The concept of threat intelligence has existed in our world much longer than any computer has. Over 1000 years ago in The Art of War, Sun Tzu made some of the earliest known mentions of threat intelligence. One can see this in his chapter “The Use of Spies,” where he states that “foreknowledge about the enemy” is what enables a great general and wise ruler to strike and conquer.
The same can be said of today’s world, where social media participation and the ever-expanding network of IoT devices reach into every corner of our lives while collecting petabytes of data. In a time when the frequency and quality of attacks have drastically increased, having a proactive view of how your adversaries develop their tactics into strategies is imperative. The polymorphic phishing attack is a good example of this point. CISOs should adopt and apply a survivalist’s mantra: “experience helps, but preparation saves.” The underlying importance of threat intelligence can often be the difference between being breached and possibly ruining a company, versus having taken proactive measures to minimize the impact so that the company can return to working order as quickly as possible. As Richard Bejtlich wrote in The Practice of Network Security Monitoring, “it’s not if it happens, but when….” Most enterprises must employ some form of threat intel to protect their data, their brand value, and, most importantly, their customers.
So, what exactly are companies doing to better protect your data? In many enterprise environments it is typical to leverage various third-party threat intelligence feeds that align with the organization’s security operations. More sophisticated systems can stream directly into a Security Information and Event Management (SIEM) system as alerts. Typically these feeds are delivered through a software component with a GUI that draws on data sources including, but not limited to: intelligence on campaigns gathered from the dark web, network mapping and user behavioral analytics driven by AI, and Python programs that query the Twitter and Facebook APIs to proactively hunt for any mention of cybersecurity news or a potential malicious outbreak. In addition, within the information security department, threat intelligence manifests as a dedicated team of specialists typically called Threat Hunters. These are the individuals who work together as operators (using the techniques above) to create practical advantages within their respective environments and networks. Such roles are often not limited to one job, but rather span a wide range of capabilities (reverse engineering, forensics, incident response) that feed a continuous, integrated threat intelligence platform within a security operations team.
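The paragraph above describes feeds of indicators streaming into a SIEM as alerts. The following Python is an added example, not code from the original article or from any particular vendor product: it ingests a small indicator feed in a common CSV shape (type, value, confidence, source), normalizes and validates each entry, and then matches the indicators against JSON log events to produce SIEM-style alerts. The feed rows, the log lines, the field names (`dst_ip`, `domain`, `sha256`) and the confidence threshold are all constructed assumptions for the example; a real deployment would map them to its own log schema and feed format.

```python
"""Added example: match a threat-intel indicator feed against log events.

Feed entries, log lines and field names are constructed sample data,
not taken from any real feed or SIEM.
"""
import csv
import io
import ipaddress
import json
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample feed. The malformed IPv4 row is included on purpose to
# show that bad entries are dropped rather than poisoning the match table.
SAMPLE_FEED = """\
type,value,confidence,source
ipv4,198.51.100.23,90,sample-feed-a
ipv4,999.1.1.1,90,sample-feed-a
domain,bad-updates.example,80,sample-feed-a
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,95,sample-feed-b
domain,EXAMPLE.ORG,20,sample-feed-b
"""

# Constructed sample log events, one JSON object per line (placeholder hosts/IPs).
SAMPLE_LOGS = [
    '{"ts":"2024-01-01T10:00:00Z","host":"wks-12","dst_ip":"198.51.100.23","domain":"","sha256":""}',
    '{"ts":"2024-01-01T10:00:05Z","host":"wks-07","dst_ip":"203.0.113.9","domain":"cdn.bad-updates.example","sha256":""}',
    '{"ts":"2024-01-01T10:00:09Z","host":"srv-03","dst_ip":"203.0.113.10","domain":"docs.example.org","sha256":""}',
    '{"ts":"2024-01-01T10:01:00Z","host":"wks-12","dst_ip":"","domain":"","sha256":"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"}',
]

SUPPORTED_TYPES = ("ipv4", "domain", "sha256")


@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    confidence: int
    source: str


def normalize(ioc_type: str, raw: str) -> str:
    """Canonicalize an indicator value; raise ValueError if it is malformed."""
    value = raw.strip()
    if ioc_type == "ipv4":
        return str(ipaddress.IPv4Address(value))  # AddressValueError is a ValueError
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    if ioc_type == "sha256":
        value = value.lower()
        if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
            raise ValueError("not a sha256 hex digest")
        return value
    raise ValueError("unsupported indicator type: %s" % ioc_type)


def parse_feed(text: str) -> Dict[str, Dict[str, Indicator]]:
    """Parse a CSV feed into {type: {normalized_value: Indicator}}, skipping bad rows."""
    table: Dict[str, Dict[str, Indicator]] = {t: {} for t in SUPPORTED_TYPES}
    for row in csv.DictReader(io.StringIO(text)):
        try:
            ioc_type = row["type"].strip().lower()
            value = normalize(ioc_type, row["value"])
            confidence = int(row["confidence"])
        except (KeyError, ValueError, TypeError):
            continue  # malformed row: drop it, never let it into the match table
        existing = table[ioc_type].get(value)
        if existing is None or confidence > existing.confidence:
            table[ioc_type][value] = Indicator(ioc_type, value, confidence, row["source"].strip())
    return table


def match_log_line(table: Dict[str, Dict[str, Indicator]], line: str,
                   min_confidence: int = 50) -> List[dict]:
    """Return one alert per matching field of a single JSON log event."""
    alerts: List[dict] = []
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return alerts
    for ioc_type, field in (("ipv4", "dst_ip"), ("domain", "domain"), ("sha256", "sha256")):
        raw = event.get(field) or ""
        if not raw:
            continue
        try:
            observed = normalize(ioc_type, raw)
        except ValueError:
            continue
        # A domain indicator should also catch its subdomains, so walk up the
        # labels but stop before the bare TLD (e.g. "com") to avoid noise.
        candidates = [observed]
        if ioc_type == "domain":
            labels = observed.split(".")
            candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
        for candidate in candidates:
            hit = table[ioc_type].get(candidate)
            if hit and hit.confidence >= min_confidence:
                alerts.append({"ts": event.get("ts"), "host": event.get("host"),
                               "ioc_type": ioc_type, "indicator": hit.value,
                               "observed": observed, "confidence": hit.confidence,
                               "source": hit.source})
                break
    return alerts


def scan_logs(feed_text: str, lines: List[str], min_confidence: int = 50) -> List[dict]:
    """Parse the feed once, then run every log line through it."""
    table = parse_feed(feed_text)
    return [a for line in lines for a in match_log_line(table, line, min_confidence)]


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_FEED, SAMPLE_LOGS):
        print(json.dumps(alert))
```

With the default threshold of 50 the low-confidence `example.org` entry produces no alert for `docs.example.org`, which is the point of carrying a confidence score through from the feed: a noisy or low-quality indicator should not page an analyst on its own. Lowering `min_confidence` to 0 surfaces that fourth match, which is how the same table can feed a low-priority hunting queue rather than a real-time alert.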
There are no major “Threat Hunter” certificate programs (though minor ones are offered by proprietary technology vendors). Understanding and mastering the world of threat hunting and threat intel takes as much scientific and technological understanding as it does a passion for problem-solving and discovery. The best way to become proficient within this vast landscape is to immerse oneself in both the offensive and defensive sides of the field, i.e., Red and Blue Teaming (which can take the form of Capture the Flag [CTF] events). Having both perspectives on the cyber landscape allows the practitioner not only to think openly and abstractly about upcoming challenges but also to be technically equipped to withstand and deter what might be the next big hit.
In essence, developing a capable threat intelligence platform or team does not have to be a resource-intensive or tricky maneuver. With proper research and design, any organization or entity can significantly strengthen its security posture, decrease its exposure, and be operationally ready to respond to an incident the moment it occurs.