Key Insights from Secureworks’ 2017 Threat Intelligence Summits
To provide valuable insights into how the threat landscape evolves, we held Threat Intelligence Summits where our experts shared the latest actionable intelligence to help organizations prepare for what’s ahead.
By: Secureworks
Threat intelligence is more than just threat indicators or data points without context – it is actionable information that can guide security strategy and alert organizations to ongoing and emerging threats.
Understanding how threat intelligence can empower your organization is critical, and was the subject of our recent Threat Intelligence Summits in Atlanta and London. The events were a chance for Secureworks® experts and event attendees to discuss real-world examples of how threat actors are targeting their victims and how to better detect, prevent and respond to security events.
Doing any of those three – detection, prevention and response – effectively starts with visibility of the threat landscape, and knowing more about current and emerging trends. For example, a low barrier to entry and ease of execution have led to cybercriminals gravitating towards ransomware schemes. Secureworks Counter Threat Unit™ researchers observed nearly 200 new, named ransomware variants in 2016, up from 90 during the prior year. In this case, knowledge of the upsurge in attacks should cause organizations to review their backup strategies and incident response plan for such incidents, particularly in light of the WCry (WannaCry) campaign.
Threat intelligence, however, is about much more than tracking malware growth. It is also about observing and monitoring the tactics of cyber adversaries, including watching what they do once they are inside a network and using that information to close security holes. Real-world incidents have taught us that poor visibility and acting too quickly can lead to failures in incident response. Catching a compromise requires security teams to understand the entirety of the organization’s digital estate. Limiting a responder’s visibility of the network gives evicted threat actors the advantage of leveraging entry points that are unknown to or not well understood by network defenders. In addition, attempt to evict an attacker too quickly and you risk not understanding the full extent of a compromise, leading to threat actors potentially retaining their access within the environment and raising the cost of eventually removing them.
This is particularly important as the ecosystem of employees, contractors and partners accessing your network and data grows more complex. The more third parties that have access, the broader the potential threat landscape for your organization. Preventing attackers from using these third parties as steppingstones into your organization requires developing a smart vendor management program with coordination from the procurement, legal, IT and business sides of your organization that effectively evaluates vendor-related security risks and monitors vendor compliance with your security needs.
Past failures can be instructive. In some cases, Secureworks has seen evidence of recommendations going unheeded years after an incident. This leaves doors open for attackers. Patching security vulnerabilities, access control management, hardening Active Directory and privileged accounts, and implementing robust password policies are all critical for continuously keeping attackers out of your environment.
The key to all of this, however, is understanding previous and current adversary behaviors – and using this understanding to anticipate what is likely to happen next. Weaving this knowledge into cybersecurity defenses is what separates strong security programs from weak ones. For threat intelligence to be useful, security teams must combine this visibility with contextual information that enables them to determine what threats are relevant to their organization and how best to respond.
At Secureworks, we make this our focus, and harness not only our technology and researchers, but also the visibility provided by protecting a global network of clients to do so – making our Threat Intelligence services truly intelligent, and enabling clients to respond to threats more quickly and effectively. At these summits, we were able to share the lessons mentioned above, and encourage attendees to begin thinking about how intelligence can bolster their defenses. Wisdom is the proper application of information, and correctly applying threat intelligence can be the difference between stopping an attack and penning a data breach notification letter.