
Security for Businesses with Limited IT Resources Part 1

Fri, 28 Jun 2019

This is the first blog in a four-part series that will explore how you can strengthen your own organization's cybersecurity. Each of the four topics covered (threat intelligence; detection and analytics; adversary emulation and red teaming; and risk assessment for your company's protection) will be filled with practical cyber techniques for companies that have limited IT resources and analysts. At ISA, we aim to protect the cyber presence of all Canadian businesses. The safer your company's cyber presence is, the safer all Canadian cyber is.


Part 1: Threat Intelligence

The old proverb that the best defence is a good offence is just as true in cybersecurity as it is in any other situation. Threat intelligence in cybersecurity is about knowing what type of adversary you're facing and what actions your adversaries are likely to take and then using that knowledge as the basis for more informed decision-making and the prioritization of your security needs.

The definition, according to Gartner: "Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject's response to that menace or hazard."[i] 

Threat intelligence is usually subdivided into three categories: strategic, tactical, and operational.

Strategic: The focus is on broader cyber trends and is typically meant for non-technical audiences. 

Strategic threat intelligence offers an overview of a company's threat landscape and is predominately used to inform executives and shareholders and assist with high-level decision-making. Therefore, strategic threat intelligence usually uses less technical language and is presented in report format. Strategic intelligence gives insight into areas such as geopolitical trends, threat group tactics, and risks associated with potential company actions. 

Although generally presented in non-technical terms, robust strategic intelligence involves a great deal of research and data. To create strategic threat intelligence, look at sources such as policy documents from government organizations, news and industry-specific publications from subject-matter experts, white papers and research reports, and content produced by cybersecurity organizations.

Tactical: Gathered information outlining the tactics, techniques and procedures (TTPs) of threat groups and threat actors, meant for a more technical audience.

Tactical threat intelligence should help cyber defenders understand, specifically, how their organization may be attacked and the best means to defend against or mitigate those attacks. Unlike strategic threat intelligence, tactical intelligence contains technical language and is used directly by the personnel involved in the cyber defence of a company, such as the IT department.

Materials produced by cybersecurity vendors and firms are usually the simplest way to garner tactical threat intelligence. Look for information on attack vectors, tools, and infrastructure that threat groups are using, including specific insights into what vulnerabilities are being targeted, what exploits threat groups are leveraging, and what strategies they are using to avoid detection.

Tactical intelligence should be used to improve existing cybersecurity controls and to improve incident response.

Operational: Intelligence about specific campaigns, events and attacks that gives incident response teams unique insight into particular attacks.

Operational threat intelligence (also referred to as technical threat intelligence) includes technical information such as the attack vector used, the network vulnerabilities being exploited, or the command and control domains in use. Technical knowledge is usually extracted from threat data feeds, which often centre on a single indicator type, such as malware hashes.
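The most direct use of operational intelligence is to match the indicators a feed supplies (domains, file hashes, IP addresses) against the telemetry you already collect. The script below is an added example, not code from the ISA post or from any feed vendor: the indicator feed, the DNS resolver lines, the process-start records and the flow records are all constructed inline, and the domain, hash and address values are placeholders (reserved `.test` and TEST-NET ranges), not real indicators of compromise.

```python
"""Match an operational threat-intelligence feed against local telemetry.

Added example for the ISA post; every indicator and log record below is
constructed for illustration and refers to no real infrastructure or malware.
"""
import hashlib
import re
from collections import defaultdict

# Hash of a constructed "sample" so the feed and the process log agree.
CONSTRUCTED_MALICIOUS_HASH = hashlib.sha256(b"constructed malicious sample").hexdigest()

# Constructed indicator feed: one entry per indicator type, as single-indicator
# feeds typically deliver them. Values are placeholders, not real IoCs.
INDICATOR_FEED = [
    {"type": "domain", "value": "update-check.example-c2.test", "source": "constructed feed A"},
    {"type": "sha256", "value": CONSTRUCTED_MALICIOUS_HASH, "source": "constructed feed B"},
    {"type": "ipv4", "value": "203.0.113.45", "source": "constructed feed A"},  # TEST-NET-3
]

# Constructed telemetry: resolver log lines, EDR-style process starts with
# file hashes, and flow records.
DNS_LOG = """\
2019-06-28T09:12:01Z host=ws-07 query=www.example.com type=A
2019-06-28T09:12:09Z host=ws-07 query=update-check.example-c2.test type=A
2019-06-28T09:13:44Z host=ws-12 query=cdn.example.net type=A
"""
PROCESS_LOG = [
    {"host": "ws-07", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "sha256": CONSTRUCTED_MALICIOUS_HASH},
    {"host": "ws-12", "image": r"C:\Windows\System32\notepad.exe",
     "sha256": hashlib.sha256(b"benign constructed file").hexdigest()},
]
NETFLOW = [
    {"host": "ws-07", "dst": "203.0.113.45", "dport": 443},
    {"host": "ws-12", "dst": "198.51.100.7", "dport": 443},  # TEST-NET-2
]

DNS_RE = re.compile(r"host=(?P<host>\S+) query=(?P<query>\S+)")


def index_feed(feed):
    """Build {indicator_type: {value: indicator}} so every lookup is a dict hit."""
    idx = defaultdict(dict)
    for ind in feed:
        idx[ind["type"]][ind["value"].lower()] = ind
    return idx


def match_telemetry(feed, dns_log, process_log, netflow):
    """Return one hit per telemetry record that matches a feed indicator."""
    idx = index_feed(feed)
    hits = []
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m and m["query"].lower() in idx["domain"]:
            hits.append({"host": m["host"], "type": "domain", "value": m["query"],
                         "source": idx["domain"][m["query"].lower()]["source"]})
    for rec in process_log:
        if rec["sha256"].lower() in idx["sha256"]:
            hits.append({"host": rec["host"], "type": "sha256", "value": rec["sha256"],
                         "image": rec["image"],
                         "source": idx["sha256"][rec["sha256"].lower()]["source"]})
    for flow in netflow:
        if flow["dst"] in idx["ipv4"]:
            hits.append({"host": flow["host"], "type": "ipv4", "value": flow["dst"],
                         "source": idx["ipv4"][flow["dst"]]["source"]})
    return hits


def hosts_with_multiple_indicator_types(hits):
    """Hosts that tripped more than one indicator type should be looked at first."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["host"]].add(h["type"])
    return sorted(host for host, types in by_host.items() if len(types) > 1)


if __name__ == "__main__":
    found = match_telemetry(INDICATOR_FEED, DNS_LOG, PROCESS_LOG, NETFLOW)
    for h in found:
        print(f"{h['host']}: {h['type']} {h['value']} (from {h['source']})")
    print("prioritize:", hosts_with_multiple_indicator_types(found))
```

A single hit on one indicator type is often a false positive (a blocked resolver lookup, a shared hosting address); the last function ranks hosts by how many independent indicator types corroborate each other, which is a cheap triage signal for a one-person security team.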

Taking Care of Your Business 

For a company with just one or two analysts or limited IT resources, the best place to start is researching threat groups or threat actors specific to your industry. For instance, Hidden Cobra (also known as Lazarus Group and the Guardians of Peace) is a North Korean hacking group that targets organizations with valuable intellectual property, such as aerospace, critical infrastructure and financial organizations. The Gorgon Group is based in Pakistan and often targets government agencies in North America and the United Kingdom.[ii] APT 19 is a threat group based in China that has targeted pharmaceutical, high-tech and telecommunications companies.[iii] There are many more; this is just a small sampling.

Cyber adversaries are grouped into sets of similar intrusion activity and tracked under a common name in the cyber community, for example the above-mentioned APT 19, Hidden Cobra or the Gorgon Group. Analysts track cyber activities using a variety of analytical methods and categorize them under terms such as threat actors (individuals), threat groups, intrusion sets and intrusion campaigns.

Corporations, like our partners FireEye and McAfee, often publish information about threat groups. FireEye's published list of advanced persistent threat groups and their behaviours is an example of the sort of information that you need to know to protect yourself. Staying abreast of who is currently targeting your industry, and how, can help you protect your organization.

Taking the information and making it actionable:

  • Compile the knowledge gained. At the very least, create a strategic threat intelligence report to circulate amongst shareholders.
  • Give it to your defenders (whoever is in charge of your cybersecurity). For instance, let your cyber team (or person) know about the specific Registry run key that a threat group has used, and that they should be monitoring the Registry for new or unfamiliar run keys that aren't expected.
  • Often, the threat actors’ way in is through socially engineered phishing or whaling schemes, so educating employees about what to look for, focusing on the specific ways the groups targeting your industry are getting in, is vital.
  • Start exploring specific detection and mitigation techniques (blog two of this series will examine these topics).
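The run-key advice in the list above turns into a concrete, repeatable check once you keep a reviewed baseline of the autorun entries you expect on each host. The script below is an added example, not code from the ISA post: it parses a `reg query`-style export of the two common `Run` keys, diffs it against a baseline, and flags entries that are new, changed or missing. The baseline and the export are constructed inline; a real deployment would feed in exports collected from each workstation, and the user-writable-path heuristic is the author's own coarse rule, not a rule from the post.

```python
"""Flag new or unfamiliar Registry Run-key entries against a reviewed baseline.

Added example for the ISA post. BASELINE and CURRENT_EXPORT are constructed
stand-ins for a reviewed allowlist and for `reg query` output from a host.
"""
import re

RUN_KEYS = (
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
)

# Constructed baseline: entries the IT team has reviewed and expects to see.
BASELINE = {
    (RUN_KEYS[0], "SecurityHealth"): "%windir%\\system32\\SecurityHealthSystray.exe",
    (RUN_KEYS[1], "OneDrive"):
        "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
}

# Constructed `reg query` style output from a host under review. The
# "Updater" value is the kind of unfamiliar entry the post says to watch for.
CURRENT_EXPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\Updater\upd.exe
"""

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
VALUE_RE = re.compile(r"^\s{2,}(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

# Heuristic (author's assumption): autoruns launched from user-writable
# folders deserve a closer look than those under Program Files or System32.
USER_WRITABLE_FRAGMENTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_reg_export(text):
    """Return {(key_path, value_name): data} from reg query style output."""
    entries, current_key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            hive, _, rest = line.strip().partition("\\")
            current_key = HIVE_ALIASES.get(hive, hive) + "\\" + rest
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            entries[(current_key, m["name"])] = m["data"].strip()
    return entries


def find_unfamiliar(current, baseline):
    """Split current entries into new names, changed data and baseline entries gone missing."""
    new = {k: v for k, v in current.items() if k not in baseline}
    changed = {k: (baseline[k], v) for k, v in current.items()
               if k in baseline and v.lower() != baseline[k].lower()}
    missing = {k: v for k, v in baseline.items() if k not in current}
    return new, changed, missing


def in_user_writable_path(data):
    """True when the command line points into a folder an ordinary user can write to."""
    return any(frag in data.lower() for frag in USER_WRITABLE_FRAGMENTS)


if __name__ == "__main__":
    current = parse_reg_export(CURRENT_EXPORT)
    new, changed, missing = find_unfamiliar(current, BASELINE)
    for (key, name), data in new.items():
        flag = " [user-writable path]" if in_user_writable_path(data) else ""
        print(f"NEW      {key}\\{name} = {data}{flag}")
    for (key, name), (old, cur) in changed.items():
        print(f"CHANGED  {key}\\{name}: {old!r} -> {cur!r}")
    for (key, name), data in missing.items():
        print(f"MISSING  {key}\\{name} (baseline: {data})")
```

Run it against a fresh export after each patch cycle and after any threat report naming a run-key persistence technique; a "NEW" line is the trigger to look at the binary it points to, and a "CHANGED" line catches a known-good name whose command line has been swapped out.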

Final Thoughts

Cyber threat intelligence benefits businesses of any size and is not exclusive to expert analysts. Start with a focused approach by gathering threat intelligence about active groups known to target your industry. Identifying a threat group's behaviours helps you inform your IT person or team about how best to detect that group and what safeguards should be put in place. Appropriate protection and quick detection help stop, or at least mitigate, risk. If you have the resources, the best plan is to partner with cybersecurity experts who can properly assess your network vulnerabilities and who are familiar with industry-specific security concerns.

[iii] https://www.fireeye.com/current-threats/apt-groups.html#apt19 
