Threat Intelligence Benefits for the enterprise


  • Threat Intelligence. ©NCC Group 2015. All rights reserved.

    Contents

    Introduction

    Threat intelligence: a maturing defence differentiator

    Understanding the types of threat intelligence: from the generic to the specific

    Deriving value from threat intelligence

    3.1 The value of threat intelligence

    3.2 Threat intelligence insights

    3.3 Extracting the benefits and understanding the value

    Conclusion


    It seems not a week goes by without a cyber security story making headlines. It might be regarding a major organisation suffering a data breach, the discovery of a new critical software vulnerability or details of a new campaign being waged by a sophisticated threat actor. Organisations of all shapes and sizes are increasingly becoming targets for miscreants and while attacks are generally more sophisticated, even the trivial ones can cause damage to share price and have a serious impact on the bottom line.

    Yet despite this, risk awareness and understanding of the problem is still poor at board level and businesses need to recognise that they need to be more proactive in their approach to cyber risk minimisation and mitigation.

    Ignorance is negligence.

    Assuming it is possible to build an impenetrable perimeter is no longer a viable strategy. Instead, a mature governance and risk strategy must be mixed with a proactive approach that ensures resilience, layered defences, protective monitoring and acknowledgement that some attacks will be successful. Everything must be joined up, from risk and impact minimisation to detection and response.

    Each organisation’s security strategy will be unique to its risk appetite, attributes and characteristics, but one thing that remains constant is the need for threat intelligence to inform it.

    Only through threat intelligence can organisations fully understand the risks, threat actors and the capabilities they face day-to-day and year-to-year. By understanding these things an organisation is able to have informed views on both resource allocation and the appropriate defensive actions. Without it an organisation essentially has its eyes closed.

    This paper looks at the benefits of threat intelligence to the enterprise, and why it is becoming a much sought after tool.

    Threat intelligence: a maturing defence differentiator

    The increasing sophistication of cyber attacks has led to the threat intelligence market maturing as it moves from its traditional focus of government and military, to something that is consumed by a much wider group.

    While governments will always have certain unique capabilities due to their signals, human and other unique intelligence gathering apparatus, private threat intelligence companies are increasingly demonstrating an ability to collect, analyse and publish a rich set of insights that enterprise organisations can make use of to inform cyber strategy, resource allocation and defensive actions. These private sector companies are able to provide significant value to their customers free from certain constraints that governments face when interacting with the private sector.

    When it comes to threat intelligence the private sector’s ability has been built, in no small part, by mirroring government-like capabilities where possible, coupled with an ability to work with affected first party organisations in close partnership to fill in any blanks. In developing these close working relationships, private threat intelligence companies are able to collect, aggregate, analyse, study and disseminate information on a range of threats allowing private enterprise customers to make informed decisions and responses at strategic, tactical and operational levels.

    Today threat intelligence is increasingly used by enterprises to inform risk decisions and also to influence or direct them tactically and operationally in response to a range of threats.

    Understanding the types of threat intelligence: from generic to the specific

    For organisations looking to consume threat intelligence it is useful to understand the types of intelligence that are available today and how each is collected and produced. This knowledge is important in order to understand the intended audiences, how the intelligence will typically be consumed and what benefits can be derived by the enterprise that is consuming it.

    Threat Intelligence Type: Geopolitical Intelligence

    Analysis and summary of threats related to or originating from certain geographies or political alignments. The target of the threat may be organisations operating in said geography, doing trade with it or be otherwise of interest to threat actors because of activities associated with said geographical or political alignment.

    Collection/Production Method:

    • Geopolitical environment
    • Media monitoring
    • Human intelligence
    • Open Internet monitoring
    • Darkweb monitoring
    • Private group infiltration and monitoring
    • Cyber incident response
    • Malware analysis
    • Sensor-based network monitoring
    • Host technical analysis
    • Estate protective monitoring

    Threat Intelligence Type: Threat Actor Intelligence

    Analysis of threat actors, their capabilities, previous targets, motivators, goals, successes, techniques, procedures, observables and potential future targets or similar criteria.

    Collection/Production Method:

    • Human intelligence
    • Open Internet monitoring
    • Darkweb monitoring
    • Private group infiltration and monitoring
    • Cyber incident response
    • Malware analysis
    • Sensor-based network monitoring
    • Host technical analysis
    • Estate protective monitoring

    Threat Intelligence Type: Campaign Intelligence

    Analysis of previous, ongoing or planned campaigns i.e. acts intended to impact a target. Target information may be as broad as a sector or as specific as an organisation. Threat actor details including techniques and planned procedures can range from highly specific to very broad depending on the quality and specificity of the source and type of threat intelligence.

