Where do You Stand on the Top Threat Intelligence Considerations?

The beginning of the year is always full of “bests and worsts” from the prior year, as well as predictions. These observations and insights can be fun, but they are usually just one person’s take. So, we decided to do something different. 

We conducted a community survey in January and invited visitors to our website to answer four questions. We then posed those same questions to a panel of cybersecurity industry experts during our January 28 Cybersocial webcast, “2020 Threat Intel Recap and Look Ahead.” Our own Jonathan Couch, Senior VP Strategy, moderated the discussion, which included Kurtis Minder, CEO, GroupSense; Justin Henkel, Director of Cyber Threat Intelligence, CME Group; and Aylea Baldwin, Threat Intelligence Lead, Reddit. 

Here are the key survey findings and how our panelists weighed in.

Question 1: What was the most pervasive threat of 2020? 45.9% of survey respondents said Ransomware-as-a-Service (RaaS), followed by Foreign State Actors (27%), Covid-19 Scams (24.3%) and Lateral Phishing (2.7%).

As an expert on ransomware support and negotiation, Kurtis notes that these categories are intertwined: ransomware campaigns have been executed by foreign state actors, and Covid-19 has been leveraged as a hook for phishing emails, which are frequently a delivery mechanism for ransomware. Kurtis also pointed out that, “Ransomware targets soft security industries and sectors that would have a high impact. Think schools or vaccine warehouses, especially in today’s time.” Defenders are always in an arms race with threat actors, but more of their focus has now shifted to incident response. There is a small list of basic things that most companies can do to reduce risk tremendously. 

From Justin’s perspective as a threat intel expert in the financial services industry, ransom DDoS (RDoS) extortion campaigns have been impacting the financial sector over the last six months. Understanding the threat actor’s playbook and sharing tactics, techniques and procedures (TTPs) as quickly as possible to accelerate response is a priority. This includes sharing with third parties and building maturity across your community of partners, company to company.

Given her work with a social news aggregator, Aylea shares that understanding the threat landscape, including the role social media plays in threatening the electoral process, has been a focus for companies such as Reddit in 2020 and into 2021, and that the same understanding is vital to addressing ransomware. Her team is always evolving its existing programs, including cyber threat intelligence (CTI) and threat hunting, to increase security efficiency and effectiveness.

The bottom line: Ransomware is pervasive. Understanding TTPs and threat actor motivations is critical to risk mitigation and maintaining the integrity of services.

Question 2: What was 2020’s breakout cyber threat intelligence trend? 46.9% said Machine Learning (ML)/Artificial Intelligence (AI) with Convergence and XDR tied for second (18.8% each), and SOAR closely behind (15.6%).

Our experts all agreed that ML/AI is a hot topic right now, but they have a few words of caution. Aylea has observed a tendency for users to believe that ML is “plug and play”, but it isn’t. There is a learning curve that goes with implementing ML solutions: models improve only as they are trained and tuned on more data, so expect a ramp-up period. Aylea and her team consider ML a technology to help analysts optimize what they already do. Justin concurs that the value in technologies like ML/AI is to automate lower-level processes and enable analysts to focus their time on higher-level tasks, for example using it to filter out noise and set up alerting so that an analyst can review the information and make decisions. Kurtis also cautions that AI is oversold and oversimplified and will never replace humans. One of the biggest challenges with using ML/AI is that much of the data being ingested is unstructured and conversational, and you can’t just apply ML to that. You need an ingestion engine to normalize the data, and the data needs to be high fidelity, in order to apply ML/AI and reap value. 

The bottom line: Over the next few years we’ll get a better feel for the right time and type of ML/AI to apply in certain situations. There are lots of efficiencies to be gained if ML/AI is approached in the right way and viewed through the lens of enabling humans.

Question 3: What’s “most vulnerable” in 2021? Responses here were fairly evenly split between Mobile/IoT (22.2%), SaaS/Cloud Based and Critical Infrastructure (19.4% each), Employee Error (16.7%), and Cybersecurity Skills Gap (13.9%), with Identity Data trailing (8.3%).

Here our experts agreed that the first three categories are all vulnerable and that it is important for companies to build resilience in these areas. Employee error continues to be a huge area of vulnerability, and the distributed work environment and more connected devices exacerbate the challenge of maintaining employee education and awareness by creating new attack vectors. They also point out that region, culture and size affect a company’s maturity in enabling a distributed workforce securely and mitigating risk. 

The bottom line: Mobile/IoT and employee education present huge opportunities in 2021 to improve resilience. 

Question 4: Which CTI trends do you hope will accelerate in 2021? By far, Stronger Automation and Integration topped the responses (60%), followed by AI/Machine Learning (28.6%), Silo Reduction (5.7%) and Other (5.7%). 

Aylea agrees with these results, stating, “Automation is also important to us in terms of scaling. A strong ability to automate things is great when dealing with huge amounts of data. It is different than machine learning though – we like to treat both of those separately.” From Kurtis’ perspective, the need to reduce silos is important so that all stakeholders get the cyber threat intelligence they need in a format that is easily consumable, particularly for departments like risk and fraud management that can often be left out of the loop. Dovetailing with this response, Justin reinforced the need for employee awareness and training across the entire organization to accelerate and keep pace with the latest campaigns and adversary techniques. 

The bottom line: Sharing usable threat intelligence in a timely and consumable fashion is going to be critical. This requires automation and breaking down silos.
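Two of the panel’s points above lend themselves to a concrete illustration: the ingestion step that normalizes unstructured, conversational reports into high-fidelity data before any ML is applied (Question 2), and automation that turns that data into a consumable, shareable form for other stakeholders (Question 4). The following Python is an added example written for this recap; it is not code from ThreatQuotient, ThreatQ or any panelist. The messages, source names, confidence values, allowlist and noise networks are all constructed for illustration and use only documentation address space and reserved “.example” names.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample input (not real intelligence): informal reports as they might
# arrive from a sharing chat, social media and an internal sandbox.
RAW_MESSAGES: List[Dict] = [
    {"source": "isac-chat", "confidence": 70,
     "text": "heads up, phishing docs pulling from hxxp://cdn-update[.]example/inv.doc, "
             "payload sha256 " + "a" * 64 + ", beacons to 203.0.113[.]45 on 443"},
    {"source": "twitter", "confidence": 30,
     "text": "same loader again, md5 " + "b" * 32 + " and the c2 is CDN-UPDATE[.]example again"},
    {"source": "internal-sandbox", "confidence": 90,
     "text": "sample resolved 10.0.0.5 and 127.0.0.1 during unpack (noise), then 203.0.113.45"},
]

# Assumed benign infrastructure to drop; a real allowlist would be far longer.
ALLOWLIST = {"example.com", "windowsupdate.com"}

# Address space that shows up in sandbox and host logs but carries no signal
# (RFC 1918, loopback, link-local). Listed explicitly rather than via
# ipaddress's is_private, which would also drop the documentation range above.
NOISE_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
URL_RE = re.compile(r"https?://([^\s/]+)\S*", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common defanging so each indicator has one canonical spelling."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", text, flags=re.IGNORECASE)
    return re.sub(r"\bhxxp", "http", text, flags=re.IGNORECASE)


def extract(text: str) -> List[Tuple[str, str]]:
    """Pull typed indicators out of free text as (type, value) pairs."""
    text = refang(text)
    found: List[Tuple[str, str]] = []
    for m in URL_RE.finditer(text):            # URL hosts first, so a path such as
        host = m.group(1).split(":")[0].lower()  # "inv.doc" is never read as a domain
        found.append(("ipv4" if IPV4_RE.fullmatch(host) else "domain", host))
    text = URL_RE.sub(" ", text)
    for m in IPV4_RE.finditer(text):
        found.append(("ipv4", m.group(0)))
    text = IPV4_RE.sub(" ", text)              # so addresses are not re-read as domains
    for m in HASH_RE.finditer(text):
        found.append((HASH_TYPES[len(m.group(0))], m.group(0).lower()))
    for m in DOMAIN_RE.finditer(text):
        found.append(("domain", m.group(0).lower()))
    return found


def is_noise(kind: str, value: str) -> bool:
    """Drop indicators with no signal: internal addresses and allowlisted domains."""
    if kind == "ipv4":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:                     # e.g. 999.1.1.1 slipped past the loose regex
            return True
        return any(ip in net for net in NOISE_NETS)
    if kind == "domain":
        return any(value == a or value.endswith("." + a) for a in ALLOWLIST)
    return False


def normalize(messages: List[Dict]) -> List[Dict]:
    """Merge every sighting of an indicator into one structured record."""
    merged: Dict[Tuple[str, str], Dict] = {}
    for msg in messages:
        for kind, value in extract(msg["text"]):
            if is_noise(kind, value):
                continue
            rec = merged.setdefault((kind, value), {"type": kind, "value": value,
                                                    "sources": [], "sightings": 0,
                                                    "confidence": 0})
            rec["sightings"] += 1
            if msg["source"] not in rec["sources"]:
                rec["sources"].append(msg["source"])
            rec["confidence"] = max(rec["confidence"], msg["confidence"])  # best source wins
    return sorted(merged.values(), key=lambda r: (-r["confidence"], r["type"], r["value"]))


def high_fidelity(records: List[Dict], min_confidence: int = 50) -> List[Dict]:
    """Keep records worth feeding to a model or a partner: trusted, or independently corroborated."""
    return [r for r in records
            if r["confidence"] >= min_confidence or len(r["sources"]) >= 2]


if __name__ == "__main__":
    for rec in high_fidelity(normalize(RAW_MESSAGES)):
        print(rec)
```

Run as-is, the script yields three records: the C2 address seen by both the sharing chat and the sandbox (two sightings, confidence 90), the loader domain corroborated across two sources, and the SHA-256 from the trusted chat. The low-confidence, single-source MD5 from social media is held back, and the private and loopback addresses from the sandbox never make it in. The same flat records are what you would serialize for an automated feed to risk or fraud teams, rather than forwarding the raw chat text.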

For more insights from these experts, watch the webinar on-demand.


About ThreatQuotient™

ThreatQuotient™ understands that the foundation of intelligence-driven security is people. The company’s open and extensible threat intelligence platform, ThreatQ™, empowers security teams with the context, customization and prioritization needed to make better decisions, accelerate detection and response and advance team collaboration.