Introduction:

Threat intelligence is where the scariest things in the world live. Threat intelligence is commonly defined as "the analysis of intelligence data that may indicate a possible threat to an entity." In other words, it is about identifying and understanding what could harm us and how to protect ourselves from it. Yet even when we are well prepared, we often cannot stop fearing such things. The mind plays tricks on us and makes it seem that our precautions are not enough, or that these things will happen anyway because they always do. This is where resilience comes in: resilience is the ability to adapt, which people exercise by facing their fears with hope and confidence despite the odds against them.

What is Threat Intelligence?

Threat Intelligence is information on current and future security risks and threats: their sources, the impact they can have, and how they could be avoided or mitigated. It is critical to understand that Threat Intelligence is not just a list of publicly available information. It requires thorough analysis of data, methods and tools to predict and prevent potential attacks.

The Roadmap

First, let's start by understanding the basics of intelligence gathering and analysis as done by Threat Intelligence companies:

Knowledge is power; information is precious (information superiority). Information superiority does not mean having more data, but having faster access to better-quality data. This can be achieved by collecting data from a variety of sources (open sources, classified systems) in bulk and at high speed using automation software. Analysis of the collected data should be done by a highly trained team of analysts. The identified threats should then be conveyed to the closed-source teams (cybersecurity, internal investigations) for further action.

Basic Information Gathering done by Threat Intelligence Companies

Information gathering is all about finding the relevant pieces of information you need. The key term here is "relevant". You cannot gather everything, but you can gather many things that are relevant to your area of interest. For example, it is not useful to collect intelligence on how the Middle East is doing unless your area of interest is the Middle East. In other words, if your business is technology and you have competitors in the South America and Asia Pacific regions, then you should focus on those areas first (your core competencies).

Basic Threat Hunting

Threat Hunting is the process of identifying and dealing with possible threats and vulnerabilities. Usually, the best candidates for threat hunting are companies that are short on budget, such as small businesses, because it can be done by a single person at no extra cost. To identify potential threats you need to perform internal reconnaissance. This means figuring out what your company owns (assets) and what your company does (activities). Based on these answers you will be able to identify potential threat vectors. For example, if our company builds websites, then we have domains and hosting servers as assets. Our activities include, but are not limited to, software development, network administration and third-party service management. Based on this information we need to assess our assets for potential vulnerabilities. The first step in the process is to collect all of the assets and their configurations from various sources (housekeeping systems, log files, configuration). The next step is to obtain the network diagrams. These will help us figure out how all of these things work together.
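The first step above, collecting assets from several sources, is where a hunt usually finds its first surprises: hosts that serve traffic but appear in nobody's inventory, or inventoried hosts that no longer exist. The script below is an added example, not part of the original article; it reconciles a constructed housekeeping inventory with hostnames parsed from an nginx-style config and from access-log lines, and reports the gaps. The hostnames, config and log lines are all made up for the example.

```python
import re

# Constructed sample inputs: what three sources say a web-hosting company owns.
HOUSEKEEPING_INVENTORY = {"www.example.com", "api.example.com", "legacy.example.com"}

WEB_SERVER_CONFIG = """\
server { server_name www.example.com; root /var/www/www; }
server { server_name api.example.com; proxy_pass http://10.0.0.5:8080; }
server { server_name staging.example.com; root /var/www/staging; }
"""

ACCESS_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 host=www.example.com',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /v1/users HTTP/1.1" 200 host=api.example.com',
    '198.51.100.4 - - [10/Oct/2023:13:57:12 +0000] "GET /admin HTTP/1.1" 401 host=staging.example.com',
]


def hosts_in_config(config):
    """Collect every name listed in a server_name directive (one directive may list several)."""
    names = set()
    for match in re.finditer(r"server_name\s+([^;]+);", config):
        names.update(match.group(1).split())
    return names


def hosts_in_logs(lines):
    """Collect the host= field from each access-log line that carries one."""
    return {m.group(1) for line in lines if (m := re.search(r"host=(\S+)", line))}


def reconcile(inventory, config_hosts, log_hosts):
    """Compare what the asset owners believe they own with what is configured and receiving traffic.

    unknown   -> serving traffic or configured, but absent from the inventory (shadow asset)
    stale     -> in the inventory, but neither configured nor seen in logs (verify or retire)
    confirmed -> present in the inventory and observed in at least one technical source
    """
    observed = config_hosts | log_hosts
    return {
        "unknown": sorted(observed - inventory),
        "stale": sorted(inventory - observed),
        "confirmed": sorted(inventory & observed),
    }


def run():
    return reconcile(HOUSEKEEPING_INVENTORY, hosts_in_config(WEB_SERVER_CONFIG), hosts_in_logs(ACCESS_LOG))


if __name__ == "__main__":
    for category, hosts in run().items():
        print(f"{category}: {', '.join(hosts) or '-'}")
```

Unknown hosts are the ones to chase first: they carry the company's name and traffic but sit outside its patching, monitoring and ownership records.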

Threat Hunting Process

Let's break it down into a more concrete example: we are an international IT company working with clients from the Europe and Asia Pacific regions. As the central business unit (CBS) we have subsidiaries in different countries: Japan, North America, Russia and South America. All applications that we build share the same design and functionality.

Conclusion:

Based on the analysis, it was determined that our clients do business in a certain way (formal business processes). Each country has its own way of doing business, so we need to factor in the cultural differences. For example, Japanese clients favour banking because they handle large amounts of money, while Russian clients favour gambling and betting. With this knowledge we can better understand how our clients communicate with us and what kind of information they want to share. Also, some of the software systems we offer customers support different currencies depending on their location. Based on the above information we can start threat hunting and establish risk mitigation strategies for the different countries.