What to Look for in a Threat Intelligence Platform
Data protection and breach prevention have never been higher on the agenda. More and more IP assets and private details about customers, users, and employees are stored and transmitted online across multiple internal and external systems.
While that can be beneficial in many ways, this digital-driven environment has made it increasingly easy and lucrative for malicious outsiders to execute all kinds of sneaky attacks: advanced persistent threats, malware, phishing, and countless others. As a result, almost five million records are lost or stolen every day, and the cost of cybercrime worldwide is projected to rise to $6 trillion annually by 2021.
On the regulatory side, new laws are also putting additional pressure on corporations’ shoulders. For example, the General Data Protection Regulation (GDPR), which recently came into force, requires companies to notify the authorities of data breaches no later than 72 hours after discovery or pay hefty penalties for non-compliance.
That’s the cybersecurity landscape we live in. And it can be overwhelming for IT security professionals with limited resources to tackle everything coming their way. That’s why threat intelligence matters: it helps analysts understand the nature and prominence of cyberattacks by looking at several parameters, among which:
IPs and domain names
Let’s say you want to know more about a host. Which IP addresses are behind a given domain name? What’s their geographical distribution? Are other domain names using these same addresses? This information tells you how established a host might be, for instance whether it operates via a shared web hosting service or on dedicated infrastructure, and lets you anticipate the potential vulnerabilities of each approach. Knowing where hosted data is located is also essential to review the corresponding legal implications regarding privacy, storage, and transmission.
How secure is a website? Should you and your employees feel comfortable sharing data there? Similarly, might prospective customers have concerns about using services that you may provide online? Analyzing a website to assess potential security risks such as the following ones is essential:
- Poorly written HTML source and outgoing links to malicious hosts and pages
- Weakly protected content management systems
- Content that may be harmful, e.g., extensions capable of running code
- Third-party service integrations requiring a lot of confidential data
- Other host configuration issues exploitable by hackers
Can you tell whether a hacker might be impersonating a host with a legitimate-looking web page? It’s possible to authenticate the identity of a website and encrypt the information shared with it using SSL certificates, showing visitors whether a domain name is safe through the “https://” in the displayed URL and the “secure” label to the left of it. As part of a threat intelligence analysis, you can also monitor chains of SSL certificates, letting you know whether a host’s sequences of outgoing links and websites are protected against spoofing.
Malware attacks can lead to disastrous consequences for companies — e.g., data theft and infected or blocked systems. A good threat intelligence platform helps to stay on top of all publicly known malware threats by retrieving information from the major malware databases available on the Web in addition to gathering its own security intelligence. Externalizing this process can be very convenient and efficient for IT security specialists who no longer need to do this time-intensive task manually and can, as a result, focus their efforts on other critical security aspects.
Here is another valuable piece of information for IT analysts. WHOIS records give details about domain names, including registration and expiration dates. So why should you care? Well, scammers may try to fool victims by buying a domain name that looks similar to that of an established organization. As such, you probably should be suspicious of names that are only a few weeks or months old. Additionally, WHOIS records show whether domain owners’ contact details are public, a sub-optimal practice since it tells hackers who potential easy targets might be.
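The domain-age and public-contact checks described above, as an added example that is not part of the original article. The WHOIS record text is constructed for the example (placeholder `.test` domains, not real registrations), and the parsing is a simple heuristic over the common "Creation Date" / "Registrant" field names rather than a full WHOIS parser; a real platform would fetch the record from the registry first.

```python
# Added example: flag recently registered look-alike domains and public
# registrant contact details from WHOIS record text.
# The records below are constructed placeholders, not real WHOIS output.
import re
from datetime import datetime, timezone

SAMPLE_WHOIS = {
    # Long-established domain with privacy-protected registrant (constructed).
    "example-bank.test": (
        "Domain Name: EXAMPLE-BANK.TEST\n"
        "Creation Date: 2009-03-14T09:15:00Z\n"
        "Registry Expiry Date: 2026-03-14T09:15:00Z\n"
        "Registrant Name: REDACTED FOR PRIVACY\n"
    ),
    # Look-alike ("1" for "l") registered weeks ago, contact exposed (constructed).
    "examp1e-bank.test": (
        "Domain Name: EXAMP1E-BANK.TEST\n"
        "Creation Date: 2024-05-02T17:42:11Z\n"
        "Registry Expiry Date: 2025-05-02T17:42:11Z\n"
        "Registrant Name: John Doe\n"
        "Registrant Email: jdoe@example.test\n"
    ),
}

# Registries label the field differently; match the common spellings.
CREATION_RE = re.compile(
    r"^(?:Creation Date|Created On|Registered On):\s*(\S+)", re.I | re.M
)
CONTACT_RE = re.compile(r"^Registrant (?:Name|Email):\s*(.+)$", re.I | re.M)


def parse_creation_date(record):
    """Return the creation timestamp as an aware UTC datetime, or None."""
    m = CREATION_RE.search(record)
    if not m:
        return None
    raw = m.group(1).rstrip("Z")  # fromisoformat() accepts date or date-time
    created = datetime.fromisoformat(raw)
    if created.tzinfo is None:
        created = created.replace(tzinfo=timezone.utc)
    return created


def domain_age_days(record, now=None):
    """Age of the registration in whole days, or None if no creation date."""
    created = parse_creation_date(record)
    if created is None:
        return None
    now = now or datetime.now(timezone.utc)
    return (now - created).days


def contact_is_public(record):
    """True when a registrant name/email is present and not redacted."""
    m = CONTACT_RE.search(record)
    return bool(m) and "REDACTED" not in m.group(1).upper()


def assess_domain(domain, record, now=None, min_age_days=90):
    """Summarise the WHOIS-based warning signs for one domain."""
    age = domain_age_days(record, now)
    findings = []
    if age is None:
        findings.append("no creation date in WHOIS record")
    elif age < min_age_days:
        findings.append(f"registered only {age} days ago")
    if contact_is_public(record):
        findings.append("registrant contact details are public")
    return {"domain": domain, "age_days": age, "findings": findings}


if __name__ == "__main__":
    for name, rec in SAMPLE_WHOIS.items():
        print(assess_domain(name, rec))
```

The 90-day threshold is an assumption for the example; tune it to your own tolerance, and treat a young domain whose name resembles one of your brands as a higher-priority finding than either signal alone.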
Businesses use email extensively every day, making the medium an attractive source of confidential data for hackers as well as a vulnerability point that can significantly disrupt operations when exploited. That’s why you want to work with website owners who have done their part in securing email communications. Threat intelligence services enable you to follow best practices such as SPF and DMARC record configuration and to check whether mail servers have been blacklisted because of spamming activities and other bad practices.
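An added example, not from the original article, of the SPF and DMARC configuration check a platform would run for a domain. The TXT records are constructed for the example and served from an in-memory table (`SAMPLE_TXT`) in place of a live DNS lookup; the checks follow the record syntax of RFC 7208 (SPF) and RFC 7489 (DMARC) but are deliberately limited to the settings that most often leave a domain spoofable.

```python
# Added example: evaluate a domain's SPF and DMARC TXT records for the
# weak settings that let anyone send mail in the domain's name.
# SAMPLE_TXT is a constructed stand-in for DNS; the zones are placeholders.
import re

SAMPLE_TXT = {
    "weak.example.test": ["v=spf1 +all"],                 # permits every sender
    "_dmarc.weak.example.test": [],                       # no DMARC at all
    "strong.example.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.test -all"],
    "_dmarc.strong.example.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example.test; pct=100"
    ],
    "middling.example.test": ["v=spf1 include:_spf.mail.test ~all", "v=spf1 -all"],
    "_dmarc.middling.example.test": ["v=DMARC1; p=none; rua=mailto:rep@middling.example.test"],
}

ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.I)


def lookup_txt(name, zone=SAMPLE_TXT):
    """Stand-in for a DNS TXT query (assumption: replace with a resolver)."""
    return zone.get(name, [])


def check_spf(records):
    """Return a list of SPF weaknesses (empty list means nothing flagged)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    findings = []
    if len(spf) > 1:
        # RFC 7208 section 4.5: more than one record is a permanent error.
        findings.append("multiple SPF records (receivers treat this as permerror)")
    qualifier = None
    for term in spf[0].split()[1:]:
        m = ALL_TERM.match(term)
        if m:
            qualifier = m.group(1) or "+"
    if qualifier is None:
        findings.append("no 'all' mechanism; unlisted senders get a neutral result")
    elif qualifier == "+":
        findings.append("'+all' authorises every sender on the Internet")
    elif qualifier == "?":
        findings.append("'?all' is neutral; unlisted senders are not rejected")
    elif qualifier == "~":
        findings.append("'~all' softfail; relies on DMARC to enforce")
    return findings


def check_dmarc(records):
    """Return a list of DMARC weaknesses (empty list means nothing flagged)."""
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["no DMARC record"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "")
    if policy not in ("reject", "quarantine"):
        findings.append(f"policy p={policy or 'missing'} does not block spoofed mail")
    if "rua" not in tags:
        findings.append("no rua address; spoofing attempts go unreported")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return findings


def assess_mail_domain(domain, zone=SAMPLE_TXT):
    """Combine SPF (at the apex) and DMARC (at _dmarc.<domain>) results."""
    return {
        "domain": domain,
        "spf": check_spf(lookup_txt(domain, zone)),
        "dmarc": check_dmarc(lookup_txt("_dmarc." + domain, zone)),
    }


if __name__ == "__main__":
    for d in ("weak.example.test", "strong.example.test", "middling.example.test"):
        print(assess_mail_domain(d))
```

The `include:` targets are not followed here; a fuller check would recurse into them and count the DNS lookups against the limit of ten that RFC 7208 imposes, since exceeding it also yields a permerror.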
Is a host prone to a single point of failure? It’s usually a good idea to decentralize name servers through DNS so that a website and its applications are still able to operate even if part of the system fails. Threat intelligence tools allow users to review resilience parameters and make recommendations about the best way to proceed, e.g., the number of name servers, their distribution across networks and autonomous systems, A/AAAA record configuration, and whether the various records and processes can be linked to the parent name server.
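The name-server resilience review described above, as an added example that is not part of the original article. The name server data (`SAMPLE_NS`: server name, IPv4 address, optional IPv6 address, and the autonomous system each sits in) is constructed with documentation address ranges and private-use ASNs; a real platform would populate it from NS, A and AAAA lookups plus an IP-to-ASN source. The thresholds are assumptions for the example.

```python
# Added example: score a zone's name-server set for single points of failure.
# SAMPLE_NS is constructed placeholder data, not real DNS or routing data.
import ipaddress

SAMPLE_NS = {
    # Two servers, same /24, same ASN, no IPv6, both inside the zone itself.
    "fragile.example.test": {
        "ns1.fragile.example.test": ("192.0.2.10", None, 64500),
        "ns2.fragile.example.test": ("192.0.2.11", None, 64500),
    },
    # Four servers across two providers, two networks, three ASNs, dual-stack.
    "robust.example.test": {
        "a.ns.provider-one.test": ("198.51.100.5", "2001:db8:1::5", 64501),
        "b.ns.provider-one.test": ("198.51.100.6", "2001:db8:1::6", 64501),
        "c.ns.provider-two.test": ("203.0.113.7", "2001:db8:2::7", 64502),
        "d.ns.provider-two.test": ("203.0.113.8", "2001:db8:2::8", 64503),
    },
}


def resilience_report(domain, ns_map=SAMPLE_NS, min_servers=2,
                      min_networks=2, min_asns=2):
    """Return counts plus a list of findings for the zone's name servers."""
    servers = ns_map[domain]
    # Group IPv4 addresses by /24 as a coarse "same network" proxy (assumption).
    networks = {
        ipaddress.ip_network(f"{v4}/24", strict=False)
        for v4, _, _ in servers.values()
    }
    asns = {asn for _, _, asn in servers.values()}
    ipv6_count = sum(1 for _, v6, _ in servers.values() if v6)
    # Servers named inside the zone they serve need glue from the parent;
    # if every server is in-zone, resolution depends entirely on that glue.
    in_zone = sum(1 for ns in servers if ns.endswith("." + domain))

    findings = []
    if len(servers) < min_servers:
        findings.append(f"only {len(servers)} name server(s)")
    if len(networks) < min_networks:
        findings.append("all name servers share one /24 network")
    if len(asns) < min_asns:
        findings.append("all name servers sit in one autonomous system")
    if ipv6_count == 0:
        findings.append("no AAAA records; unreachable from IPv6-only resolvers")
    if in_zone == len(servers):
        findings.append("every name server is in-zone; fully dependent on parent glue")

    return {
        "domain": domain,
        "servers": len(servers),
        "networks": len(networks),
        "asns": len(asns),
        "ipv6_servers": ipv6_count,
        "findings": findings,
    }


if __name__ == "__main__":
    for zone in SAMPLE_NS:
        print(resilience_report(zone))
```

The /24 grouping is a rough stand-in for "same network"; where routing data is available, grouping by announced prefix is more accurate, and the same structure extends to checking that each server actually answers authoritatively for the zone.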
Considering today’s advanced malicious attacks and ever-stricter regulations, understanding the nature of cyber threats, their risks, and their implications has become a top priority. Threat intelligence platforms can help you run efficient threat assessments and provide insights about where to prioritize security efforts to safeguard your users, data, and systems.