Importance of Cyber Threat Intelligence (CTI) feeds
As we all know, cyber attackers are innovating faster with new techniques, and our conventional security strategies for mitigating or eliminating threats are not keeping up. In particular, botnets, hacktivism and phishing techniques are widely used by attackers to perform DDoS attacks or send spam, compromising our security more easily than ever before.
Nowadays the concept of the elite “super attacker” is an illusion; the fast-evolving genre of “script kiddies” has started to become hackers using second-hand knowledge of how to launch attacks against known exploits. Thanks to the automated tools and code available on the internet, anyone with the will and desire to hack can succeed. The goals of these hackers usually fall into one of the following categories:
- Disrupt the continuity of the target organisation's business
- Steal valuable data
- Take revenge on the target organisation, or
- Act for the sake of curiosity
As Sun Tzu put in the Art of War,
“If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”
It is important for any organisation to have a well-defined security strategy, processes, people and modern security tools to protect its information. But to succeed in the cyber war, it is critical to understand the hacking techniques used by attackers and to have information on global threats.
Cyber Threat Intelligence (CTI) feeds give you information on numerous security threats, gathered from cyber-crime activity happening around the world and from a wide array of trusted and open sources. To keep pace with the current cyber threat environment, organisations need a CTI feed that provides valuable insights and detection and prevention techniques to combat threat factors such as botnets, malware, hacktivism, data leakage, credit card data theft, phishing, brand monitoring etc.
It is difficult to know when, where and how an attack will take place without looking outside your organisation's network. Global CTI feeds provide insights into how an attack is happening and who is responsible for it. CTI feeds either provide detection techniques before an incident or possible mitigation solutions during an attack. These threat feeds give you the ability to develop critical defensive security strategies.
CTI feeds include internal, community and external sources. Internal feeds include data collected from the organisation's own security tools, such as IDS/IPS, firewalls and antivirus. Community feeds include information shared between organisations in the same sector or with common interests, for example through an Information Sharing and Analysis Center (ISAC). External sources include threat feeds from public sources (with no guarantee of quality), such as Anti-Malware Domains, and paid private sources from industry-leading security vendors, which are well organised and guaranteed.
Integrating CTI feeds with SIEM – Instead of using global CTI feeds as a standalone solution, organisations should integrate them with their existing SIEM solution to allow faster detection of, and alerting on, known infected IPs, URLs and domains. Combining local monitoring with internal and external threat feeds provides information about attacks and also supports incident response to mitigate them. The SIEM matches current threat data against past threat logs and previously reviewed events and incidents, and alerts you or even takes defensive action based on the globally fed threat data; it can also analyse threat data for source IPs and report or block them.
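As an added illustration of the SIEM matching described above (this is not code from the original post or from any SIEM product), a small correlation routine loads an indicator feed and matches firewall/proxy log lines against exact IPs, CIDR ranges and domains, including subdomains of a listed domain. The feed layout, the key=value log format and every address and domain are constructed assumptions.

```python
import ipaddress

# Constructed feed (assumption: "type,value,tag" CSV; real feeds use STIX/TAXII or vendor CSV/JSON).
FEED = """ip,203.0.113.45,botnet-c2
cidr,198.51.100.0/24,scanner
domain,evil-example.test,phishing"""

# Constructed firewall/proxy log lines in a key=value layout (assumption).
LOGS = [
    "ts=2024-05-01T10:00:01Z src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow",
    "ts=2024-05-01T10:00:02Z src=10.0.0.7 dst=192.0.2.10 dport=80 action=allow",
    "ts=2024-05-01T10:00:03Z src=10.0.0.9 host=login.evil-example.test dport=443 action=allow",
    "ts=2024-05-01T10:00:04Z src=10.0.0.9 dst=198.51.100.77 dport=22 action=deny",
]

def load_feed(text):
    """Split the feed into exact IPs, CIDR networks and domain indicators."""
    ips, nets, domains = {}, [], {}
    for row in text.strip().splitlines():
        kind, value, tag = row.split(",")
        if kind == "ip":
            ips[value] = tag
        elif kind == "cidr":
            nets.append((ipaddress.ip_network(value), tag))
        elif kind == "domain":
            domains[value.lower()] = tag
    return ips, nets, domains

def match_log(line, ips, nets, domains):
    """Return (indicator, tag) if any address or host in the line matches, else None."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    for addr in (fields[k] for k in ("dst", "src") if k in fields):
        if addr in ips:
            return addr, ips[addr]
        ip = ipaddress.ip_address(addr)
        for net, tag in nets:          # CIDR indicators need a range check, not a lookup
            if ip in net:
                return str(net), tag
    host = fields.get("host", "").lower()
    for dom, tag in domains.items():   # match the domain itself and any subdomain
        if host == dom or host.endswith("." + dom):
            return dom, tag
    return None

def scan(logs=LOGS, feed=FEED):
    """Correlate each log line with the feed -> [(line, indicator, tag)] for the hits."""
    ips, nets, domains = load_feed(feed)
    matches = ((line, match_log(line, ips, nets, domains)) for line in logs)
    return [(line, m[0], m[1]) for line, m in matches if m]
```

In a real deployment the feed would be refreshed on a schedule and the hits forwarded to the SIEM's alerting pipeline rather than returned as a list.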
In my opinion, it is not possible for every organisation to have resources that match the evolving threat environment. Cyber Threat Intelligence with global CTI feed data comes in handy for an organisation to build or devise a safe and strategic security policy.