To gain intelligence about the threats that may be directed at our organizations, we need to tune in to what is happening on the Internet. By reading the latest annual security reports, we can learn from what others have experienced and broaden our perspective on the current threat landscape. Security practitioners should be sharing information about threats and attacks just as readily as the attackers share information, exfiltrated data and access to botnets. We can learn from recent security reports, anticipate what we can expect to occur in 2015, and adapt our defensive strategies to protect our enterprises.
Parallels can be drawn between IT security and using dental floss. We know that using dental floss can add years to your life expectancy, but it requires discipline and a small time commitment every day. Similarly, IT security requires a relatively small capital investment and a relatively small investment in time to configure granular policies and be vigilant. Good security is a result of taking the time to configure prudent security and then spending the time to establish situational awareness of the environment. The papers are full of news about companies that have not invested enough time in their security programs.
Sharing Security Experiences
We can be sure that the attackers are sharing information among themselves about which attack types are more successful than others. They are sharing information about targets, trading information about application vulnerabilities, trading access to botnets, and coordinating with organized crime groups as part of their business ecosystem.
Few IT staff members actually share the valuable tidbits of knowledge that they have accumulated with the rest of the industry. Think about the powerful amplification effect an individual could have on the industry if they shared what they knew with others. Defenders should be sharing information about what attack types they are observing and what defensive capabilities are most effective. However, companies are often unwilling to share information for fear of embarrassment, a lack of security knowledge and experience, or a lack of time to communicate it. Many IT security organizations run so lean that they don't have the time required to keep up on security topics, keep tabs on security events, or share intelligence information with other organizations.
Annual Security Reports
One way an organization can gain information about what types of attacks are taking place "in the wild" is to read published annual security reports. Many different companies write periodic security reports about current security trends, current attack types, and current best defensive practices. These reports are written by security equipment and software manufacturers, security service companies, Internet service providers, and security associations.