
Boosting Your Threat IQ with Context

Computing pioneer Alan Kay once said, “Context is worth 80 IQ points.”  On the IQ scale, where average is about 100 and Einstein is 160+, context could propel you into the genius category pretty handily. For cybersecurity professionals who know that the industry has no shortage of threat data, context is the lever that turns threat data into threat intelligence.


In a previous column I described how the path to threat intelligence starts by organizing the multiple data feeds many organizations subscribe to and translating them into a uniform and usable format. This global threat data gives you some insight into activities outside of your enterprise. But to turn that data into intelligence you need to augment and enrich it with internal threat and event data. By correlating events and associated indicators from inside your environment (for example, from your security information and event management (SIEM) system, log management repository and case management systems) with external data on indicators, adversaries and their methods, you gain the context to understand the who, what, where, when, why and how of an attack. More specifically:

Who and what: The actors or groups behind the attack, if they are government sponsored, and what they typically target (size of organization, industry, geography).

When and why: Their motivation (financial, political, hacktivism) and intent (steal data, disrupt systems, extortion, make a statement) and if there is a particular trigger event that attracts their attention to a specific target (M&A activity, expansion, new technology adoption, cyclical activity).

How and where: The tactics, techniques, and procedures (TTPs) the adversaries use to make decisions, expand access and execute their objectives; their capabilities and the methods they employ be it exploit kits or other types of attacks “as a service” or the infrastructure they utilize; and what systems are targeted and possibly affected.
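
The correlation described above, as an added example that is not part of the original column: constructed external feed entries are merged per indicator and matched against constructed internal events, yielding records that carry the who, what, why, how, where and when. All actor names, field names, hosts and indicators are hypothetical (documentation IP ranges and example domains).

```python
from collections import defaultdict

# Constructed, already-normalized external feed entries (hypothetical actors and schema).
EXTERNAL_INTEL = [
    {"indicator": "198.51.100.23", "actor": "ACTOR-A", "targets": "healthcare",
     "motivation": "financial", "ttp": "exploit unpatched application server", "feed": "feed-1"},
    {"indicator": "198.51.100.23", "actor": "ACTOR-A", "targets": "healthcare",
     "motivation": "financial", "ttp": "lateral movement", "feed": "feed-2"},
    {"indicator": "login.example.net", "actor": "ACTOR-B", "targets": "government",
     "motivation": "hacktivism", "ttp": "phishing", "feed": "feed-1"},
]

# Constructed internal events, as exported from a SIEM or log repository.
INTERNAL_EVENTS = [
    {"time": "2024-01-10T02:14:00Z", "host": "app-srv-01", "observed": "198.51.100.23"},
    {"time": "2024-01-10T02:40:00Z", "host": "file-srv-07", "observed": "198.51.100.23"},
    {"time": "2024-01-10T03:05:00Z", "host": "wks-112", "observed": "192.0.2.50"},
]

def build_index(intel):
    """Merge feed entries per indicator so overlapping feeds add context, not duplicates."""
    index = {}
    for entry in intel:
        # First feed to mention an indicator sets actor/targets/motivation; later ones add TTPs.
        ctx = index.setdefault(entry["indicator"], {
            "who": entry["actor"], "what": entry["targets"],
            "why": entry["motivation"], "how": set(), "feeds": set()})
        ctx["how"].add(entry["ttp"])
        ctx["feeds"].add(entry["feed"])
    return index

def correlate(events, index):
    """Attach external context to internal events whose observed value is a known indicator."""
    enriched = []
    for ev in events:
        ctx = index.get(ev["observed"])
        if ctx:
            enriched.append({"when": ev["time"], "where": ev["host"], "indicator": ev["observed"],
                             "who": ctx["who"], "what": ctx["what"], "why": ctx["why"],
                             "how": sorted(ctx["how"]), "feeds": sorted(ctx["feeds"])})
    return enriched

def scope_by_actor(enriched):
    """Affected hosts per actor: where else the same adversary was seen inside the network."""
    scope = defaultdict(set)
    for rec in enriched:
        scope[rec["who"]].add(rec["where"])
    return {actor: sorted(hosts) for actor, hosts in scope.items()}

if __name__ == "__main__":
    hits = correlate(INTERNAL_EVENTS, build_index(EXTERNAL_INTEL))
    print(hits, scope_by_actor(hits))
```
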

The SamSam ransomware attack offers an example of the role of context in helping organizations understand how adversaries operate and make better decisions about how to deal with an attack.

Typically executed via an exploit kit or a phishing campaign, ransomware seeks to deny the targeted organization access to files or data unless they pay a fee for unlocking them. The SamSam ransomware variant, however, doesn’t rely on end-users clicking on a malicious link or attachment. It compromises unpatched servers, such as JBoss application servers, to gain a foothold in the network and then moves laterally to compromise additional machines which are held for ransom.

As was widely reported, SamSam appears to target the healthcare industry and was the variant used in March 2016 to compromise MedStar, the non-profit group that manages 10 hospitals in the Baltimore and Washington, DC area. The attackers requested 45 Bitcoins (about $18,500) to restore files they had encrypted on multiple Windows systems. MedStar didn’t pay the ransom because it had a backup of the files. It was also able to detect the attack early and prevent it from infecting additional systems. Soon after, the FBI issued a confidential warning that included indicators of compromise (IoCs) to help other security teams monitor for SamSam infections.

As you can see from this example, when context is applied correctly, you can begin to build an intelligence profile that describes your adversaries, their campaign methods, indicators of their actions, and events that occur. This also allows you to better detect and scope an attack that bypassed your existing layers of defense. It provides information such as what this specific threat actor’s attacks look like and where else they have gone inside the network.


Context transforms your threat data into intelligence. The next step is to use that intelligence for better decisions and action. In the SamSam example, that action included patching vulnerabilities, network segmentation and off-site backup solutions.

Einstein acted on his genius-level IQ to create the Theory of Relativity. With your threat IQ elevated you may not be able to invent a new way of looking at the world, but you’ll be ready to look at data in a new way and turn it into actionable intelligence.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
