Parents think about threat intelligence all the time: “what could hurt our kid?” But what exactly do they worry about?
No doubt this changes as children age. There was a great article on NPR where the author of “The Paranoid Parents Guide” shared two lists.
A list of the top 5 things parents worry about, and a list of the top 5 things that actually hurt or kill children.
I know. It’s a grim topic. But it’s an important one because these lists are not the same!
It should come as no surprise that parents are worried about these things.
After all — this is what they see on the news all the time!
But here are the actual top 5 things parents should be worried about (the stuff that is statistically more likely to harm a child):
Homicide (usually committed by a person who knows the child, not a stranger)
Abuse
This is really important.
If you’re focused on protecting your children from kidnapping, dangerous strangers, and terrorists, then you are probably overlooking some simple things that you can do to actually protect your children — such as making sure they understand the importance of wearing a seat belt.
You might also brush off concerns about a relative, teacher, or other associate of the child who may pose an actual threat.
We can’t afford to make this mistake.
We face a similar problem in cybersecurity.
Sometimes people obsess over cybersecurity threats they heard about on the news and worry that the same will happen to them. Meanwhile, they ignore the threat that is most likely to impact them — brushing it off with “that only happens to large organizations.”
What is threat intelligence?
Threat intelligence is information about actual threats to your information systems and data which can be used to reduce the likelihood and/or impact of these threats.
Threat intelligence isn’t exclusive to cybersecurity either! Here’s a little story Dan Bjorklund, another vCISO Principal here at Fractional CISO, shared from a conversation with his local weatherman.
The local weatherman looked confused.
“Could you repeat that?”, he asked.
“You’re an intelligence officer”, repeated Dan.
The weatherman was still confused, so Dan explained further: “You provide information that people use to make decisions. That is intelligence.”
Maybe it’s because I’m a New Englander, but I check the weather report constantly and use that to inform my decisions. Do I need to bring an umbrella today? Will the temperature suddenly drop, making the roads turn to ice? Which day of the week will be the best day to go bicycling at lunch?
There is a lot of information out there. Not all of it is accurate or truthful. In order to qualify as “intelligence”, the information needs these qualities:
Relevant — If I give you intel that within the week there will be a cyber attack on the power grid in Taiwan, is that helpful to you? Maybe. It depends on your business.
Do you have offices in Taiwan?
Does your product depend on a key component that is only made in Taiwan?
Accurate and Reliable — If the intel is not consistently high quality, then you will lose trust in it and may have doubts when urged to take action on new intel.
Actionable — Can you actually use this information to do something? As noted in Luke 12:39, “If you knew what hour the thief was coming, you could prepare.”
Timely — Threat intel is most helpful when you receive it in advance of the threat taking action.
How to use threat intelligence
Threat intelligence varies widely in form and type. Some information is best digested by machines and can be used tactically. Other information is better leveraged by humans — either operationally or for making strategic decisions.
Indicators of Compromise (IoCs) are an example of a great piece of tactical intelligence that is available in machine readable formats.
IoCs might be consumed by your firewall, Intrusion Detection and Prevention Systems (IDS/IPS), Security Incident and Event Management (SIEM), email gateway, or other technology.
IoCs include such things as:
Windows Registry information
Names of processes/services
Using STIX (Structured Threat Information eXpression), a format for the exchange of threat intelligence, an analyst can take components of a known attack and tie them together to create an alert that a particular piece of malware is present or that an intrusion has taken place.
For example, all of the following may be known about a piece of malware:
Hash value of the executable
Known IP addresses used for command & control
And so a STIX object can be created that ties together these pieces of data and indicates that this malware is present on the device.
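As an added example (not code from the original post or from Fractional CISO), the following Python builds a minimal STIX 2.1 bundle that ties a malware object to two indicators, the executable’s SHA-256 and its command-and-control address, and then matches observed host data against the indicator patterns. The malware name, the hashed byte string and the 203.0.113.45 address are constructed sample values.

```python
import hashlib
import re
import uuid
from datetime import datetime, timezone

NOW = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
# Constructed sample values: a hashed byte string stands in for the executable,
# and the C2 address comes from the RFC 5737 documentation range.
SAMPLE_SHA256 = hashlib.sha256(b"constructed-sample-binary").hexdigest()
SAMPLE_C2_IP = "203.0.113.45"

def stix_id(obj_type):
    # STIX identifiers are "<type>--<UUIDv4>".
    return f"{obj_type}--{uuid.uuid4()}"

def stix_obj(obj_type, **props):
    # Common STIX 2.1 object fields plus the type-specific properties.
    return {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
            "created": NOW, "modified": NOW, **props}

def build_bundle():
    malware = stix_obj("malware", name="ExampleLoader", malware_types=["trojan"], is_family=False)
    indicators = [
        stix_obj("indicator", name="ExampleLoader dropper hash", pattern_type="stix", valid_from=NOW,
                 pattern=f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}']"),
        stix_obj("indicator", name="ExampleLoader C2 address", pattern_type="stix", valid_from=NOW,
                 pattern=f"[ipv4-addr:value = '{SAMPLE_C2_IP}']"),
    ]
    # "indicates" relationships are what tie the indicators to the malware.
    rels = [stix_obj("relationship", relationship_type="indicates",
                     source_ref=ind["id"], target_ref=malware["id"]) for ind in indicators]
    return {"type": "bundle", "id": stix_id("bundle"), "objects": [malware, *indicators, *rels]}

# Only the simple single-comparison patterns used above are matched here.
PATTERN_RE = re.compile(r"^\[(?P<path>[\w:.'-]+) = '(?P<value>[^']+)'\]$")

def match_observations(bundle, observed):
    """Return the names of malware indicated by any matching observed value."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    hits = set()
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel["relationship_type"] != "indicates":
            continue
        m = PATTERN_RE.match(by_id[rel["source_ref"]]["pattern"])
        if m and observed.get(m["path"]) == m["value"]:
            hits.add(by_id[rel["target_ref"]]["name"])
    return sorted(hits)

if __name__ == "__main__":
    bundle = build_bundle()
    print(match_observations(bundle, {"ipv4-addr:value": SAMPLE_C2_IP}))  # ['ExampleLoader']
```

Either indicator alone is enough to raise the alert, which is the point of tying both to the same malware object.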
By operational, we are referring to day to day operations of your security team.
Threat intelligence can inform your operations in a number of ways!
When you find out that a new vulnerability is being actively exploited — whether you hear about that from the Cybersecurity & Infrastructure Security Agency (CISA) or a vendor — your team may decide that this new risk level necessitates action. Your team may decide to take the impacted systems off the network until they can be patched, or they may put other security controls in place to protect these vulnerable systems.
Threat intel informs the incident response process as well. Some hacking groups have been known to react when there is indication that the security team takes certain actions. For example, when the security team shuts down the connection from the malware to the command and control server, that may trigger ransomware to begin encrypting systems.
Threat hunting is another activity that is informed by good threat intel. Because attackers have a long “dwell time” in the victim’s network (averages vary, but the 2022 IBM Cost of a Data Breach report gives an average value of 207 days to identify a breach), there is a real need to proactively look for signs of intrusion. Such proactive measures may limit the amount of damage caused by data exfiltration. Frequently one of the last acts of an attacker is to deploy ransomware to further monetize their work, as well as to cover their tracks.
Strategic Uses of Threat Intelligence
Organizations are not going to spend money on your cybersecurity program without justification.
Here is a fictional but realistic example of threat intelligence and how it is used to justify cybersecurity investment.
Example — “We need Security Awareness Training”
25% of our staff click on phishing emails
5% of staff actually get malware on their systems due to clicking
Each month this results in
45 hours of remediation efforts by IT
Lost productivity on the order of $4,000
Annually this is costing our company around $80,000
A quantitative risk assessment was performed and we have determined that there is also a 5% probability that a loss resulting from a phishing attack will exceed $1,000,000
Regular security awareness training and phishing exercises have been demonstrated to reduce click rates of staff. Our vCISO from Fractional CISO has projected that an annual investment of $25,000 in security awareness training will reduce our annual loss to $3,000. It will also reduce the probability of a large loss to 1%.
This expenditure of $25,000 will actually save over $50,000 per year!
Threat Intelligence Value
Clearly threat intelligence has value!
It can help you all the way from automated activities that happen in thousandths of a second, through security team operational actions, and all the way to the C-suite and the Board, where it is used to inform decision making.
How do I start gathering and using threat intel?
Start by making full use of the intelligence sources you already have! You may already be able to access more intelligence than you realize.
Here are just some examples of threat intelligence you may already have!
CISA’s Known Exploited Vulnerabilities Catalog
The OWASP Top Ten — Information about the most common types of vulnerabilities being exploited today. This list is updated regularly by the Open Web Application Security Project (OWASP).
DMARC (Domain-based Message Authentication, Reporting, and Conformance) reports — When there is an uptick in activity, this could be part of a broader cyberattack on your organization.
News from such reputable sources as The Cyberwire, Bruce Schneier, Krebs on Security, Security Weekly, Dark Reading, or SANS.
Anti-virus and anti-malware logs and dashboards
You might also have paid feeds for your firewall and other network security appliances.
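An added example (not from the original post) of turning one of these sources into tactical intelligence: the Python below parses a DMARC aggregate report, totals the messages per source IP that failed both SPF and DKIM, and flags sources whose volume jumps against a baseline built from earlier reports. The report, its domain, the IP addresses and the counts are all constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed DMARC aggregate report (RFC 7489 format) for an example domain:
# two legitimate senders authenticate, one source spoofs the domain 400 times.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>198.51.100.10</source_ip><count>850</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.20</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>400</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def unauthenticated_by_source(report_xml):
    """Count messages per source IP that failed both DKIM and SPF alignment."""
    root = ET.fromstring(report_xml)
    counts = Counter()
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        if pe.findtext("dkim") == "fail" and pe.findtext("spf") == "fail":
            counts[row.findtext("source_ip")] += int(row.findtext("count"))
    return counts

def flag_uptick(current, baseline_avg, factor=3.0, minimum=50):
    """Return sources whose unauthenticated volume is an uptick over baseline.
    baseline_avg maps source IP -> average failures per report seen earlier;
    an unseen source has baseline 0, so any volume above `minimum` is flagged."""
    flagged = {}
    for ip, n in current.items():
        base = baseline_avg.get(ip, 0)
        if n >= minimum and n > factor * base:
            flagged[ip] = n
    return flagged

if __name__ == "__main__":
    today = unauthenticated_by_source(SAMPLE_REPORT)
    print(flag_uptick(today, {"203.0.113.77": 20}))  # {'203.0.113.77': 400}
```

The SPF-only failure from 198.51.100.20 is deliberately not counted: DKIM still aligns, so it is most likely a forwarding quirk rather than spoofing.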
Information Sharing Organizations
There are a variety of information sharing organizations as well. Here are some of the main ones. Note that a couple of them are specific to the healthcare industry.
CISA — The Cybersecurity & Infrastructure Security Agency
InfraGard — “InfraGard is a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of U.S. Critical Infrastructure.”
National Council of ISACs — “Information Sharing and Analysis Centers help critical infrastructure owners and operators protect their facilities, personnel and customers from cyber and physical security threats and other hazards. ISACs collect, analyze and disseminate actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency.”
The Cyber Health Working Group — “The Cyber Health Working Group maintains a web-based platform which provides tools for its members to share cyber threat information and resources. It also hosts webinars focused on a specific cyber threat, training topic, best practice, or threat mitigation solution in the health sector.”
H-ISAC: Health Information and Sharing Analysis Center — “A global, non-profit, member-driven organization offering healthcare stakeholders a trusted community and forum for coordinating, collaborating and sharing vital physical and cyber threat intelligence and best practices with each other.”
Health Sector Cybersecurity Coordination Center (HC3) at HHS.gov
Respond to the right threats in the right way.
Threat intelligence may at first sound rather abstract, but as you can see it is essential to a cybersecurity program of any size.
You may have also come to realize that you use threat intelligence all the time!
Child kidnappings and nation-state hacks might both grab headlines and be very scary, but preparing for them may not make the most sense. Statistically, teaching your kids to swim and your employees to avoid phishing emails will better address the real risks you face.
Ultimately, good use of threat intelligence will have you responding to the right threats in the most appropriate way.