What are the Use Cases for Cyber Threat Intelligence?

No time to read? Listen to this episode here:

Before we jump into the business of the day, here are the cybersecurity news you might've missed this week:

• FBI analyst indicted for stealing classified cybersecurity documents. The US Department of Justice has recently charged Kendra Kingsbury, an analyst with the FBI's Kansas City Division for stealing classified documents and keeping them in her home. According to the indictment, the stolen documents contained all the FBI's strategies in countering cyber threats in the country. The documents also contained counterterrorism and counterintelligence methods in preventing external attacks. “The breadth and depth of classified national security information retained by the defendant for more than a decade is simply astonishing” said Alan E. Kohler, Jr. Assistant Director of the FBI’s Counterintelligence Division.

• DarkSide, responsible for the Colonial Pipeline hack, targets a UK insurance firm. The hacker group, DarkSide, is back with a bang after the Colonial Pipeline incident, as it targets a UK-based insurance firm, One Call Insurance. DarkSide has threatened to release the bank details and passwords of the customers of the insurance firm if they don't receive a £15 million ransom payment, so we suppose the business is going well.

• US-based Insurance company pays $40 million to hackers in a ransomware attack. Meanwhile, another insurance company, CNA Financial, has reportedly paid a whopping $40 million in ransom to regain access to its systems following a ransomware attack involving one of the biggest ransomware payments in history. According to a statement, CNA revealed that none of their external customers were directly affected due to the attack.

And now to the topic of the day.

What are the Use Cases for Cyber Threat Intelligence?

As evident from our weekly news snippets, your establishment should be sufficiently prepared for a data breach no matter the size or industry sector. A stunning report shows 23,000 distributed denial-of-service (DDoS) attacks are occurring on the Internet daily, putting a crippling halt to day-to-day operations, particularly for e-commerce, manufacturing, and healthcare businesses.

In the past few years, however, ransomware attacks are where it's at. Pretty much every institution is a target:

Public health: An October attack on the University of Vermont Medical Center cost about $64 million.

Local governments: A May 2019 attack on Baltimore cost $18.2M and took out the city's 911 dispatch system.

Schools: 57% of all attacks in August and September 2020 were on K-12 schools.

The downtime from an attack hovers at about 21 days, and even after paying a ransom, it takes an average of 287 days for an organization to fully recover.

This year, cybercrime will cost companies an estimated $6 trillion in direct costs - that is, excluding the resulting loss of business, dealing with customer backlash, and litigation. As the reactionary approach isn't cutting it, your organization should direct its' efforts (and budget) to proactive cyber risk mitigation.

Earlier this month, we’ve covered what Cyber Threat Intelligence is, along with the processes involved in its collection, dissemination, and actioning. Now, let's talk about specific areas where CTI can make a meaningful difference.

The Use Cases for Cyber Threat Intelligence

When implemented in a practical, hands-on manner, Cyber Threat Intelligence is used for the following purposes:

Incident Response

Being attacked, and knowing you're being attacked is not the same thing, as indicated by 2020's average breach identification time of 207 days. That’s enough time for bad actors to take down a system, harvest sensitive information, and move on to the next. In a world where cyber threats are increasingly real for businesses of all sizes, it has become necessary to respond to threats as quickly and efficiently as possible.

The problem with many security tools these days, however, is the continuously high degree of false positives when it comes to alerts and notifications. While non-CTI-backed alerts can drown your cyber incident response team in information, prompting them to investigate dead-ends, spend countless hours trying to identify and remove false positives, and ultimately face severe burnout, CTI program and tools helps achieve the following:

• Identify and automatically remove false positives.

• Provide alerts with threat level scores.

• Compare and contrast internal and external sources.

Notably, SIEM-compatible Cyber Threat Intelligence correlation tools like AEGIS™ can speed up this process handsomely using impressive machine learning and AI algorithms to process and filter information, and proving once again that information is power.

Vulnerability Management

A report reveals that 64% of companies worldwide have suffered some form of cyberattack in the past year. Instead of figuring out the specific exploitable vulnerabilities within the infrastructure and managing them in a risk-guided manner across individual asset categories, some organizations would rather overhaul the entire system, which costs more and doesn’t necessarily address the root cause in the long run.

Through cross-referencing vulnerability data with tactics, techniques, and procedures (TTPs) of threat actors, as well as past and current malware campaigns, Cyber Threat Intelligence provides crucial context that helps identify, risk-score and prioritize vulnerabilities that are likely to be exploited by the actual attacker. Addressing these weaknesses first provides a tangible advantage over ad-hoc vulnerability mitigation not grounded in the real world.

Risk Analysis

Any establishment with long-term prosperity as its goal will set up and evaluate risk models to prioritize investment options. The trick these days is to incorporate meaningful cyber threat data, driving meaningful conversations around the executive table.

Cyber threat intelligence provides detailed context to make any risk model robust and enable proper risk management. Such information can be crucial in cases where a company is pivoting or exploring a new industry vertical, type of product, or even a geographic region.

Let's say you are a midsize credit union that decided to increase customer convenience and retention by releasing a proprietary mobile app. Such action will inevitably increase your organization's attack surface and will expose it to new types of platform-specific exploits, even when done correctly, requiring not only awareness but proactive risk management measures to ensure a positive ROI.

Fraud Prevention

With CTI providing insights into the past, present and sometimes even future attacks swimming around in the Dark Web, financial and identity fraud prevention become more straightforward.

When data is compromised, some threat actors will post it for sale on dedicated forums or website marketplaces. Such data can include a full personal profile for identity theft purposes, or something more targeted, such as credentials to a bank account or an email. Each can fetch a handsome price, depending on the potential payout.

Constantly monitoring these sources for your customers' and employees' information, and acting upon it, can be crucial - particularly for companies handling incredibly sensitive and valuable Protected Health Information, or working with VIPs.

Like this content? Subscribe to our newsletter to get weekly cybersecurity insights and top news - straight to your mailbox!