What does a threat intelligence team do?

By: Bryson Medlock

As new cyber threats continue to emerge at a rapid pace, companies today simply cannot afford to rest on their laurels. Just because an organization hasn’t fallen victim to a serious cyber incident doesn’t mean the cybersecurity measures and processes they have in place are flawless or will be as effective in the future. 

According to The State of SMB Cybersecurity in 2024 survey conducted by Vanson Bourne and commissioned by ConnectWise, 89% of decision makers are concerned their organization will be the target of a cyber attack in the next 6 months. How can businesses become more proactive about cybersecurity and assuage their own fears about the potential damage of an attack?

Enter: the cyber threat intelligence team (also known as a cybersecurity research team). Threat intelligence teams are vigilant in gathering information about emerging threats, analyzing malware data, collaborating with industry peers, and sharing their findings. This is all done in the name of helping organizations gain more insight into the current threat landscape so they can identify areas for improvement within their cybersecurity posture.  

Who is on a threat intelligence team? 

These teams are often made up of cybersecurity leaders, threat intelligence analysts, security operations center (SOC) veterans, reverse engineers, vulnerability researchers, network security experts, and more. The ConnectWise Cybersecurity Research Unit (CRU) has nearly 70 years of combined experience across these disciplines.  

Threat intelligence shouldn’t be a solo effort — it takes a team of dedicated, highly qualified cybersecurity professionals with specialized knowledge, training and skills to produce valuable, actionable insights. Team members may also possess special credentials that demonstrate their expertise, such as an Offensive Security Certified Professional (OSCP) or a GIAC Certified Intrusion Analyst (GCIA). 

Threat intelligence   

Cyber threat intelligence refers to data on emerging and established threat actors that has been collected, analyzed, and determined to be hazardous. This can include monitoring of ransom leak sites, malicious botnets, open-source intelligence resources, and more to uncover threats. To ensure that the members of a threat intelligence team are using their time and skills most efficiently, automating certain parts of the research process is crucial.  

For example, the CRU has created automated tools capable of performing analysis on security incidents to help make quick decisions on escalation and remediation (aka notifying a human that an investigation is needed). Assisted by automation, the CRU team downloads hundreds of malware samples every day; these are analyzed, and the results go into our free threat feed. Updated daily, the CRU threat feed contains data that has been collected for years and is used to help find threat indicators in customers’ networks while filtering out false positives.

Threat intelligence teams understand the importance of using contextual information, including technical, behavioral, and situational factors, to help determine the who, what, why, and how behind a given threat. This contextual information in our feed is then turned into packet captures (PCAPs) which are shared with the industry, answering questions that analysts and fellow researchers otherwise wouldn’t be able to address. 

Threat hunting  

Threat hunting is the process of actively seeking out and investigating threats to identify them as soon as possible. Threat hunters leverage threat intelligence, threat detection tools, environmental knowledge, their career experience, and more to “hunt” for specific types of activity.  

Threat hunting involves analysis of data in order to pick out indicators of compromise (IoCs) so the team can develop hypotheses about emerging or “unknown” threats that have occurred in a given environment. The ConnectWise CRU takes a unique approach to threat hunting, leveraging the information gathered in this phase to provide threat intelligence as well. 

Our team of cyber threat hunters builds data visualizations to highlight abnormal activity. We test Kibana queries within the Perch platform and share Elastic queries, which can also be modified or used in your own SIEM solutions, to reveal characteristics related to cyberattacks.

Effective threat hunting requires timely, high-quality threat intelligence; oftentimes cybersecurity professionals are part of special communities in which they share information about “breaking news” and the latest tactics and strategies used by cyber criminals. The CRU is active in private research groups made up of security researchers across the industry, giving us fast access to intelligence around new vulnerabilities and threats — in some cases, even before they are made public.  

Our CRU team also participates in MITRE’s ATT&CK Sightings ecosystem, a knowledge base that helps threat intelligence analysts and other cybersecurity professionals achieve greater visibility into threat behaviors around the world. This involves tracking threat actor techniques to give threat researchers more granular data about the context surrounding cyber incidents.  

Practice makes perfect  

To turn threat research into something tangible and actionable, the best threat intelligence teams look for ways to simulate real-life security situations. This helps organizations strengthen their defenses as well as determine how they would respond in the event of a breach. For example, the CRU uses our ConnectWise products when analyzing malware and testing new vulnerabilities so we can see exactly what a compromise would look like for one of our customers.

The CRU also hosts and participates in capture the flag (CTF) events. CTFs are cybersecurity competitions in which contestants compete with one another by solving infosec-related challenges to earn points. This is yet another way that professionals in the cybersecurity community help each other level up their skills and increase awareness about the latest techniques and strategies in the world of cyber crime.  

Making the most of modern threat intelligence  

There’s no doubt that threat intelligence and cybersecurity research teams are helping organizations stay more informed about the increasingly advanced cyber threats found online today.

With fewer resources and smaller cybersecurity budgets than the enterprise, SMBs are particularly vulnerable: The State of SMB Cybersecurity in 2024 survey discovered that only 37% of decision makers felt confident that their organization and/or its IT partner would be able to defend their systems in the event of an attack.  

The ConnectWise Cybersecurity Research Unit has a unique strength amongst research and threat intelligence teams in that it is plugged deep into the SMB ecosystem, allowing it to closely track the emerging threats that are most relevant to that group.