Threat intelligence can feel like a firehose of data to security teams who are already struggling to keep their heads above water patching, fixing and hardening networks.
We like Gartner’s definition of threat intelligence, which is “evidence-based knowledge about existing or emerging hazards or menaces to assets.” Key Gartner factors to threat intelligence include:
- The context of an asset relative to the threat
- The mechanisms used by hackers to exploit a vulnerability
- Indicators of compromise
- The business implications of an asset being compromised.
If only all parts of that definition were universally adopted across all modern security programs, threat intelligence would be among the most powerful weapons in a defenders’ arsenal. It would allow security teams to go from reactive to proactive overnight.
One fresh approach to solving this challenge is a new category within External Attack Surface Management (EASM) called Exploit Intelligence. It fills the gap between threat intelligence and vulnerability management. It allows security teams to weigh heavily the probability of an attack and the attractiveness of a vulnerable asset when prioritizing what the most urgent mitigation efforts must be.
It’s a huge differentiator within the EASM space, one that solves the firehose problem. Here’s why exploit intelligence is a vital and needed step forward for EASM and security.
By the way, Exploit Intelligence is also the name of CyCognito’s latest iteration of its EASM platform, announced Thursday.
The Threat Intelligence Challenge
In theory, threat intelligence is a vital part of keeping networks safe, but in practice, threat intelligence isn’t always action-oriented advice. Instead, it is raw data gathered from a broad array of sources, ranging from cybersecurity researchers’ blogs, mainstream media reports and open-source and proprietary threat feeds.
There’s no doubt that the information is valuable, but the stream is deep, broad and fast-flowing. And therein lies the problem. The biggest challenge in operationalizing threat intelligence is figuring out what information (data feed) is pertinent to your organization, as well as determining how to act upon that information.
The Threat Intelligence Firehose
In order to understand which feeds are most relevant, you need foundational knowledge of which assets are present within your environment.
Mapping your company’s organizational structure is an essential first step. This allows you to understand what your external attack surface looks like to attackers, right down to every subsidiary, connected cloud resource and employee home router.
The next consideration is the external threat landscape. EASM platforms offer an outside-looking-in perspective on your attack surface from an adversary’s perspective. Gartner calls this “evidence-based knowledge about existing or emerging hazards or menaces to assets.” Data is culled via an automated reconnaissance process that factors in a host of data feeds including old and new Common Vulnerability and Exposure (CVE) bulletins.
Threat intelligence also includes specific analyst research developed over time. This data often includes insights from individual analysts who may spend years or even decades deeply embedded in criminal networks and Dark Web forums. Sometimes this deep data pool of threat intelligence is relevant to you, sometimes it’s not. Knowing the difference is key.
Needless to say, what researchers uncover is not always relevant to your specific organization. Even if a credible threat targeting a particular CVE were to be discovered, it’s only actionable if you know which of your assets have that vulnerability, whether or not it has been patched and where the vulnerable asset is located within your attack surface.
A detailed understanding of your attack surface is the prerequisite for applying threat intelligence.
Always Be Strategic, Tactical and Operational
If you want threat intelligence to be relevant and actionable, you need to ask the right questions. Those questions touch on how to use data in a strategic, tactical and operational way.
Here is a breakdown of the three core EASM threat intel subcategories governing the use of data:
- Strategic: data reveals broader attack trends in less-technical or non-technical terms, typically concerning threat actors or so-called Advanced Persistent Threats (APTs).
- Tactical: data outlines an attackers’ tactics, techniques and procedures (TTP) for a more technical audience - typically including specific Indicators of Compromise (IOCs).
- Operational: data details specific attack sequences and real-world campaigns, typically providing a combination of strategic and tactical threat intelligence delivered as actionable guidance.
Sipping from the Firehose
To properly leverage threat intelligence first, you need an omniscient-like view of your assets and attack surface. Only then can you connect the dots between potential and real threats and highest risk assets that need immediate mitigation.
Without a 360-degree view of your attack surface, threat intelligence is rarely going to be specific enough to enable you to prioritize activities within your security program and tell you what vulnerabilities to patch first. As they say, adversaries need only one weak point to breach an organization, while you are accountable for every possible vulnerability across your entire external attack surface.
An EASM solution like the CyCognito platform enables you to see your environment exactly as attackers do. Like the tools that attackers use, CyCognito performs comprehensive and ongoing reconnaissance across the entire attack surface to find the path of least resistance into your environment. This lets you see which vulnerabilities are present and, and thus, understand which indicators of compromise (IOCs) in threat intelligence are relevant.
EASM IQ Boost: Introducing Exploit Intelligence
By parsing threat intelligence, vulnerability management data and having a complete map of an organization’s unique external attack surface gives you Exploit Intelligence.
This is a new technology category that layers the understanding of how vulnerabilities are currently being exploited in the wild with a map of vulnerabilities in your attack surface. It’s a step toward empowering security teams with knowledge and not just reams of CVE and threat intel data.
With Exploit Intelligence security teams reduce Mean Time to Remediation of vulnerable assets from weeks to days. CyCognito’s Exploit Intelligence shows you which assets are most impacted by current threats, as well as instructions on how to validate the finding (and advice on whether it’s safe to do so). These are insights you can act upon.
With Exploit Intelligence you get relevant information that’s tailored to your environment and designed to expedite remediation of the most critical vulnerabilities in your attack surface.
Want to learn more about how EASM and threat intelligence work together? Download our new comparison brief to see how Exploit Intelligence serves as a force multiplier.