Gathering and using threat intelligence

In this interview, Tomer Teller, Security Innovation Manager at Check Point, talks about the role of threat intelligence in the modern security architecture, discusses how it can help identify sophisticated malware attacks, and illustrates the essential building blocks of a robust threat intelligence solution.

What’s the role of threat intelligence in the modern security architecture?
Gathering and using threat intelligence is critical in any modern security architecture as without it, it is impossible to keep pace with new, emerging malware and threats. For example, our 2014 Security Report found that on average, a new, unknown malware variant is being downloaded to company networks every 27 minutes, while a new bot infects a network every 24 hours. These new variants are able to bypass detection by conventional anti-malware defenses, so it’s critical that an organization has access to intelligence on new, emerging malware if it is to defend itself. The faster information can be gathered on the methods cyber-criminals are using, the quicker an organization can be prepared to counter the threat and the more robust the protection will be.

The challenge that the internet security industry faces is ensuring threat intelligence is not only gathered but also shared in real-time. Many third-party security firms have excellent intelligence on new attacks vectors and malware variants. However availability of this intelligence is often fragmented.

Any delay in collating and sharing information makes acquiring broad intelligence on cyber attacks, especially targeted campaigns, almost impossible for even the largest players in the security industry presenting an opportunity for cyber-criminals which really should not exist.

The role of threat intelligence in security is clearly important and is something that the industry as a whole has successfully deployed for some time. However that intelligence is far more useful in improving security when it is shared and security vendors can develop solutions that address the whole problem – not just part of it.

In answer to your question then threat intelligence is key in modern security architecture – in terms of identifying the problem, sharing that intelligence is critical in addressing it.

How can threat intelligence help identify sophisticated malware attacks?
The key role it plays is in helping organizations to identify new malware much faster than is possible with conventional anti-malware techniques, to prevent it spreading and mitigate damage.

For example, many organizations are using sandboxing or threat emulation techniques to identify new, unknown malware variants and stop them either in the cloud, or on a gateway. Once this new malware threat has been quarantined and “fingerprinted’ by the sandboxing process, this data can be shared to help prevent wider infections.

This collaborative approach closes the time window between the discovery of a new attack and the ability to defend against it. Details of the threat (including key descriptors such as the IP address, URL or DNS) can be uploaded to the cloud and automatically shared with other organizations worldwide. So if a company in Hong Kong is being targeted by a new malware variant that is identified by threat emulation, the new threat’s signature can be added to a real-time intelligence stream and distributed to other organizations globally in minutes. By vaccinating organizations against the attack before the infection can spread, this reduces the chances of an outbreak becoming an epidemic.

Threat Intelligence is also more sophisticated and efficient in providing real-time updates to IT systems than traditional anti-virus software. Whereas an update to anti-virus software on a new malware variant might take hours or days to push out, threat intelligence provides a much quicker feed of information to mitigate the risk posed by the malware. This is why it is critical that businesses adopt a multi-layered approach to security to ensure that they minimize the risk of attack. Relying on any one method of defense only serves to offer cyber-criminals opportunities that could otherwise be averted.

What are the essential building blocks of a robust threat intelligence solution?
A robust threat intelligence solution is really dependent upon the volume of information it is fed. The more information made available to it and the more sources it comes from the more robust it will be.

As a result, one of the key developments in threat intelligence has been the introduction of threat intelligence marketplaces that encourage vendors to collaborate, share and exchange information in real-time. Technology such as this enables a more detailed picture to be produced much faster providing greater insight and better information for organizations to work with.

But intelligence is only truly effective if it can be translated into effective action against new threats. So in addition to intelligence feeds, organizations need solutions that can interpret those feeds, and automatically apply updates and blocking actions against the identified threats. But the benefits are clear – a more responsive security architecture that can either stop potential threats before they infect the network, or trap the threat quickly even if it manages to penetrate defenses.