The power of the technology to defend our IT systems is only as good as our ability to evolve it in the face of ever-changing adversary tradecraft
After over 20 years in cybersecurity, I firmly believe that technology alone has not, and will not, win the war on cyberattacks. The idea of a purely technical solution providing lasting protection is flawed from the outset. The claims of security vendors that only bring technology to the cyber fight is the equivalent of a sheep in wolf’s clothing. It sounds great and looks convincing, but almost never lives up to the hype. Now, I am not saying that technology is not important, even critical, in this fight. It is critical if it is informed properly.
As attack surfaces grew and the exploitation of IT systems became known, and eventually mainstream, the importance of threat intelligence became clear. This insight is still critical today and provides an important service to companies that want to understand their attack surface or have experienced a breach. Today, we also recognize that threat intelligence in continuum and combined with technology is also critical.
Cyber threat intelligence has a few key principles it must follow for it to be effective. I will approach this from an email security perspective since that is the area in which I am most involved.
1. Threat intelligence sources must be agnostic to vendor technology
If you only get threat intelligence from your email filtering or secure email gateway (SEG) vendor, you are missing huge swaths of threats. SEG vendors are happy to report the threats they caught but undercut their own reputation by highlighting threats they miss. Similarly, you cannot depend solely on the vendor that provides your mail client or mail service to provide quality indicators of compromise (IOCs). A range of sources is needed, and ideally, you should get your data from across vendors and platforms.
2. Your user base is a valuable source of intelligence for your enterprise
The recipients of emails are where threats are seen first. Therefore, a well-trained workforce that reports the threats that reach their inboxes is gold and represents the tip of the spear in phishing tactics and tradecraft. These threats traversed your technology defenses and made it to the victim. If your userbase can report these threats quickly and easily, and your Security Operations Center (SOC) teams can respond, you can get on top of these emerging threats. So, ask yourself if your insight into phishing threats is informed by your user base as well as other users across the globe. Do you have a suspicious email reporting mechanism? Do you train your employees to recognize today’s phishing threats? Do you encourage reporting across your workforce rather than discourage it through punitive programs? All these factors make an enormous difference in how much knowledge you have coming to you and how diverse and timely it is.
3. Threat intelligence must be timely and actionable
Threat intelligence that is indecipherable, lacking context, late, in a complex format, or unable to be ingested where it is needed is worthless. It can be more than worthless because it can distract critical resources and waste your employees’ time. Threat intelligence feeds, and the tools that consume them, must be properly aligned with each other and with the current landscape. This highlights the importance of putting in place an approach to catch emerging threats that made it past email filters, like SEGs, to ensure that vulnerabilities do not create a costly blind spot for your organization. Utilizing your own workforce as sensors ensures timely awareness of bad emails that made it into employee inboxes and enables your SOC or managed service provider to get to work faster. Then, implementing an internal process to distribute these insights throughout your entire technology stack empowers you to become your own source of highly relevant intelligence stemming from actual threats that targeted your organization. And with this intelligence, you can apply it to your organization’s training programs, such as phishing simulations, to make these important exercises more relevant.
I am very much a technologist that loves building great products. I also believe technology alone will not solve cyberattacks. I know the power of the technology we build to defend our IT systems is only as good as our ability to evolve it in the face of ever-changing adversary tradecraft. Therefore, vendor agnostic technology, married with actionable, globally-sourced, and continually evolving intelligence, augmented by humans, is needed to defend our enterprises.