Connecting the dots: how to tie threat path intelligence to actionable choices

Threat path intelligence is analyzing and assessing threat information in relation to your business, and preparing a suitable response or taking proactive protective measures. Given that these days it’s no longer a matter of if, it’s the matter of when you will be attacked, monitoring and tracking threat intelligence can be vital to saving your business.

In this post, I’d like to discuss how we can take pieces of threat information, and analyze them in order to make actionable choices in order to protect the business.

There are a few basic steps to finding cyber threat information, analyzing it and creating an action plan, and the process should be incorporated into the everyday operational processes. Lets break them out and discuss each step in more detail using an example.

Identify

In order to uncover intelligence information you first need to be aware of it. There are plenty of websites that report on cyber security information, as well as services that can be purchased to provide streamlined information. Tap into some of these resources; they provide lots of background and technical information. In order to simplify the process for myself, I pulled my sources into a portal, which you can see here: www.securetelligence.com.

So, let’s use this example: “NTP Servers Exposed to Long Distance Wireless Attacks”, SecurityWeek. This story covers a basic flaw in Time protocol servers that allows hackers to change the time in your business. This could have critical consequences if you have “timed based” processes or applications (which most organizations do).

Research

After finding a piece of information you should check to make sure it’s legit. A simple google search should show if other security companies or analysts are discussing the issue and its potential impact.

Following a Google search I found a PowerPoint which explained the exact problem and exploit: Time is on my side by Yuwei Zheng & Haoqi Shan.

Analyze

Once you have enough pieces of information gathered, you need to review each piece with two objectives in mind: how can it help me protect my organization from the cyber threat, and how can it help me to explain the threat to the business.

Take Action

Next you need to formulate a plan of attack on how to deal with the cyber threat. This will include uncovering the size of your potential impact and how to mitigate or contain the threat. You should also determine the life span of the threat: is a short term hacking campaign or a long term malware campaign.

In our example the next step would be to perform a quick asset inventory scan of the NTP servers to determine which ones were version 4 (the affected version). Then review the firewalls rules to ensure that communication paths were locked down and any unnecessary paths to these servers were removed.

Recover

After taking the appropriate action, there may be circumstances where you will need to remove the protective layers and mitigation actions, such as unblocking a communication path through your firewall, in order to facilitate legitimate business.

In or example since our NTP v4 server supports a critical app, we should add in additional security measures, rather than remove the mitigation efforts.

Evaluate

Once the cyber threat and its corresponding action items and recovery have been completed, you need to assess the situation again from top to bottom to determine gaps or inefficiencies. This step may include technology, processes, people, funding, etc.

In our example the outcome of the evaluation was to shift dependence on NTP v4 to something more secure.

In the above example we were able to take cyber threat information and correctly analyze it to make smart decisions for our business. This is Threat Path Intelligence, and it should be added into your information security program. Threats evolve and are released on an hourly basis, your business must do everything not fall behind.