast's vulnerability and research teams can detect and prevent these attacks and also determine whether malicious intent or human error was involved. With research from the Threat Center, we can close the loop to drive user awareness and reduce human error.

    Today's rapidly evolving threat landscape demands a unique approach, and we hope to give the value of what we do every day back to our customers and the security community at large. Stay tuned for more from our team.
