Is Cyber Threat Intelligence becoming increasingly important in the battle against cybercrime?
By Dave Shackleford, SANS Analyst and Senior Instructor.
As the threat landscape continues to evolve and become more complex, and attackers take advantage of new vulnerabilities and techniques, security teams need all the help they can get to prevent, detect and respond to threats more effectively. Cyber Threat Intelligence (CTI) programmes are enabling organisations to gain better visibility into attacks, enhance their security operations and improve their ability to detect unknown threats. CTI is maturing as a discipline and, over the last three years, our annual SANS Cyber Threat Intelligence Survey has demonstrated its growing importance in improving organisations’ prevention, detection and response capabilities.
Many organisations are sharing details about attacks and attackers, and numerous open source and commercial options exist for collecting and integrating this valuable intelligence.
All of this has resulted in improvements in organisations’ abilities to enhance security operations and detect previously unknown attacks.
Consider ransomware, which remains one of the harder threats for organisations to defend against.
Known sites and indicators associated with ransomware are being shared through threat intelligence, allowing operations teams to quickly search for existing compromises and proactively block access from internal clients.
The old adage ‘prevention is better than cure’ is certainly relevant in the cyber domain, and ransomware is just one of the many types of attack that CTI helps prevent. For this reason, CTI is primarily being aligned with the Security Operations Centre (SOC) and tied into operational activities such as security monitoring, threat hunting and incident response.
In the most recent SANS CTI Survey, 81% of respondents stated that their cyber threat intelligence implementations have resulted in improvements, compared to 78% in 2017 and 64% in 2016. What’s more, 68% of respondents report using CTI this year and another 22% plan to introduce it in the future. Only 11% of companies have no plans to do so, down from 15% the previous year.
All of this indicates that CTI is becoming more useful overall, especially to security operations teams that are working hard to integrate intelligence into their prevention, detection and response strategies.