Developing proactive cyberthreat intelligence

The best threat intelligence lets organizations improve their risk profile, thwart cyberattacks and avoid losses.

There’s no shortage of generic warnings when it comes to new cyberthreats and the havoc they’ll wreak on vulnerable systems. However, unless companies have context — details of how a threat will affect their organization — it’s difficult to prioritize which warnings to respond to and what security measures to implement.

So, how do organizations filter out all the noise around cyber security and focus on the information that relates to their own systems? How do they stop these generic warnings from creating fear, uncertainty and doubt, and making it more difficult to focus on issues that relate specifically to their own IT estate?

In short, the answer is to find a partner that supplies targeted cyberthreat intelligence and provides guidance on the steps needed to prevent imminent losses.

Evolving insurer approach to cyber security

Every insurer, no matter what line of business they underwrite, promotes sound risk management. They want policyholders to enact good practices, operate to recognized standards and implement robust risk mitigation and crisis management strategies.

In cyber insurance, this has previously taken the form of providing insureds with desktop tools and access to scanning software in a bid to offer best practice advice, highlight vulnerabilities and give guidance on how to respond to attacks.

In reality, this promotes good housekeeping but doesn’t provide in-depth information on vulnerabilities or details on what sort of loss companies are likely to suffer if they don’t take action. It’s a bit like telling someone that having an umbrella will be useful if it rains, without giving them a weather forecast for their particular location.

As the cyber insurance market has become more sophisticated, carriers can now match specific vulnerabilities to claims. They have a much more detailed understanding of how threat actors leverage vulnerabilities and the resulting losses their actions generate.

The most advanced cyber insurers can identify vulnerabilities within a client’s IT estate, attach them to a specific web domain or IP address, and predict what loss is likely to stem from the weak point. They can also advise if the vulnerability is on a threat actor’s target list and whether an attack is underway.

This targeted threat intelligence enables insureds to take preventative action and secure their system before the threat materializes into a loss. This level of intelligence goes beyond standard risk management and is more than good housekeeping. It’s a real-time, proactive intervention that empowers organizations to avoid losses from imminent attacks.

To advance the umbrella analogy, it’s like telling someone to open their umbrella now, because it’s about to start raining in their exact location and being able to tell them how severe the storm will be.

Three pillars of threat intelligence

It’s not easy to gather, analyze and deliver threat intelligence in a way that allows insurers to pre-empt attacks and empower clients to avoid losses. In broad terms, robust threat intelligence rests on three pillars and each plays a vital part in its overall effectiveness.

First, robust threat intelligence relies on the ability to accurately outline a client’s internet-facing footprint. This means building a register of each and every asset and enumerating every internet touch point. It is a complex task and must cover an organization’s entire suite of hardware, software, devices and databases.

In effect, the register is the map of the organization’s possible attack surface. If it isn’t complete, possible entry points will sit in blind spots and remain unmonitored.
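To make the blind-spot point concrete, here is an added example (not from the article or from CFC) that reconciles a constructed asset register against constructed external observations of the kind a scanner, certificate transparency log or passive DNS feed might report. Every hostname, address and range below is sample data; anything observed that the register cannot account for is reported as a blind spot, with the reason.

```python
"""Reconcile an internet-facing asset register against observed exposure.

Added example with constructed data. The register is what the organization
believes it exposes; the observations are what an outside party can see.
Whatever the register cannot account for is a blind spot.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed asset register (documentation ranges and .test names only).
REGISTER = {
    "domains": {"example-corp.test", "mail.example-corp.test", "vpn.example-corp.test"},
    "ip_ranges": ["198.51.100.0/28"],            # TEST-NET-2
    "wildcards": {"*.apps.example-corp.test"},   # any single label under apps.* is expected
}

# Constructed external observations: (hostname, IP, service seen).
OBSERVED = [
    ("mail.example-corp.test", "198.51.100.5", "https"),
    ("vpn.example-corp.test", "198.51.100.9", "ikev2"),
    ("portal.apps.example-corp.test", "198.51.100.12", "https"),
    ("old-staging.example-corp.test", "203.0.113.77", "https"),  # forgotten host
    ("mail.example-corp.test", "203.0.113.40", "smtp"),          # known name, unknown address
]


@dataclass
class BlindSpot:
    host: str
    ip: str
    service: str
    reasons: list = field(default_factory=list)


def _host_registered(host, register):
    """True if the hostname is listed explicitly or covered by a wildcard entry."""
    if host in register["domains"]:
        return True
    for pattern in register["wildcards"]:
        suffix = pattern[1:]  # "*.apps.example-corp.test" -> ".apps.example-corp.test"
        # Match exactly one label under the wildcard, like a DNS wildcard would.
        if host.endswith(suffix) and "." not in host[: -len(suffix)]:
            return True
    return False


def _ip_registered(ip, register):
    """True if the address falls inside one of the registered ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in register["ip_ranges"])


def find_blind_spots(observed, register):
    """Return the observations the register cannot account for, in input order."""
    spots = []
    for host, ip, service in observed:
        reasons = []
        if not _host_registered(host, register):
            reasons.append("hostname not in register")
        if not _ip_registered(ip, register):
            reasons.append("address outside registered ranges")
        if reasons:
            spots.append(BlindSpot(host, ip, service, reasons))
    return spots


if __name__ == "__main__":
    for spot in find_blind_spots(OBSERVED, REGISTER):
        print(f"{spot.host} {spot.ip} ({spot.service}): {'; '.join(spot.reasons)}")
```

Run against the sample data, the forgotten staging host is flagged on both counts, and the mail hostname answering from an unregistered address is flagged on the address alone; the latter case is why the check keys on address as well as name.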

Second, powerful threat intelligence needs to come from a wide variety of high-quality sources to ensure the data gathered is accurate, up-to-date and reliable. This means developing a strong network of partnerships with private and public sector organizations. It means having a mix of human and signal intelligence.

Human intelligence comes from having access to platforms and sites such as Exploit, XSS and RAMP, where fraudsters exchange information and trade stolen data. Entry to these sites comes from online identities, painstakingly developed over many years and through well-nurtured third-party relationships.

Signal intelligence comes from monitoring the communication traffic running through a client’s networks and being able to identify any anomalies and how they might relate to a potential attack.

Gathering and analyzing data from these multiple sources is a highly technical activity requiring significant investment in specialist software and staff. Insurers also need to be able to scan their clients’ IT assets continually to pinpoint any new vulnerabilities.

The third pillar of excellent threat intelligence is the ability to disseminate information effectively. In short, this means telling organizations exactly where they have a vulnerability, how a threat actor is likely to leverage that weakness against them, and giving them the support and guidance to secure their systems. Once a vulnerability is discovered, threat actors can weaponize it very quickly, so it is a race against time to get things in order.

It’s costly to run a team of specialists who can deliver on all three pillars and manage and pay for the third-party partnerships and feeds required to create robust threat intelligence. Some of the world’s largest corporations have in-house teams engaged in this activity, but for the vast majority of organizations, it’s simply beyond their means.

SMEs can get access to this sort of threat intelligence by working with an insurer that provides it as part of their offering. Increasingly, insurers are seeking to differentiate themselves on the strength of their threat intelligence. Not only does it reduce the number of losses suffered by clients, but it also improves insurers’ results, so it’s a positive for both parties.

Certainly, potential clients should appraise the strength of a carrier’s threat intelligence offering while completing their due diligence on its financial strength and the breadth of cover offered by its policy.

Threat intelligence in action

The best threat intelligence lets organizations improve their risk profile, thwart cyberattacks and avoid losses. It provides timely information on threats that relate to a specific business as well as warnings on attacks that are imminent or in their early stages.

By way of example, many organizations found themselves facing the threat of a loss as a result of the ProxyShell vulnerabilities on Microsoft Exchange servers. The problem became widely publicized about two years ago and unpatched servers made it possible for hackers to bypass authentication protocols and execute code as a privileged user. This posed a major threat and required immediate remedial action.

In response, CFC’s Cyber Threat Analysis (CTA) team created a non-intrusive scanner within 24 hours and ran it against the entire portfolio of clients.

The team identified around 450 clients that were vulnerable and contacted them at once. They then got to work on advising these clients about the problem and guiding them through the mitigation process to ensure they were no longer exposed.

Putting things right was a two-stage process. First, clients had to patch the vulnerability. Second, they had to ensure that no web shells had been placed on the server while it had been vulnerable.
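The second stage is a hunt, not a patch, so it helps to see what one looks like. The following is an added example, not the CTA team’s tooling: it scores server-side page files against three signals a responder would combine after patching (absence from a known-good baseline taken before the exposure window, modification inside that window, and code-execution indicators in the content). The baseline, paths, timestamps and file contents are constructed; the indicator fragment deliberately contains only tokens, not working code.

```python
"""Hunt for web shells dropped while a server was exposed.

Added example with constructed data. Models the second remediation step:
after patching, confirm nothing was planted during the exposure window.
The baseline is assumed to be a known-good list of deployed page files
captured before the window opened.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

SERVER_PAGE_EXT = (".aspx", ".ashx", ".asmx", ".asp")

# Tokens that appear legitimately in application code but rarely together
# in a page that was not part of the deployed product.
INDICATORS = [
    re.compile(r"\bRequest\s*(\[|\.Form|\.QueryString|\.Item)"),
    re.compile(r"\bProcess\.Start\b|System\.Diagnostics\.Process"),
    re.compile(r"\beval\s*\(", re.IGNORECASE),
    re.compile(r"\bAssembly\.Load\w*\s*\("),
    re.compile(r"\bcmd\.exe\b|\bpowershell\b", re.IGNORECASE),
]


@dataclass(frozen=True)
class FileRecord:
    path: str
    modified: datetime
    content: str


@dataclass
class Finding:
    path: str
    score: int
    reasons: list


def assess(record, baseline, window_start, window_end):
    """Score one file; None for files that are not server-side pages."""
    path = record.path.lower()
    if not path.endswith(SERVER_PAGE_EXT):
        return None
    score, reasons = 0, []
    if path not in baseline:
        score += 2
        reasons.append("not in pre-exposure baseline")
    if window_start <= record.modified <= window_end:
        score += 2
        reasons.append("modified during exposure window")
    hits = sum(1 for p in INDICATORS if p.search(record.content))
    if hits:
        score += hits
        reasons.append(f"{hits} code-execution indicator(s)")
    return Finding(record.path, score, reasons)


def hunt(records, baseline, window_start, window_end, threshold=4):
    """Return findings at or above the threshold, highest score first."""
    findings = [assess(r, baseline, window_start, window_end) for r in records]
    flagged = [f for f in findings if f is not None and f.score >= threshold]
    return sorted(flagged, key=lambda f: f.score, reverse=True)


# Constructed exposure window and baseline (lower-cased paths).
WINDOW_START = datetime(2023, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 14, tzinfo=timezone.utc)
BASELINE = {
    r"c:\inetpub\wwwroot\app\default.aspx",
    r"c:\inetpub\wwwroot\app\logon.aspx",
}

# Constructed files. The third one carries indicator tokens inside a comment
# so the heuristics fire without the sample being executable.
SAMPLE_FILES = [
    FileRecord(r"C:\inetpub\wwwroot\app\Default.aspx",
               datetime(2022, 6, 10, tzinfo=timezone.utc),
               '<%@ Page Language="C#" Inherits="App.Default" %> <!-- uses Request.Form -->'),
    FileRecord(r"C:\inetpub\wwwroot\app\Logon.aspx",
               datetime(2023, 1, 9, tzinfo=timezone.utc),   # updated by the patch, benign
               '<%@ Page Language="C#" Inherits="App.Logon" %>'),
    FileRecord(r"C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx",
               datetime(2023, 1, 6, tzinfo=timezone.utc),
               '<%@ Page Language="C#" %> /* constructed tokens: Request["c"] Process.Start cmd.exe */'),
    FileRecord(r"C:\inetpub\wwwroot\readme.txt",
               datetime(2023, 1, 6, tzinfo=timezone.utc),
               "static text, never evaluated by the server"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_FILES, BASELINE, WINDOW_START, WINDOW_END):
        print(f"{f.score:>2}  {f.path}  [{'; '.join(f.reasons)}]")
```

Note how the legitimate page touched by the patch scores only on the time window and stays below the threshold, while the file nobody deployed scores on all three signals. Any single signal would produce either false positives (patching modifies files) or misses (a renamed copy of a real page sits in the baseline), which is why a hunt combines them and then has a person inspect what floats to the top.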

The CTA team found web shells on a number of clients’ servers and removed them before they could be used to mount an attack. Without the team’s intervention, these clients would have suffered a loss.

Only because they received detailed threat intelligence showing that their systems were vulnerable, and that they had actually been compromised, were these organizations able to work through the remedial steps provided and secure their systems.

It’s this detailed, specific and proactive type of intervention that characterizes good threat intelligence and highlights the value it offers to all concerned.

The balance of risk and reward remains stacked in favor of threat actors, underpinning the huge and increasing number of attacks faced by organizations in all sectors.

The best threat intelligence is now enabling businesses to seize the initiative and prevent losses from happening. It’s allowing them to be proactive rather than reactive in the fight against fraudsters and helping them to maintain ongoing operations and stop cyberattacks in their tracks.

Roger Francis (rfrancis@cfcunderwriting.com) leads CFC’s cyber security and incident response organization, and oversees CFC’s cyber risk management services. He has over 17 years of experience in information security, helping businesses protect their organizational assets from cyberthreats, developing global security governance programs and responding to headline cyber breaches.
