Locating the needle in the cybersecurity haystack

Adrian M. Reodique

Vitaly Kamluk, director of Kaspersky Lab's Global Research and Analysis Team in Asia Pacific. Photo by Adrian M. Reodique. 

Identifying vulnerable areas of the business can be akin to finding a needle in a haystack. Threat intelligence reports can thus serve as a guide for IT leaders to pinpoint the areas where stronger cybersecurity defences are needed.

Basically, threat intelligence reports are references that provide technical details and descriptions of previous cyberattacks, said Vitaly Kamluk, director of Kaspersky Lab's Global Research and Analysis Team (GReAT) in Asia Pacific (APAC), in an interview with CIO Asia.

Threat intelligence reports can be derived from either threat information coming from within the organisation's network system or external threat intelligence feeds from security vendors. They are based on pieces of evidence and analysis to ascertain how a piece of malware was designed, its source, purpose, as well as its method of distribution and infection, added Kamluk.

Globally, the threat intelligence market is still at a nascent stage. PwC's 2017 Global State of Information Security Survey found that only 48 percent of the 6,200 chief information officers (CIOs) and chief security officers (CSOs) who leveraged managed security services are specifically using threat intelligence services in their cybersecurity and privacy programmes.

Meanwhile, research firm MarketsandMarkets projected that the global threat intelligence market will reach US$8.4 billion by 2022, with North America expected to contribute the biggest share and Asia Pacific to register the highest compound annual growth rate (CAGR) from 2017 to 2022.


Benefits of external threat intelligence reports

While internal threat intelligence reports can provide the most personalised threat information for organisations, external threat intelligence reports could also bring a slew of benefits to businesses that are able to effectively maximise their use.

"Threat intelligence reports help you to understand how [cybercriminals attack, in terms of] what tactics, techniques, and tools they used," noted Kamluk. "[This information] helps businesses make proper and smart decisions if they happen to encounter those attackers in their networks."

Kamluk further said that a good threat intelligence report includes indicators of compromise, which is "a list of file names, file hashes, command control servers, addresses like IPs and domains, or something that can uniquely identify malware infection and can help [businesses] discover these attacks on their system."

Moreover, threat intelligence reports, especially those with data focused on specific industries, can help organisations stay cognizant of the latest cyberthreats that lurk around the sector. This facilitates the assessment of vulnerable areas of the business or endpoints that are most likely to be targeted by cybercriminals.

"Sometimes, it can be beneficial for you to understand who you are dealing with, depending on who is the target," said Kamluk. "You can draw your conclusion on who might be behind it and of course if the attackers left something behind like IP addresses, where it could come from, language things, and some artefacts like language code [or] language identifier in the malware. We try to focus on that and include that in the report so that they can give you [an idea of] who your adversary is or who came after your organisation."