    Collection/Production Method:

    • Human intelligence
    • Open Internet monitoring
    • Darkweb monitoring
    • Private group infiltration and monitoring
    • Cyber incident response
    • Malware analysis
    • Sensor-based network monitoring
    • Host technical analysis
    • Estate protective monitoring
    • Industry intelligence sharing

    Threat Intelligence Type: Incident Intelligence

    Indicators or identification of a specific incident that previously or currently impacts an organisation. Incidents may be current or past and include targeting, attempted breaches, breaches, availability degradation attempts, integrity impacting events and similar.

    Collection/Production Method:

    • Human intelligence
    • Open Internet monitoring (i.e. social media)
    • Darkweb monitoring
    • Private group infiltration and monitoring
    • Hunter teams
    • Sensor-based network monitoring
    • Host technical analysis
    • Estate protective monitoring
    • Botnet monitoring
    • Industry intelligence sharing

    Threat Intelligence Type: Technical Capability Intelligence

    Analysis of technical capabilities of one or more threat actors allowing the enterprise to understand if they should develop appropriate resilience strategies or have tactical or operational short term responses.

    Collection/Production Method:

    • Human intelligence
    • Open Internet monitoring
    • Darkweb monitoring
    • Private group infiltration and monitoring
    • Cyber incident response
    • Malware analysis
    • Sensor-based network monitoring
    • Host technical analysis
    • Estate protective monitoring
    • Industry intelligence sharing

    Threat Intelligence Type: Stolen Data Intelligence

    Indicators or identification that data belonging to, or originating from or otherwise impacting a specific organisation is in the possession of a third party or has been published in either a public or private forum.

    Collection/Production Method:

    • Human intelligence
    • Open Internet monitoring (i.e. social media)
    • Darkweb monitoring
    • Private group infiltration and monitoring
    • Cyber incident response
    • Sensor-based network monitoring
    • Host technical analysis
    • Estate protective monitoring
    • Industry intelligence sharing

    Threat Intelligence Type: Indicators of Compromise (IoC) Intelligence

    Typically machine signatures or other technical indicators which aid in the proactive and reactive defence of an estate.

    Collection/Production Method:

    • Human intelligence
    • Cyber incident response
    • Malicious code analysis
    • Sensor-based network monitoring
    • Host technical analysis
    • Estate protective monitoring
    • Industry intelligence sharing

    Deriving value from threat intelligence

    The value of threat intelligence

    For threat intelligence to have a business value to an enterprise it needs to be usable and this will depend on the seniority of the audience consuming it, as well as the specificity of the threat intelligence in question.

    Suffice to say an organisation that does not have a robust corporate governance, risk management capability, cyber resilience strategy and anti-fraud program in place, will likely not be able to action any intelligence it receives on its own. As such the first step to being able to derive value from threat intelligence is to be able to put it to good use - merely consuming threat intelligence for consumption’s sake without being able to further contextualise it will result in organisations gaining little, if anything.

    Threat intelligence insights

    The insights that threat intelligence can provide are described in the table that follows. By understanding the value of such intelligence and the types of insights it can provide, enterprises can extract the maximum value during their strategic, tactical and operational activities.

    Application of threat intelligence

    How threat intelligence can facilitate

    Insight into threats and associated risk faced by the enterprise

    • Provides understanding as to the wider threat landscape faced by an enterprise from a business, people and technology perspective, both now and emerging.

    • Intended to inform strategic and operational decisions along with responses at all levels within the business.

    • Provides insight into the risk of doing business in or with certain geographies, sectors or partners.

    • Provides insight as to who the likely threat actors are: their techniques, approaches, capabilities and motivators.

    • Highlight specific things of interest for specific threat actors either internal or external in origination.

    General threat landscape and horizon understanding

    • Provides understanding as to the wider threat landscape faced by the enterprise’s business, people and technology both now and emerging.

    • Intended to inform strategic, tactical and operational decisions along with responses at all levels within the business.

    • Provides an aggregated view of the threat landscape by geography, sector and size from a business, people and technology perspective.

    • Provides deep insight into technical capabilities, trends and areas of exposure.

    • Provides deep insight into means of successful defence and mitigation.

    Internet exposure understanding

    • Provides visibility of external exposure to a variety of techniques or procedures used by threat actors at personnel or enterprise level.

    • Examples include open source intelligence gathering techniques against staff, physical premises and technical infrastructure.

    • Summary of information available on the Internet about a specific individual, physical location, the wider enterprise or its supply chain that may facilitate targeting.

