Endlessly responding to security events without solid threat intelligence can provide a false sense of security.

The current pandemic has created significant challenges and disruptions for many organizations, not the least of which has been finding a way to allow employees to work from home, often using personal devices. Unfortunately, cybercriminals thrive in times of disruption, and the need to respond to cyber threats has never been greater.

While some organizations were better prepared to handle this change, there have been many others that needed to adapt rapidly. Said Jason Rivera, Director, Strategic Threat Advisory Group, Global, CrowdStrike, Inc: “When responding to threats during periods of uncertainty, it is critical to first understand the challenges rather than default to the cybersecurity professional’s tendency to solve problems that perhaps aren’t fully understood.”

Avoid spinning your wheels

Without a depth of understanding of threats they are facing, security teams can end up inefficiently spinning their wheels trying to solve problems, which can all too often result in wasted resources or, as Rivera describes, “developing a false sense of security and building a security posture that by and large is not designed to address the actual threats that we face as organizations.”

Looking back at the past few months, there is much to learn about how to respond to threats in better ways. Rivera said it is important to engage “in a much greater degree of thought around the threats we are likely to face as well as the need to prioritize which threats we must address first.” Understanding your organization and the adversaries you are likely to face will shed light on which threats are top priorities.

Explained Rivera: “It is somewhat like the scientific method, where first we seek to obtain a broad understanding of the problem we are trying to solve, issue a hypothesis, and then test our hypothesis against real world threats.”

Every situation is different

As with most things in security, there is no magic potion that will curb all your threats, but knowing which threats to prioritize can be somewhat situational, according to Abhishek Kumar, Director, Security Intelligence & Engineering, Microsoft’s India Development Center.

“The situation faced by each organization could be unique but there are some measures that every organization must take to safeguard their security posture,” said Kumar. “Start with running security awareness campaigns.”

Based on the telemetry statistics, Kumar saw a significant jump in COVID-themed attacks, particularly phishing attacks, and scams. “Organizations must continue to run user security awareness campaigns to minimize the possibility of any employees falling into traps and attacks; at the same time advise employees to take extra care to protect organizational data,” Kumar said. Strengthening user authentication, enhancing device protection and securing remote connectivity are additional measures that can help to safeguard your security posture.

Threat intelligence builds cyber resilience

Threat intelligence allows organizations to be proactive in their security posture. Without it, Rivera said, “they are endlessly responding to security events without understanding the context behind them nor having a predictive understanding of what might come next.”

When alerts overwhelm security teams, the latter waste too much precious time chasing false or benign positives, but threat intelligence, when used properly, brings the right alerts to the fore to enable security teams to both defend organizational assets and improve resilience. Threat intelligence improves your ability to make proactive and informed decisions.

According to Mei Nelson, Security Principal at Accenture Security, from a strategic, operational, and tactical level, threat intelligence drives an organization’s cyber defense missions to improve decision making and resilience against cyberthreats. “At the strategic level, an organization’s cyber defense mission should focus on developing ideas and infrastructure to achieve leadership objectives, such as business vision, policies, strategies and investment to achieve mission and goals,” Nelson said.

“Cyber threat intelligence can shed light on the understanding of identities, motivations, intentions, capabilities, constrains, limitations, and locations of threats to facilitate an organization apportioning security investment, realigning organization priorities, assessing risks of organizational changes and evaluating market changes,” he continued.

Only useful if deployed correctly

Cyber defense at the operational level is centered around planning and executing strategies, operations, and deciding how to deploy resources. “Cyber threat intelligence defines how much and what data to gather, what language resources to hire or outsource to enhance the intelligence process, and what threat actor tactics, techniques and procedures (TTPs) are actionable,” Nelson said.

Built around planning and executing tasks and engagements, the tactical level of cyber defense includes, “crafting threat hunting signatures and intrusion detection system (IDS) alerts, blocking malicious traffic at a firewall, and incident response and event analysis. Cyber threat intelligence in this level focuses on adversary TTPs and indicators of compromise (IoCs) such as malicious IP addresses, domains, file hashes, email senders,” explained Nelson.

According to Kumar, what is most important for organizations to remember is that threat intelligence is only useful if deployed and used in the right way, which means having a feed of relevant data sets, a platform to aggregate the data, and a means to integrate threat intelligence with the security technologies.