Managing threat intelligence in an increasingly challenging landscape

He used the recent WannaCry malware to explain how an organization can leverage threat intelligence to address the attack.

By using the collected threat intelligence, an organization analyzes the attack vector, affected systems and impact of WannaCry, and then based on the analysis result, responds at the tactical, operational and strategic levels.

On the tactical side, the organization checks with its security vendors whether detection for the relevant IOCs or malware signatures has been deployed on perimeter defense devices and endpoints, and arranges security patches for end-of-service (EOS) products.

On the operational side, the organization alerts internal email users to the attack, performs offline backups of important data, and puts the incident response team on standby to prevent further spread of the malware.

On the strategic side, the organization has to consider whether it needs to review its security patching policy, its offline backup strategy and the risk of using EOS software, and prepare budgets and action plans if necessary.

Cyber intelligence sharing platforms

To help companies address cyber threats, security vendors and public-sector or government bodies have rolled out various threat intelligence sharing platforms.

In Hong Kong, the Cyber Intelligence Sharing Platform (CISP) was announced by Hong Kong Monetary Authority (HKMA) last May.

CISP is one of the pillars of the Cybersecurity Fortification Initiative (CFI) for the banking system. It is a local intelligence and information sharing platform among banks. The platform is developed and operated by the Hong Kong Applied Science and Technology Research Institute (ASTRI), under commission from the Hong Kong Association of Banks (HKAB).

According to the HKMA spokesperson, the first version of CISP was available last December with access open to all the licensed banks and the Hong Kong Police.

Based on the Structured Threat Information Expression (STIX) standard, cybersecurity intelligence from commercial and public-domain sources will be shared in the CISP. ASTRI will also provide cybersecurity intelligence from Chinese-language sources, along with analysis and daily reports. Relevant guidelines, procedures and requirements governing the onboarding, authentication, security and use of the CISP have been jointly developed by HKAB and ASTRI.
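The tactical step described for WannaCry (checking whether the IOCs from a feed are actually seen or detected in the environment) and the STIX-based sharing that CISP uses come together in a small matcher. The example below is added here and is not code from the article, CISP, ASTRI or any vendor: it parses a constructed STIX 2.1 bundle, extracts simple equality indicators (a SHA-256 file hash and a domain name), and checks them against constructed endpoint and DNS telemetry. The bundle, the hash, the domain and the host names are all placeholders, not real WannaCry indicators, and the pattern parser deliberately handles only the single-comparison STIX pattern form.

```python
"""Added example: matching STIX indicators from a sharing feed against
endpoint telemetry, the tactical step the article describes for WannaCry.
All data below is constructed; nothing here is a real WannaCry indicator."""
import json
import re
from collections import defaultdict

PLACEHOLDER_HASH = "0" * 64                      # stands in for a real SHA-256 from a feed
PLACEHOLDER_DOMAIN = "killswitch-check.example"  # reserved TLD, constructed value

# Constructed STIX 2.1 bundle in the shape a platform such as CISP might share.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--22222222-2222-4222-8222-222222222222",
            "name": "Constructed ransomware dropper hash",
            "pattern_type": "stix",
            "pattern": f"[file:hashes.'SHA-256' = '{PLACEHOLDER_HASH}']",
            "valid_from": "2017-05-12T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--33333333-3333-4333-8333-333333333333",
            "name": "Constructed domain contacted by the malware",
            "pattern_type": "stix",
            "pattern": f"[domain-name:value = '{PLACEHOLDER_DOMAIN}']",
            "valid_from": "2017-05-12T00:00:00Z",
        },
        # A non-indicator object; a matcher must ignore these.
        {
            "type": "malware", "spec_version": "2.1",
            "id": "malware--44444444-4444-4444-8444-444444444444",
            "name": "Constructed ransomware family", "is_family": True,
        },
    ],
})

# Constructed endpoint and DNS telemetry: the data a SOC already collects.
TELEMETRY = [
    {"host": "host-01", "kind": "file", "sha256": PLACEHOLDER_HASH.upper()},
    {"host": "host-02", "kind": "dns", "query": PLACEHOLDER_DOMAIN},
    {"host": "host-03", "kind": "file", "sha256": "f" * 64},  # benign, no match
    {"host": "host-04", "kind": "dns", "query": PLACEHOLDER_DOMAIN.upper()},
]

# Handles only the single-comparison pattern form [type:property = 'value'].
# Real STIX patterns may combine comparisons with AND/OR, FOLLOWEDBY and
# observation qualifiers; those are skipped here rather than risk a false match.
_SIMPLE_PATTERN = re.compile(
    r"^\[\s*([a-z0-9-]+):([A-Za-z0-9_.'\-]+)\s*=\s*'([^']*)'\s*\]$"
)


def load_indicators(bundle_json):
    """Map (object type, property, lowercase value) -> STIX indicator id."""
    indicators = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # e.g. yara or snort patterns need their own engines
        match = _SIMPLE_PATTERN.match(obj["pattern"])
        if not match:
            continue  # unsupported pattern shape, leave it for a full evaluator
        obj_type, prop, value = match.groups()
        indicators[(obj_type, prop.replace("'", ""), value.lower())] = obj["id"]
    return indicators


def observation_key(event):
    """Translate a telemetry record into the same key space as the indicators."""
    if event["kind"] == "file":
        return ("file", "hashes.SHA-256", event["sha256"].lower())
    if event["kind"] == "dns":
        return ("domain-name", "value", event["query"].lower().rstrip("."))
    return None


def match_telemetry(indicators, events):
    """Return {indicator id: sorted hosts} for every sighting in the telemetry."""
    hits = defaultdict(set)
    for event in events:
        key = observation_key(event)
        if key is not None and key in indicators:
            hits[indicators[key]].add(event["host"])
    return {ind_id: sorted(hosts) for ind_id, hosts in hits.items()}


if __name__ == "__main__":
    loaded = load_indicators(STIX_BUNDLE)
    for ind_id, hosts in match_telemetry(loaded, TELEMETRY).items():
        # Each hit is a tactical action item: isolate the host, confirm the
        # perimeter or endpoint signature is live, and report the sighting back
        # to the sharing platform.
        print(f"{ind_id}: seen on {', '.join(hosts)}")
```

Two design choices matter in practice: values are normalised (lowercased, trailing dot stripped from DNS names) before comparison so that a feed entry still matches telemetry that records the same artefact differently, and any STIX pattern the simple parser cannot interpret is skipped outright instead of being partially matched, since a quiet false negative is easier to audit than a confident false positive.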

Threat intelligence supported by machine learning

More enterprises use external threat intelligence to enhance their decision making. Yet they face challenges in doing so, mainly because of rising data volumes and a shortage of skilled staff. Machine learning can work alongside security teams to implement threat intelligence at the tactical and operational levels.

“There are too many threat intelligence feeds. Human beings can’t read every security blog every day. Another problem is insufficiency in skilled security analysts,” said Ron Williams, IBM’s chief architect of infrastructure security, in an interview with Computerworld Hong Kong.

“Companies need data that really help them to address risks in an efficient way, not simply educating them better about security,” he added.

He pointed out that machine learning makes the discovery and analysis of threat intelligence automatic and actionable, enabling companies to reduce security risks while addressing the skills gap.