Every IT Security team needs access to some sort of Threat Intelligence (TI). It is an umbrella term for the collection of information and data on security risks and the threat actors behind them. Together, this information helps to prevent or limit incoming threats, and provides insights when mitigating an incident or event in Incident Response scenarios. Going one level deeper, External Threat Intelligence (ETI) focusses mainly on combining internal risk data with threat intelligence originating from outside the organisation.
Different types of Threat Intelligence
There are four approaches to (External) Threat Intelligence: strategic, tactical, operational and technical.
- Strategic ETI: This is the kind of information that is generally less technical. It focusses on broader insights into digital risks and the threat actors behind them. This approach also takes geopolitical, environmental, and organisational factors into account.
- Tactical ETI: This is the kind of intelligence that shows what methods threat actors employ to reach their intended goal. Do they work their way in via the supply chain? What data might they be after? It helps determine what to prioritise in terms of mitigation actions or active monitoring.
- Operational & Technical ETI: Operational and Technical Threat Intelligence share many similarities. They both deal with the types of attacks and their technical aspects. How does ransomware get into the systems and what does it affect? What kind of vulnerabilities or misconfigurations are abused more often? This helps determine the type of tools and infrastructure threat actors use, and how to proactively detect such attacks.
Attack surface management within the Threat Intelligence landscape
When detecting risks to your brand, there are generally two sides to take into consideration. On the one hand, there are risks and vulnerabilities within your own systems. You can manage, resolve, and mitigate these to limit your organisation’s attack surface. Examples of such risks within your brand’s attack surface are misconfigurations in netblock settings, lacking email security, or expired SSL certificates.
On the other hand, there are threats directed at your organisation from outside of your control. Examples are phishing campaigns or copy-cat social media accounts that mislead or steal from your customers. These external risks also extend to the digital security of the third parties your organisation is connected to.
Automated Threat Intelligence
Naturally, combining the information and risk data from within your organisation with external threat intelligence will provide IT Security teams with the best insights and context to manage digital risks.
The drivers for External Threat Intelligence can be put into three categories.
- Threat evolution
- Technological evolution
- Regulatory trends
These three factors all come together in your attack surface. That is why automating processes such as asset discovery, vulnerability detection, and risk monitoring benefits both security practices and strategic decision-making. This saves time and resources on an operational level, provides data for better informed governance, and keeps productivity high throughout the entire organisation.
Cybersprint as External Threat Intelligence provider
Independent research firm Forrester has conducted a study into External Threat Intelligence Services. Their Q4 2020 report provides an overview of the providers in the market, helping organisations choose the right service for their needs. Cybersprint is included in the report.