    • This understanding can then inform risk management or resilience strategies, tactical decisions or operational responses to minimise risk to the individual or the enterprise (see asset and user protection later in this table).

    Breach identification

    • Identification that a breach has occurred earlier than would otherwise have occurred allowing impact minimisation and a breach response, thus improving resilience.

    • Identification that a breach has occurred and potentially by whom and what if any access was gained, integrity degraded or data stolen before other means of notification or identification.

    • Supplies indicators of compromise which improve protective monitoring and operational defensive responses.

    • Allows understanding of exposure and management of breach situations that would otherwise not be known informing strategic, tactical and operational responses.

    Breach prevention

    • Identification of new threats allowing a proactive response resulting in improved resilience against initial compromise.

    • Provides insight into threat actors, their targets, tactics, techniques, procedures and their capabilities.

    • Identifies evolving or emerging campaigns that might target the consumer, allowing a considered response at business and operational level to minimise risk while ensuring business continuity.

    Fraud and theft minimisation

    • Identification of the causes, actors and targets of theft or fraud using technology as a tool.

    • Provides insight into threat actors, their targets, tactics, techniques, procedures and their capabilities.

    • Identifies target organisations (first or second party) or users that will, would or could facilitate in the threat actors’ missions.

    Asset protection and risk minimisation

    • Identification of assets which should have their protection profiles changed due to an evolving threat.

    • Identification of assets subject to an increased threat.

    • Insight into threat actors, their targets, tactics, techniques, procedures and their capabilities.

    • Insight into detection and other protective measures which can be employed.

    User protection and risk minimisation

    • Identification of users who should have their protection profiles changed due to an evolving threat.

    • Identification of users subject to an increased threat.

    • Insight into threat actors, their targets, tactics, techniques, procedures and their capabilities.

    • Insight into detection and other protective measures which can be employed.

    Using threat intelligence in the enterprise: deriving value

    Extracting the benefits and understanding the value

    For an enterprise, gaining an early understanding on what they may face and when and what the likely impact may be can yield financial benefits. These financial benefits are realised in a number of ways but will normally manifest themselves through:

    • Increased confidence in responding with agility to new opportunities while managing risk.

    • Investment protection and loss/disruption minimisation.

    • Reduced likelihood of regulatory or compliance related punitive costs due to reduction in breach likelihood, impact and length and demonstration of good governance and risk management.

    • Minimising levels of capital and operational spend on unnecessary services, staff and technology.

    • Cost management around risk offsetting such as insurance.

    However, these benefits don’t come for free. As we have already stated, if an organisation does not have a robust corporate governance, risk management capability and cyber resilience strategy in place it likely won’t be able to action any intelligence it receives. As such the first step to being able to derive value from threat intelligence is to be able to put it to good use. Merely consuming threat intelligence for consumption’s sake without being able to further contextualise and action will result in organisations gaining little if anything other than a tick in the box for having threat intelligence.

    There is often a tendency to think of threat intelligence as an operational or tactical tool. However, the reality is that as the threats enterprises face become increasingly complex and blended it can become an enabler.

    As we have learnt in the loss minimisation space and in transactional decision systems, which are in part based on threat intelligence, prevention is far cheaper and more operationally effective than cure. However, we have also learnt that the application of threat intelligence in risk decisions has to be balanced so as not to hinder or limit the business by creating friction unnecessarily due to poor judgement and responses to a perceived threat.

    Over time it is likely that threat intelligence will go beyond just an enabler to increasingly something that yields a competitive advantage.

    Conclusion

    Threat intelligence can be an invaluable tool to mature and maturing enterprises alike. However, in order to derive this value the organisation must be able to consume, interpret and respond effectively.

    This is a maturing field with many potential sources providing different degrees of quality and value. It must also be remembered that threat intelligence can vary greatly, from the lowest level observable to the highest level indication of nonspecific potential threat to a general geography or sector. When planning your threat intelligence strategy, it is imperative that its role and function be understood in the wider context of the enterprise’s governance, risk management and cyber resilience strategies and tactics. Only by understanding its role in such contexts can enterprises gain the return on investment expected and better protect themselves from today’s continual and growing cyber threats.

    At NCC Group, we are at the forefront of this market using a blend of technical, signals and human intelligence sources to provide clear, bespoke views of the current threats faced by our clients. We provide threat intelligence services that build confidence and develop an understanding of your current capabilities, along with the vulnerabilities you face with the goal of developing a cyber-resilient organisation.


    For more information from NCC Group, please contact:

    +44 (0) 161 209 5324
    www.nccgroup.trust