We all know that cybersecurity is an ongoing arms race and that threats are growing in size and sophistication all the time. But many security professionals aren’t aware of the true scale of the potential risks, and in some cases their organisations can be under severe threat without them even realising.
Hackers, or groups of hackers, operating for their own personal gain are less of a concern when compared to the emerging menace of Advanced Persistent Threats (APTs). These highly advanced attacks are sometimes even state-sponsored and attack specific businesses through targeted methods, often for political or ideological reasons. The methodologies behind these attacks are at the cutting edge of cyber crime and often carry their own unique hallmark, such as SQL injection or ‘masquerading’ - inserting resident malware into systems through phishing.
An advanced persistent threat (APT) uses continuous and covert hacking techniques to gain access to a system and remain inside for an extended period of time. It is a prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected. Rather than trying to damage the network, the goal of an APT is to steal valuable data to use against the target organisation.
Because the motives behind APTs reach far beyond IT, these attacks are very different from what’s gone before. This means not all security professionals have the knowledge or skill-set to pick up on these attacks, or to work out where the vulnerable points are within their applications or infrastructure. At the same time, many managers and decision makers take a ‘See No Evil, Hear No Evil, Speak No Evil’ approach - where either they don’t believe there’s a threat; don’t deal with problems when they’re highlighted; or don’t want to highlight them for fear of causing panic.
But whatever the circumstances, these APTs must be addressed and it’s clear that a different security mindset is required in order to do so. That mindset should ideally be guided by Cyber Threat Intelligence (CTI).
Closing the gaps with CTI
In short, Cyber Threat Intelligence (CTI) tools process threat information and deliver insights on those threats, in the context of how they could affect a specific organisation. CTI assesses the nature of a threat, how relevant it is to the organisation based on its profile and type of operations, and the areas the threat would most likely target.
Based on this information, security practitioners can then redirect their focus and resources to the areas most likely to be attacked. They can constantly adjust this over time as threat priorities and motivations change.
An excellent (and very current) example of how this plays out in practice can be found within the pharmaceuticals industry. All over the world, there are pharma organisations working around the clock to create a vaccine for COVID-19. The intellectual property involved in vaccine research and development could therefore be immensely valuable to rival companies in other countries who want to get there first, or state-sponsored hackers motivated by geopolitical concerns.
CTI can then take into consideration where that information is stored within an organisation’s system, the protections that are already in place around it, who the most likely attackers who would want to target them are and how they would be likely to do it. The pharma company can then respond by strengthening security provision in the right places at the right time, to proactively defend against threats based on a combination of human and machine knowledge.
Beyond cyber threat hunting
Most current CTI operations revolve around ‘cyber threat hunting’. This assumes a compromise has already occurred and involves scouring the network for traces of it. This method can often uncover threats that have already infiltrated a network and are lying dormant so they can strike at the most opportune time. Proper monitoring systems, combined with searches on the dark web to identify any weak links or exploited areas, are key to enabling this vital work.
When fighting APTs however, it’s important to take a much more strategic view that looks both inside and outside the purview of a security team. Security assessments for training and awareness can help organisations identify key individuals and assets that could be targeted, with the likelihood of the threat striking them. This requires a shift in philosophy away from one that’s technically focused, to instead ensure the link between real risks and real actions is more data-driven - enabling you to mitigate them more effectively.
Ultimately, CTI adds an element of logic to the process of threat assessment and protection. Firstly, the existence of an attack (or a likely one) can be identified. Secondly, its relevance to the specific organisation can be qualified and quantified. And thirdly, measures can be deployed where they are needed in order to maximise the return on security spend and resources. At the end of that journey, organisations should feel confident that they’re strongly protected against the threats most likely to impact their business and operations.
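As an added illustration of the three steps above (identify, qualify relevance, place measures) applied to the pharma case earlier on the page, and not part of the original article: a small Python model that scores constructed threat reports against an organisation profile and ranks the controls still missing from the assets those threats seek. The scoring weights, the technique-to-control mapping and every actor and asset name are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
CONTROL_FOR = {  # mitigating control each technique calls for (constructed mapping)
    "phishing": "phishing-resistant MFA",
    "sql-injection": "parameterised queries + WAF",
}

@dataclass
class OrgProfile:
    sector: str
    assets: dict  # asset name -> set of controls already protecting it

@dataclass
class ThreatReport:
    actor: str
    sectors: set     # industries the actor is reported to target
    techniques: set  # how the actor gets in
    seeks: set       # asset types the actor goes after

def relevance(report: ThreatReport, org: OrgProfile) -> float:
    # Step two: weight the report by sector fit and by how many of our assets it seeks (0..1).
    sector = 1.0 if org.sector in report.sectors else 0.2
    exposure = sum(a in report.seeks for a in org.assets) / max(len(org.assets), 1)
    return round(sector * (0.5 + 0.5 * exposure), 2)

def prioritise(reports, org, threshold=0.5):
    # Step three: rank missing controls by the relevance of the threats they would close.
    gaps = defaultdict(float)
    for r in reports:
        score = relevance(r, org)
        if score < threshold:
            continue
        for asset in org.assets:
            if asset not in r.seeks:
                continue
            for tech in r.techniques:
                control = CONTROL_FOR.get(tech, f"review: {tech}")
                if control not in org.assets[asset]:
                    gaps[(asset, control)] += score
    return sorted(gaps.items(), key=lambda kv: -kv[1])

PHARMA = OrgProfile("pharma", {  # constructed sample: a company holding vaccine research data
    "vaccine-research": {"parameterised queries + WAF"},
    "hr-records": {"phishing-resistant MFA"},
})
REPORTS = [  # constructed reports; actor names are placeholders
    ThreatReport("actor-A", {"pharma", "biotech"}, {"phishing", "sql-injection"}, {"vaccine-research"}),
    ThreatReport("actor-B", {"retail"}, {"phishing"}, {"hr-records"}),
]
```

Running `prioritise(REPORTS, PHARMA)` on the sample ranks the single gap that matters: the vaccine research store is already covered against SQL injection but not against phishing, while actor-B, which targets a different sector, falls below the threshold and drives no spend.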