Are You Prepared for the Surge in Ransomware?
Anthony Stitt
Incidents of ransomware have been increasing and evolving steadily for years as financially motivated adversaries shift tactics when one is no longer profitable. Unfortunately, many organizations haven’t been able to adapt their security operations to keep up. Back in 2019, 60% of organizations told ESG that they experienced a ransomware attack that year, with 29% reporting that attacks happened at least on a weekly basis. The following year, Gartner stated that 27% of malware incidents reported in 2020 could be attributed to ransomware.
Who knows what the final tally will be in 2021? But recent high-profile attacks that impacted fuel supplies on the East Coast, threatened meat distribution, and targeted transportation systems and financial services providers have made ransomware a mainstream topic of concern. Consumer confidence has been shaken and organizations are wondering how to protect themselves and their customers when these attacks happen. What’s needed is a deeper understanding of adversaries and their tactics, techniques and procedures (TTPs), so you can determine what is relevant to your organization and how to mitigate risk.
A cornerstone to any security operation is a threat intelligence program that provides better intelligence across the threat spectrum from known to unknown attacks, and the ability to leverage this intelligence for all the systems and analysts who need it. This intelligence must include internal data, events and telemetry, supplemented with external data from a diversity of sources including commercial vendors, open sources, ISACs, CERTs, government cyber organizations and other sharing communities.
To deal with this complexity, Threat Intelligence Platforms (TIPs) have risen in popularity. The first function of a TIP is to store and manage threat information no matter where it comes from. The second function is to correlate and contextualize it by prioritizing the small fraction of relevant information to turn it into useful intelligence. Third, the intelligence must be shared with downstream systems that use it for post-compromise detection, preemptive blocking, and patch prioritization. Finally, TIPs may include analysis and visualization tools that assist various user groups, including SOC analysts, incident responders and threat hunters, by making it easier to share intelligence and collaborate.
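The four TIP functions above (store, correlate and contextualize, share downstream, support analysts) can be seen end to end in a small pipeline. The following is an added illustration written for this post, not code from any TIP product: it ingests three constructed feeds (a commercial vendor, an open source list and an ISAC), merges duplicate indicators that differ only in case or a trailing dot, enriches them with constructed internal sightings, scores them so only the relevant fraction is kept, and exports the network-blockable ones for a downstream control. The feed names, indicator values, scoring weights and the fixed "today" date are all assumptions made for the example; none of the indicators are real IoCs.

```python
"""Toy threat-intelligence pipeline: ingest, correlate, prioritize, share.

All feeds, sources, indicators and weights below are constructed for
illustration only; none of the indicators are real IoCs.
"""
from dataclasses import dataclass, field
from datetime import date

TODAY = date(2021, 6, 10)  # fixed "now" so scores are reproducible

# Constructed feeds keyed by source name; each record is
# (indicator_type, value, last_seen ISO date, source confidence 0-100)
FEEDS = {
    "commercial_vendor": [
        ("ipv4", "203.0.113.10", "2021-06-01", 90),
        ("domain", "update-check.example", "2021-05-28", 80),
        ("sha256", "aa" * 32, "2021-06-03", 95),
    ],
    "open_source": [
        ("ipv4", "203.0.113.10", "2021-06-02", 60),
        ("ipv4", "198.51.100.7", "2021-01-15", 50),
        ("domain", "UPDATE-CHECK.example.", "2021-05-30", 55),  # same domain, different form
    ],
    "isac": [
        ("sha256", "AA" * 32, "2021-06-04", 85),  # same hash, upper case
        ("domain", "billing-portal.example", "2021-06-05", 70),
    ],
}

# Constructed internal telemetry: how often each indicator appeared in our
# own logs. Sightings are what turn third-party data into relevant intel.
INTERNAL_SIGHTINGS = {
    ("ipv4", "203.0.113.10"): 3,
    ("domain", "billing-portal.example"): 1,
}


@dataclass
class Indicator:
    kind: str
    value: str
    sources: set = field(default_factory=set)
    max_confidence: int = 0
    last_seen: date = date.min
    sightings: int = 0
    score: int = 0


def normalize(kind, value):
    """Canonical form so the same IoC from two feeds merges into one record."""
    value = value.strip()
    if kind == "domain":
        value = value.lower().rstrip(".")
    elif kind in ("md5", "sha1", "sha256"):
        value = value.lower()
    return kind, value


def score(ind, today):
    """Higher for corroborated, confident, recent and locally sighted indicators."""
    age_days = (today - ind.last_seen).days
    stale_penalty = max(0, age_days - 30) // 10  # one point per 10 days past a month
    return (ind.max_confidence
            + 10 * (len(ind.sources) - 1)      # corroboration across feeds
            + 15 * min(ind.sightings, 3)       # seen in our own environment
            - stale_penalty)


def correlate(feeds, sightings, today=TODAY):
    """TIP functions 1 and 2: store everything, merge duplicates, add context."""
    store = {}
    for source, records in feeds.items():
        for kind, raw, seen, confidence in records:
            key = normalize(kind, raw)
            ind = store.setdefault(key, Indicator(*key))
            ind.sources.add(source)
            ind.max_confidence = max(ind.max_confidence, confidence)
            ind.last_seen = max(ind.last_seen, date.fromisoformat(seen))
    for key, count in sightings.items():
        key = normalize(*key)
        if key in store:
            store[key].sightings = count
    for ind in store.values():
        ind.score = score(ind, today)
    return store


def prioritize(store, threshold=80):
    """Keep only the small fraction worth acting on, best first."""
    keep = [i for i in store.values() if i.score >= threshold]
    return sorted(keep, key=lambda i: (-i.score, i.value))


def export_blocklist(prioritized, kinds=("ipv4", "domain")):
    """TIP function 3: hand network-blockable indicators to a downstream control."""
    return [i.value for i in prioritized if i.kind in kinds]


if __name__ == "__main__":
    store = correlate(FEEDS, INTERNAL_SIGHTINGS)
    for ind in prioritize(store):
        print(f"{ind.score:4d} {ind.kind:7s} {ind.value} "
              f"sources={sorted(ind.sources)} sightings={ind.sightings}")
    print("blocklist:", export_blocklist(prioritize(store)))
```

Run as a script it prints the prioritized indicators and the resulting blocklist. The indicator seen in three internal events and reported by two feeds lands at the top, the single-source address last seen months ago falls below the threshold, and the two hash records and the two domain records each collapse into one entry despite their differing case and trailing dot. The weights are deliberately simple; the point is that relevance comes from corroboration, recency and local sightings rather than from feed volume.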
So how do you get started with a threat intelligence program?
Using open data sources and tools like MISP, TheHIVE and Cortex is one way to get started with threat intelligence, building and testing the processes required and demonstrating what it can do for your organization. But keep in mind the soft costs of coding and development time required with open source tools, and the likelihood that you’ll end up with a single person in the organization who develops the institutional knowledge and domain expertise. Should that person leave, the program will fail, which introduces more costs and risks.
Whether you go through this stage or jump straight to evaluating commercial approaches, keep in mind that most threat intelligence programs will cost in the range of $500,000 – $2 million per year for an effective capability, including people and new systems, for example threat intel analysts, a TIP and intelligence sources. However, set that against reported ransomware demands and a recent report that estimates the average cost of a data breach at $3.86 million, with mega breaches (50 million records or more stolen) reaching $392 million: a threat intelligence program that prevents even a single breach each year will pay for itself.
Unfortunately, this can be difficult to demonstrate when making the case for budget. Unless your organization is suffering data breaches constantly, you are unlikely to have any hard data to calculate an ROI. Instead, one approach is to track your organization’s ability to detect compromises and determine which of those were exclusively detected with intelligence from the threat intelligence program. One large global technology company was able to attribute over 1,500 compromises per annum to their intel program using this method. In the context of their overall compromise detection costs from security tools, incident response, threat hunting and alert triage, they could show a strong ROI for their threat intelligence program.
Each of these use cases, as well as others including threat intelligence management, vulnerability management and accelerated prevention and detection, presents its own ROI areas. These include increased staff efficiency, improved collaboration, faster patching of prioritized vulnerabilities, reduced attacker dwell time and faster time to respond.
A threat intelligence program is an essential component to any organization’s quest to overcome threats as they evolve and emerge. Now’s the time to get started and if you already have a program in place, there is always room for improvement and optimization for your top use cases.
In my next blog, I’ll discuss the foundational use case for a TIP – threat intelligence management – including the role of strategic, operational and tactical intelligence and ROI areas and metrics.