Why Organizations Need to Start Supporting Cyber Threat Intelligence (CTI) Programs.

Henry Awere
Published in The Startup, Jul 8, 2020


Introduction.

In recent years the scale and sophistication of cyber-attacks have increased sharply. Evolving threats are causing havoc for public and private sector organizations and for the information security professionals charged with defending their information assets against threat actors. Part of that growing sophistication comes from improvements in technology, but much of it can be attributed to the involvement of nation-states in cyberspace, either by participating directly or by funding proxy groups. The frequency and sophistication of attacks have raised awareness among cybersecurity professionals, and the industry as a whole has recognized the need for collaboration and for the sharing of cyber threat intelligence (CTI).

“Sharing CTI between different organizational entities is a collaborative effort to improve one’s cyber defence posture by leveraging the capabilities, knowledge, and experience of the broader cybersecurity community”. Cyber threat intelligence helps organizations improve their security programs by providing them “insights into the mechanisms and implications of threats, allowing them to build defence strategies and frameworks, and reduce their attack surface with the end goals of mitigating harm and protecting their network”. The main goal of cyber threat intelligence is to give organizations a thorough understanding of what is happening outside their network, and with it a clearer view of which cyber threats pose the greatest risk to their infrastructure.

State-sponsored groups are usually very well funded and can sustain protracted campaigns against their chosen targets until they achieve their strategic objectives; such groups are known as advanced persistent threats (APTs). APT campaigns may be run by foreign intelligence agencies, by state-sponsored groups, or by well-funded organized crime groups. Given the risk these threats represent, organizations increasingly need to rethink their security programs in order to respond to this type of adversary.

COVID-19 has created ideal conditions for APT groups to exploit, because of the fear and uncertainty the pandemic has created. The increased use of connected devices and the adoption of telework policies have also opened many new attack vectors. The Center for Strategic & International Studies (CSIS), whose incident timeline tracks cyber-attacks on government agencies, defence and high-tech companies, and economic crimes with losses of more than a million dollars, noted in June that North Korean state hackers sent COVID-19-themed phishing emails to more than 5 million businesses and individuals in Singapore, Japan, the United States, South Korea, India and the UK in an attempt to steal personal and financial information. Similarly, cybercriminals stole $10 million from Norway’s state investment fund in a business email compromise scam that tricked an employee into transferring money to an account controlled by the attackers.

Governments and Public Sector Organizations Under Attack By State-Sponsored Groups.

Australian Prime Minister Scott Morrison recently announced that the country’s government and its institutions were being targeted by ongoing, sophisticated state-based cyber-attacks, adding that the activity was pervasive and affected “all levels of government” as well as providers of essential services. The attacks had been ongoing for several months, and Mr. Morrison said he wanted to raise public awareness and urge businesses to improve their cyber defences. He stressed that the same “malicious” activity was being seen globally and was not unique to Australia. Although governments around the world have invested in their own defences, comparatively little has been done over the years to safeguard businesses and the wider public.

Cybercrime is now one of the most pressing issues facing governments and public and private sector organizations around the world. Accenture’s annual report on the cost of cybercrime found that organizations are spending more than ever to deal with the costs and consequences of increasingly sophisticated attacks, yet the average cost of cybercrime per organization keeps rising: from US$11.7 million in 2017 to US$13.0 million in 2018, an increase the report put at US$1.4 million.

The rise in APT attacks presents a major challenge for organizations of all sizes. Given the resources these groups possess, even companies with significant security budgets struggle to defend against them. In February, the US Department of Defence confirmed that “computer systems controlled by the Defence Information Systems Agency (DISA) had been hacked, exposing the personal data of about 200,000 people. The agency oversees military communications including calls for US President Donald Trump”. If an organization of that standing can be breached, organizations with far fewer resources cannot expect to withstand a targeted campaign unaided.

What Is Threat Intelligence?

Threat intelligence, specifically, is the collection and analysis of information about indicators of past, current and future cyber threats, enabling an organization to take action to protect its assets, its network and the enterprise as a whole. It also allows organizations to answer questions about past attacks: who is behind them? What is the motive? What is the attack vector? What vulnerabilities were exploited? Is our environment secure enough? What do we need to do? Answering these questions in advance, and being aware of the tendencies of threat actors, helps mitigate attacks.

The expansion of cyberspace has introduced many new attack vectors that can be exploited. Timely and accurate information is therefore critical in the fight against advanced persistent threats and other threat actors. Gathering intelligence is difficult for any single organization, because no single agency can have a complete picture of threat activity. For companies to succeed in the era of APTs, cyber threat intelligence sharing between organizations will play a critical role in the defences of organizations of all sizes, and domestic and international public/private partnerships will be required for an effective security program and strategy.

The “benefits of threat intelligence include improved efficiency and effectiveness in security operations in terms of detective and preventive capabilities”. Threat intelligence is about providing timely information that organizations can use to make informed decisions, which can then be translated into actionable steps to prevent or reduce the risk of an attack.

The ability of organizations to share information about adversaries’ specific techniques and threats is a useful tool because security teams can use that information to emulate known threat actors. Threat actor emulation is an important component of any security program because it “focuses on the ability of an organization to verify detection and/or mitigation of the adversarial activity at all applicable points in the attack lifecycle”.

Collective security is important, but the ability of organizations to receive that information as real-time data is vital: it helps prevent or reduce the risk of an attack, and it allows organizations to identify and assess defensive gaps in their security program across the entire enterprise. A defensive gap assessment allows an organization to identify “what parts of its enterprise lack defences and/or visibility. These gaps represent blind spots for potential vectors that allow cybercriminals to gain access to organizations networks undetected or unmitigated”.
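As an added, illustrative example (it is not code from the article or from any of the sources it quotes), the following Python turns a shared intelligence feed into the two things the paragraphs above describe: matches of partner-supplied indicators against local logs, and a defensive gap assessment listing which partner-reported techniques have no local detection at all, i.e. the list a team would start emulating. The partner name, the “APT-X” attribution, indicator values, log lines and detection-rule names are all constructed for the example; the MITRE ATT&CK technique IDs are real identifiers.

```python
"""Acting on a shared CTI feed: match partner indicators against local logs,
then assess which partner-reported ATT&CK techniques have no local detection.

Constructed for this example: partner name, "APT-X" attribution, indicator
values, log lines and rule names. The ATT&CK IDs are real identifiers.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, NamedTuple, Set


@dataclass(frozen=True)
class Indicator:
    kind: str       # "domain", "ipv4" or "sha256"
    value: str      # stored in normalized form (see normalize)
    technique: str  # ATT&CK technique ID the sharer attached to it
    source: str     # who shared it


def normalize(kind: str, value: str) -> str:
    """Canonical form so letter case or a trailing dot never defeats a match."""
    v = value.strip().strip('"').lower()
    if kind == "domain":
        v = v.rstrip(".")
    elif kind == "sha256" and not re.fullmatch(r"[0-9a-f]{64}", v):
        raise ValueError(f"malformed sha256: {value!r}")
    return v


def indicator(kind: str, value: str, technique: str, source: str = "partner-isac") -> Indicator:
    return Indicator(kind, normalize(kind, value), technique, source)


# Constructed feed, as a partner might share it about "APT-X".
SHARED_FEED = [
    indicator("domain", "Update-CDN-Check.example.", "T1071.001"),
    indicator("ipv4", "203.0.113.77", "T1071.001"),
    indicator("sha256", "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", "T1566.001"),
]
# Techniques the partner's report attributes to the group, with or without an IOC.
PARTNER_TECHNIQUES = {"T1566.001", "T1071.001", "T1059.001", "T1003.001"}
# Which ATT&CK technique each local detection rule was written for (constructed).
LOCAL_DETECTIONS = {"proxy-known-c2-domain": "T1071.001", "powershell-hidden-window": "T1059.001"}
# Which log fields carry which kind of observable.
FIELDS_BY_KIND = {"domain": ("host", "qname", "sni"), "ipv4": ("dst",), "sha256": ("sha256",)}
# Constructed key=value log lines from proxy, DNS, EDR and firewall sensors.
LOG_LINES = [
    "ts=2020-07-08T09:12:04Z type=proxy src=10.20.1.15 host=update-cdn-check.example. action=allow",
    "ts=2020-07-08T09:12:05Z type=dns src=10.20.1.15 qname=mail.corp.example rcode=NOERROR",
    'ts=2020-07-08T09:13:40Z type=edr endpoint=ws-0142 event=file_write sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08 path="C:\\Users\\j.doe\\Downloads\\invoice.docm"',
    "ts=2020-07-08T09:15:01Z type=fw src=10.20.1.15 dst=203.0.113.77 dport=443 action=allow",
    'ts=2020-07-08T09:15:30Z type=edr endpoint=ws-0142 event=process cmdline="powershell.exe -w hidden -nop"',
]


class Hit(NamedTuple):
    line_no: int
    field: str
    indicator: Indicator


def parse_kv(line: str) -> Dict[str, str]:
    """key=value tokenizer; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def match_indicators(lines: Iterable[str], feed: Iterable[Indicator]) -> List[Hit]:
    """Every (line, field) whose normalized value equals a shared indicator."""
    lookup = {(i.kind, i.value): i for i in feed}
    hits: List[Hit] = []
    for n, line in enumerate(lines):
        fields = parse_kv(line)
        for kind, names in FIELDS_BY_KIND.items():
            for name in names:
                if name not in fields:
                    continue
                try:
                    key = (kind, normalize(kind, fields[name]))
                except ValueError:
                    continue  # a field that is not a well-formed hash cannot be a hit
                if key in lookup:
                    hits.append(Hit(n, name, lookup[key]))
    return hits


def coverage_assessment(reported: Set[str], detections: Dict[str, str]) -> Dict[str, List[str]]:
    """For each reported technique, the local rules that cover it (possibly none)."""
    by_technique: Dict[str, List[str]] = {t: [] for t in sorted(reported)}
    for rule, technique in detections.items():
        if technique in by_technique:
            by_technique[technique].append(rule)
    return by_technique


def coverage_gaps(reported: Set[str], detections: Dict[str, str]) -> List[str]:
    """Reported techniques with no detection at all: the emulation to-do list."""
    return [t for t, rules in coverage_assessment(reported, detections).items() if not rules]


if __name__ == "__main__":
    for hit in match_indicators(LOG_LINES, SHARED_FEED):
        i = hit.indicator
        print(f"line {hit.line_no}: {hit.field}={i.value} ({i.kind}, {i.technique}, from {i.source})")
    print("uncovered techniques:", coverage_gaps(PARTNER_TECHNIQUES, LOCAL_DETECTIONS))
```

Two details carry the point of the paragraphs above. The last constructed log line (a hidden-window PowerShell launch) matches no indicator, which is why the gap assessment works on techniques rather than on IOCs alone: the feed's hashes and domains will be rotated long before the group changes how it operates. And the assessment reports T1003.001 and T1566.001 as uncovered even though one of the hits is the T1566.001 attachment hash, because a one-off indicator match is not a standing detection; the gap list is what the team should emulate and write rules for.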

Conclusion

Collective cyber threat intelligence enables organizations to build in-depth knowledge of cyber threats and threat actor behaviours; such information can include “malware, tools, TTP, tradecraft, behaviour, and other indicators that are associated with known APT threats”. Equipped with this knowledge, those in charge of security programs can identify similar patterns across a broad range of groups and map their security posture more effectively.

Understanding how various groups use the same technique allows security teams to focus on the most impactful defences. Another reason cyber threat intelligence matters is that looking at multiple data sets across different organizations allows security teams to spot trends. Trendspotting is a critical part of any security program because the threat is similar across industries and countries.

Of course, collective threat intelligence sharing across different sectors comes with many challenges. There are legal and regulatory implications organizations have to consider. Some of the information shared will be closely related to the core business of the firms involved, which presents the distinctive challenge of combining collaboration with competition. Participating organizations will need to maintain their competitive edge, protect their commercial interests and intellectual property, and comply with all applicable local laws and regulations. But these challenges are trivial in comparison to what organizations will face if they don’t radically rethink how they address APT threats.


Henry Awere is the Founder of Strategic Consulting Inc. He holds a Master's degree in Public Policy and a Postgraduate Certificate in Cyber Security.