2021 Threat Intelligence Top Actions

Add bookmark
Seth Adler
Seth Adler
01/12/2021

Our Threat Landscaping piece from October focused on how threat intelligence had changed since the onset of the pandemic. Our November piece on threat intelligence featured 5 questions CISOs were asking at that moment. 

Each piece focused on the fact that true threat intelligence involved collaboration with peers in industry, cross industry, with law enforcement and with regulatory bodies. It was understood that to call it “intelligence,” TI had to be a public/private community effort. 

On the eve of 2021, the SolarWinds attack took place. CISO minds will be focused all year long on the fallout. But it is clear now that the human intelligence about threat intelligence from the global CSHub community and showcased in 2020 was spot on.

That said, as written on Linkedin, “when concentration is magnified in one area, other areas don't get the same focus. With intense concentration US election cyber security, a supply chain attack within a software update took place. The Orion update from SolarWinds is currently inside of thousands of public and private institutions. Some have remediated the vulnerability. But Microsoft itself has noted in a statement that their investigation has “revealed attempted activities beyond just the presence of malicious SolarWinds code.” 

With more than 140,000 members, Cyber Security Hub is the vibrant community connecting cyber security professionals around the world.

The Goal Is Actionable Insights

“Threat intelligence is a very broad water hose that could suffocate you. Get your threat intelligence customized for your industry vertical. If you are in banking, focus on banking threats. Everything else is nice to have. Don't ignore what's happening to hospitals but that can't be your core focus. It's just too much information. ‘Put the intelligence back into it,’ to be honest. At the very least, make sure that you have an industry mindset, and an industry understanding of the threats that are out there. Start with that and filter it down.”

Too much information does not provide intelligence. Filter to your core focus on your industry but retain a wide enough aperture to take actionable insights from other industries into account. 



Nation State vs. Rogue Malicious Actors 

“There are external threat actors trying to influence your business. So it’s very important to understand where your risks lie, where your threats lie. 

When conceiving of a rogue malicious actor who ultimately would like to secure ransome- global corporate enterprise must take internal risks and threat vulnerabilities. Those risks and vulnerabilities are most likely different when conceiving of the intentions of a malicious actor in the form of a nation state.

 

Don’t Lose Multifocal Cyber Security Vision

“To go out and do research on trends and tactics and things that are going on is important. And of course as we now all know empirically, looking for nation states and their methodologies or tactics, techniques and protocols is key. But you can't lose focus on what you need to know today- you also need to keep an eye on the ball. What are the phishing campaigns that are targeting your company or industry? What are the data loss opportunities for people to come in and steal your data? Threat intelligence needs to be actionable, it needs to be timely, and it needs to be pertinent to the day-to-day operations. 

Diving down the rabbit hole scurrying after Orion needs to be done. But not to the detriment of tried and true day to day cyber security operations. Rabbits have limited color perception to humans. Eye glasses help humans see better. Bifocals provide a second option of vision to traditional glasses. But the industry already had adapted to progressive lenses while consistently checking the rear view mirror to ensure a wide cyber landscape field of vision. But 2021 looks to be the year that the CISO becomes the human wearing progressive lenses in the seat of an autonomous vehicle with 29 cameras looking at all vectors.

 

Collaboration And Knowledge Sharing Are Imperative

“Collaborate, share information, network with your peers in industry and also cross industry. Don't be scared to share war stories that help other individuals so organizations can prevent that same thing happening. Threat intelligence isn’t one way.”

Working on a breach of its own, FireEye came across the SolarWinds Orion breach. They shared the information. At the time of this peace, we know that tens of thousands of private and public institutions are vulnerable. Knowledge sharing is what will help each company as well as the entire community.