In the context of cybersecurity, threat intelligence refers to information about hostile actors and/or the threats that they pose; cyber-defenders who arm themselves with such information can often dramatically improve their chances of preventing a breach.
Of course, the concept of knowing your enemy is not new – Sun Tzu speaks about its importance in The Art of War, written almost 2,500 years ago. But, in the case of cyberthreats, the relative value of threat intelligence can sometimes be even greater than it might be in the realm of physical security; cyber-defenders are often overwhelmed with more alerts and issues than they can possibly address, and, as a result, forgo protecting against some significant dangers in order to shield against others that they believe pose a greater threat. Without threat intelligence, cybersecurity pros often choose to address the vulnerabilities that in theory pose the greatest risks if exploited – an approach that may, at first glance, seem quite sensible, but which, in reality, often leads to severe problems, as some group of attackers invariably chooses to focus its energy on techniques that may offer less of a potential reward but also require far less effort to implement.
If those same cybersecurity professionals, however, arm themselves with real-time intelligence about what attackers are actually doing, the defenders can then prioritize addressing the risks that actually pose the greatest dangers, rather than those that do so only in theory. As such, threat intelligence enables cyber defenders to make better decisions on important matters – and to make those decisions faster – and lets them manage vulnerabilities far more efficiently and effectively than would otherwise be possible.
While robust threat intelligence offerings often include all sorts of detailed technical information about which specific vulnerabilities hackers are presently exploiting as well as what methods they are employing in order to do so, some aspects of threat intelligence are actually extremely simple – and yet can still provide significant security value.
One basic element of external threat intelligence, for example, is real-time information about which external IP addresses are known to belong to machines and/or networks that have been compromised and commandeered by hackers for use in botnets and for other nefarious purposes. Large corporations typically have access to such data – and use it both to reduce exposure to attacks, for example by blocking inbound traffic from devices known to be compromised, and to reduce losses incurred due to financial fraud – for example by flagging any online purchases made from a “compromised IP address” as potential fraud requiring manual verification prior to fulfillment.
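The two uses just described (blocking inbound connections from known-compromised addresses and holding purchases from them for manual review) both reduce to the same mechanic: ingest a reputation feed, match each event's source address against it, and act on the match according to the context. The following is an added illustration, not code from the article or from any feed vendor; the three-column feed format, the sample indicators (all from documentation ranges), and the helper names `parse_feed`, `lookup`, and `triage` are assumptions made for the example. It also handles two details a practitioner would want: CIDR-range indicators, and dropping indicators that are older than a chosen age, since stale entries are a common source of false positives when feeds are applied blindly.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample feed (hypothetical format, not any real vendor's):
# "indicator,category,last_seen", where indicator is a host address or a CIDR.
SAMPLE_FEED = """\
# comment lines and blank lines are ignored
203.0.113.7,botnet,2024-05-01T10:00:00Z
198.51.100.0/24,scanner,2024-05-02T08:30:00Z
192.0.2.0/28,fraud,2024-03-01T00:00:00Z
"""


def parse_feed(text, max_age=timedelta(days=30), now=None):
    """Parse feed lines into (network, category) tuples.

    Malformed lines are skipped, and indicators whose last_seen is older
    than max_age are dropped so that stale entries do not block or flag
    addresses that have long since been cleaned up and reassigned.
    """
    now = now or datetime.now(timezone.utc)
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        indicator, category, last_seen = parts
        try:
            # strict=False accepts host bits set in a CIDR (e.g. 10.0.0.5/24)
            net = ipaddress.ip_network(indicator, strict=False)
            seen = datetime.fromisoformat(last_seen.replace("Z", "+00:00"))
        except ValueError:
            continue
        if now - seen > max_age:
            continue
        entries.append((net, category))
    return entries


def lookup(entries, ip_text):
    """Return the category of the most specific matching indicator, or None.

    Longest-prefix match: a /32 entry wins over a /24 that also contains the IP.
    Unparseable addresses return None rather than raising.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    best = None
    for net, category in entries:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, category)
    return best[1] if best else None


def triage(entries, events):
    """Decide on each (source_ip, action) event.

    A matched address making a plain connection is blocked; a matched
    address making a purchase is held for manual review instead, since a
    false positive there costs a customer rather than a packet.
    """
    verdicts = []
    for src, action in events:
        category = lookup(entries, src)
        if category is None:
            verdicts.append((src, action, "allow"))
        elif action == "purchase":
            verdicts.append((src, action, f"hold-for-review:{category}"))
        else:
            verdicts.append((src, action, f"block:{category}"))
    return verdicts


if __name__ == "__main__":
    # Fixed "now" so the sample's staleness decisions are reproducible.
    feed = parse_feed(SAMPLE_FEED, now=datetime(2024, 5, 10, tzinfo=timezone.utc))
    sample_events = [  # constructed events, not real traffic
        ("203.0.113.7", "connect"),
        ("198.51.100.9", "purchase"),
        ("192.0.2.5", "purchase"),
    ]
    for verdict in triage(feed, sample_events):
        print(verdict)
```

The feed is re-parsed with the current time on each refresh, so an indicator ages out automatically once the source stops reporting it; tune `max_age` to how quickly the feed you actually subscribe to retires entries.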
Small businesses, however, often lack even basic external threat intelligence. Unless they receive relevant information from some Managed Service Provider performing other services for them, they rarely subscribe to services that provide feeds of such data, and are far less likely than their larger counterparts to participate in any meaningful and relevant information sharing groups.
Such a situation presents a terrible irony – the businesses that need threat intelligence the most are the ones that get it the least. Not only do the majority of cyberattacks target small businesses, but attacks against small businesses are far more likely to be successful than those launched against any of the Fortune 500, and the damage inflicted is often far more severe than when larger firms are hit; in fact, so relatively few small businesses have the spare resources needed in order to fully recover from the disruption, damage, and loss of customers that often accompany a severe breach, that some experts even estimate that the majority of small businesses that suffer a significant breach will completely fail and go bust within a year.
It is likely that many of the devastating cyberattacks that ultimately killed small businesses might have been prevented if the relevant defenders had had access to even a fraction of the threat intelligence information so commonly available to their counterparts at larger firms. I am personally familiar with more than one such case – including situations in which small businesses were compromised while in the process of patching – and a simple adjustment in the order of what systems were patched when might have prevented the entire breach.
As such, while the cost of threat intelligence can be significant, the cost of not having it can sometimes be much higher. Furthermore, technological advances have made it easier than ever for organizations with minimal human resources to leverage threat intelligence to improve security.
While it is true that individual small businesses may not be able to afford robust threat intelligence – the cumulative universe of small businesses certainly can. And, as the COVID-19 pandemic continues to force people to share more and more information electronically rather than in person, online exchanges and repositories are becoming increasingly powerful and popular – creating new opportunities for smaller businesses to share information, and to benefit from the world of threat intelligence more than they ever could in the past.
In a future piece I will explore the various types of threat intelligence – stay tuned.
This article is sponsored by CrowdSec, which recently released a free, open-source security engine for websites that allows businesses to identify and seamlessly share with one another information about risky devices attempting to connect – thereby improving security for the entire community of users.