threat intelligence

THREAT OR TREAT

HOW ORGANISATIONS SHOULD BEST MANAGE, DETECT AND RESPOND TO A DATA BREACH IS AN ON-GOING QUESTION. BUT AN INTELLIGENCE-DRIVEN STRATEGY IS AN ESSENTIAL PART OF THAT
Security vendors should be applauded in many ways for their ability to take technology and security best practice that has been around for a long time, give it a fancy new name, and sell it as the new magic bullet, says David Peters, CTO, ANSecurity.
"Cyber Threat Intelligence is one such instance that, although it offers some benefits, is not a new concept and can be accomplished in more than one fashion. Even the most basic security controls, such as desktop anti-virus, use threat intelligence in the form of signature updates; URL blacklists are the same; even the regular advisories to patch applications and operating systems are effectively threat intelligence messages."
Many of the new breed of cyber threat intelligence (CTI) offerings are rather expensive, he adds, but there are alternatives that are effectively free. "For example, AlienVault Open Threat Exchange, when coupled with Palo Alto's MineMeld, can create a potent threat intelligence platform that can take both open source alerts and paid-for services to be fed into an effective system. This combination can feed dynamic firewall rules that can block known IP addresses which host threat actors. Building your own is feasible for most IT professionals and does not need a deep infosec background."
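The feed-to-firewall flow Peters describes, as an added Python example that is not from the article nor from AlienVault or Palo Alto code: take a constructed OTX-style indicator export, drop malformed entries and anything that overlaps internal or your own address space (a caveat that matters before an open feed is allowed to write firewall rules), emit a de-duplicated block list in the form an external dynamic list consumes, and check constructed firewall log lines against it. The pulse JSON, the log lines and the 198.51.100.128/25 "own range" are all assumptions made for the demonstration.

```python
import ipaddress
import json
import re

# Constructed sample shaped like an OTX-style pulse export (not a real feed).
SAMPLE_PULSES = json.loads("""[
 {"name": "pulse A", "indicators": [
   {"type": "IPv4", "indicator": "203.0.113.10"}, {"type": "IPv4", "indicator": "203.0.113.10"},
   {"type": "IPv4", "indicator": "10.0.0.5"}, {"type": "IPv4", "indicator": "999.1.1.1"},
   {"type": "domain", "indicator": "example.invalid"}]},
 {"name": "pulse B", "indicators": [
   {"type": "IPv4", "indicator": "198.51.100.7"}, {"type": "IPv4", "indicator": "198.51.100.200"},
   {"type": "CIDR", "indicator": "192.0.2.0/24"}]}]""")

# Ranges a feed must never make you block: RFC 1918, loopback, link-local and
# your own public space (198.51.100.128/25 is a hypothetical stand-in for it).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "198.51.100.128/25")]

def build_blocklist(pulses, never_block=NEVER_BLOCK):
    """Sorted, de-duplicated CIDRs suitable for a firewall external dynamic list."""
    nets = set()
    for pulse in pulses:
        for ind in pulse.get("indicators", []):
            if ind.get("type") not in ("IPv4", "CIDR"):
                continue  # domains and URLs belong on a separate list
            try:
                net = ipaddress.ip_network(ind["indicator"], strict=False)
            except ValueError:
                continue  # malformed indicator: drop it rather than poison the list
            if any(net.overlaps(x) for x in never_block):
                continue  # would block internal hosts or our own address space
            nets.add(net)
    return [str(n) for n in sorted(nets)]

LOG_RE = re.compile(r"src=(?P<src>[\d.]+) .*action=(?P<action>\w+)")
def find_hits(log_lines, blocklist):
    """Return (src, action) for log lines whose source is in a blocked network."""
    nets = [ipaddress.ip_network(c) for c in blocklist]
    hits = []
    for line in log_lines:
        if (m := LOG_RE.search(line)) and any(ipaddress.ip_address(m["src"]) in n for n in nets):
            hits.append((m["src"], m["action"]))
    return hits

# Constructed firewall log lines (key=value style) for the demonstration.
SAMPLE_LOG = [
    "2019-07-01T10:00:00Z src=203.0.113.10 dst=192.168.1.20 action=allow",
    "2019-07-01T10:00:05Z src=192.0.2.77 dst=192.168.1.21 action=deny",
    "2019-07-01T10:00:09Z src=8.8.8.8 dst=192.168.1.22 action=allow"]
```

An "allow" hit against a listed source is the signal that the list has not yet reached the firewall, or that the entry arrived after the connection; either way it is what an analyst should review before trusting the automation.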
FIRING ON ALL CYLINDERS

Where some of the CTI systems can shine is in the more specialist areas, such as Critical National Infrastructure, very large enterprises and organisations that use SCADA. "However, this is a realm where CTI should be used alongside a dedicated SoC and analyst as an aid, rather than a replacement for skilled infosec professionals," Peters advises. "Even in this space, there are national resources, such as GCHQ, which do sterling work in providing threat intelligence that both these more critical groups and other enterprises would be wise to regularly consult."
ATTACK TOOLS AT LARGE

"With the increased availability of high-quality, open-source attack tools, cyber aggressors can constantly evolve and utilise automated attack tools," points out Chris Doman, security researcher at AT&T Alien Labs. "For an organisation trying to defend itself from a barrage of these assaults, it can all become too much to handle, especially when you consider that security teams are already understaffed and overstretched." So, what can security professionals and organisations alike do to defend against these attacks?

First, Doman advises, start by fighting fire with fire. "If cybercriminals are using automation to their advantage, then so should organisations. Some tasks remain the preserve of humans - but there are still many simple time-consuming tasks that can be automated. This can alleviate the strain for security personnel who can fixate their time on more concerning matters." Secondly, share threat intelligence. "The last few years, we
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk