Fighting cybercrime requires MSSPs and MSPs to maintain a comprehensive tool set to protect each client’s data and users. One of the most important components of that tool set is threat intelligence, which provides actionable information about threats, perpetrators, and sources, as well as risk factors and common targets.
Research shows the need for threat intelligence still isn’t fully understood in some organizations. A Ponemon Institute study, The 2017 Cyberattack Storm Aftermath, commissioned by SolarWinds MSP, revealed that “senior-level staff do not utilize ‘free’ intelligence sources, such as US-CERT, that might be helpful in identifying cybersecurity threats before they hit the organization.”
US-CERT (US Computer Emergency Response Team) issues threat alerts that help prepare cybersecurity teams to defend against new threats. For instance, the agency sent out an alert in 2017 about the WannaCry ransomware variant, which unleashed a worldwide infection that hit an estimated 300,000 computers in more than 150 countries. The attack was successful because too many organizations did not apply a security patch that would have prevented the infection from spreading.
In other words, the infection was avoidable. MSSPs and MSPs that handle security for clients can help prevent attacks by making sure clients don’t ignore essential security practices, such as taking advantage of threat intelligence feeds.
Cybersecurity traditionally has been defensive in nature, but threat intelligence adds a forecasting dimension. Threat intelligence tools and researchers are out in the wild identifying attackers, where they hang out, and whom they are planning to target.
Threat intelligence is collected from end-point monitoring systems, malware-detection engines, and an array of sources that include internet chatter and social media posts. Data is fed to analytics and machine learning models to investigate IP addresses, URLs, domain names, email attachments and links, email senders, filenames, hashes, and registry keys. The goal is to spot code traits, patterns, behavior, and anomalies that indicate the presence of malicious code.
Relevant data is disseminated through threat-intelligence feeds that security vendors, security service providers, and in-house teams can use to update their cyberdefenses.
There are multiple sources of public and government-run threat intelligence besides US-CERT, including the FBI, Krebsonsecurity.com, ThreatBrief.com, and The Defense Cyber Crime Center. MSSPs and IT Service Providers should check these sources periodically and sign up for cyber- intelligence feeds.
Many security vendors also have their own intelligence feeds, some of which are a paid service while others are included in cybersecurity solutions. MSPs and their clients should have a handle on which of their vendors provide this service, how the information is delivered, and what it covers. It would be a shame to have access to the information and not use it, especially since it can stop an attack.
Security vendors typically update their solutions based on the threat intelligence they collect from the thousands of endpoints they manage, as well as from other sources, including government-run sources. In some cases, they are providing that intelligence as a service for an added fee. Whether you and your clients need the service is a judgment call based on the environment you manage and regulatory obligations. It’s important to keep in mind that different vendors’ feeds cover different areas—for instance, a feed may be specific to phishing—and that no single feed covers everything.
Keeping up with threat intelligence is no easy task because of the massive volume of information it involves. MSSPs and MSPs should consider assigning a team member to track intelligence feeds, organize the information, and share it with the rest of the team as necessary. Making someone responsible for this component of cybersecurity helps ensure it is handled properly. The individual assigned to the task doesn’t necessarily have to be internal to your organization. In fact, if you’re an MSP who is uncomfortable with any part of the security responsibility, consider partnering with an MSSP to get the job done. And to double down on your efforts, definitely turn to your vendors and suppliers, many of which include a level of threat intelligence in their products. It takes a comprehensive strategy to ensure threat intelligence, which is fundamental to a robust cybersecurity strategy, isn’t overlooked.