We have heard and read a lot about national intelligence agencies such as the Research and Analysis Wing (R&AW or RAW), the Intelligence Bureau and others. Their main function is to gather intelligence from within the country and from other countries, and also to execute counter-intelligence and counter-terrorism tasks. They gather threat intelligence so they can understand which threats are most credible or imminent and allocate resources accordingly to guard against those attacks. We read in newspapers that, as per intelligence reports, there are chances of such-and-such terrorist attacks.
A few years back, when I was working in a SOC, I got a call from one of my colleagues updating me about a Microsoft Windows vulnerability that would be made public in 2 days. Before a vulnerability gets public, is there any way we could get this information? I was confused...!! How did he come to know about it? Do we have an Intelligence Bureau here in our domain also?
With today's large variety of incoming attacks, it can be extremely difficult to detect and analyze ever-changing threats, much less to turn collected data into insights that consistently identify the most dangerous threats and then act accordingly. This is where security intelligence feeds help us. By definition, a threat intelligence service gathers raw data about emerging threats from several sources and then analyzes and filters that data to produce usable information in the form of management reports and data feeds for automated security control systems. A good example of this is the SANS Internet Storm Center.
The most important feature of a security intelligence platform is its data feeds. These data feeds contain IP addresses, malicious domains/URLs, phishing URLs, malware hashes etc. Threat intelligence services provide real-time alerts along with daily, weekly, monthly and quarterly threat reports. Intelligence may include information about specific types of malware, emerging threats, and threat actors and their motives. We can configure our SIEM systems to accept these feeds, which helps in identifying compromised external systems so the security team can act accordingly. So, with the help of threat intelligence, we can defend against attacks before they are ever launched. By monitoring threat intelligence feeds for attacks against specific software, systems or industries, an enterprise can determine whether it is using vulnerable software or systems and then deploy mitigations before an attack takes place. It improves the efficiency of security staff in proactively blocking security incidents.
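As an added illustration (not code from the original post), here is what the SIEM side of that configuration does in Python: it parses a feed of IP, CIDR, domain and hash indicators and runs firewall, proxy and AV log lines against it. The feed, the indicators and the log lines are all constructed for this example and use documentation address ranges only.

```python
import ipaddress
import re

# Constructed sample feed (indicator,type,description): not any real vendor's feed; documentation ranges and an .invalid domain only.
FEED_TEXT = """\
203.0.113.45,ip,constructed: scanning host
198.51.100.0/24,cidr,constructed: hosting range seen serving malware
login-example.invalid,domain,constructed: phishing landing page
0123456789abcdef0123456789abcdef,md5,constructed: dropper sample
"""

# Constructed firewall / proxy / AV log lines in key=value form (the SIEM side of the match).
LOG_LINES = [
    "2024-01-01T10:00:01Z fw src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow",
    "2024-01-01T10:00:02Z proxy src=10.0.0.7 host=mail.login-example.invalid path=/signin",
    "2024-01-01T10:00:03Z fw src=10.0.0.9 dst=198.51.100.77 dport=22 action=allow",
    "2024-01-01T10:00:04Z av host=ws12 file=invoice.exe md5=0123456789ABCDEF0123456789ABCDEF",
    "2024-01-01T10:00:05Z fw src=10.0.0.5 dst=192.0.2.10 dport=80 action=allow",
]

def parse_feed(text):
    """Group indicators by type; single IPs and CIDRs both become ip_network objects."""
    feed = {"net": set(), "domain": set(), "md5": set()}
    for line in text.splitlines():
        value, kind, _desc = line.split(",", 2)
        if kind in ("ip", "cidr"):
            feed["net"].add(ipaddress.ip_network(value, strict=False))
        elif kind in ("domain", "md5"):
            feed[kind].add(value.lower())  # normalise so matching is case-insensitive
    return feed

def match_line(line, feed):
    """Return (field, indicator) pairs for every feed indicator this log line touches."""
    hits = []
    for key, value in re.findall(r"(\w+)=(\S+)", line):
        if key in ("src", "dst"):
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:  # not an IP literal; skip rather than abort the scan
                continue
            hits += [(key, str(n)) for n in feed["net"] if addr in n]
        elif key == "host" and (h := value.lower()):  # the feed domain itself or any subdomain
            hits += [(key, d) for d in feed["domain"] if h == d or h.endswith("." + d)]
        elif key == "md5" and value.lower() in feed["md5"]:
            hits.append((key, value.lower()))
    return hits

def scan(lines, feed):  # each hit is (line_no, field, indicator)
    return [(i, f, x) for i, ln in enumerate(lines, 1) for f, x in match_line(ln, feed)]
```

Running `scan(LOG_LINES, parse_feed(FEED_TEXT))` flags lines 1 to 4 and leaves the clean line 5 alone; in a real deployment the hits would be raised as SIEM alerts and the feed refreshed on the vendor's schedule.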
Many security intelligence feeds are available, for example IBM Security X-Force, CrowdStrike, Cyveillance, LookingGlass, Dell, FireEye, IID, LogRhythm, RSA, Symantec and Verisign.
There are also non-profit organizations, such as the ShadowServer Foundation, which gathers intelligence on the darker side of the internet and is comprised of volunteer security professionals from around the world. Another is the Anti-Phishing Working Group (APWG), an international consortium that brings together businesses affected by phishing attacks, security products and services companies, law enforcement agencies, government agencies, trade associations, regional international treaty organizations and communications companies. Team Cymru Research NFP is an Illinois non-profit and a US Federal 501(c)3 organization; they are a group of technologists passionate about making the Internet more secure and dedicated to that goal.
Internet Systems Consortium, Inc. (ISC) is also a public benefit 501(c)(3) corporation dedicated to supporting the infrastructure of the universally connected, self-organizing Internet, and the autonomy of its participants, by developing and maintaining core production-quality software, protocols, and operations.
Investing in great technology solves only part of the problem, and a combination of threat intelligence, risk management, and the best technical solutions will help not only reveal who is being targeted but also how and why.
Authored by Aju Nair