By Brendon Roddas
Threat intelligence feeds have been used for many years by security operations center (SOC) teams and security analysts as a means to stay ahead of trending cyberattacks. In theory, the concept of threat intelligence feeds is sound.
After all, it is logical to believe that obtaining a constant stream of attack intelligence can help an organization reduce risk; enabling security teams to proactively warn employees and optimize security tools to identify and intercept threats before damage can occur.
(TOP: The meaningful photo of chess king staying before the set of another colour pieces).
To gather threat intelligence, organizations have two primary options: they can either purchase near real-time feeds from a vendor or they can join an intelligence-sharing group. Some organizations choose to do both. But while threat intelligence feeds might have been highly regarded as beneficial in the earlier days of cybersecurity, the sophistication and frequency of which today’s attacks are executed has severely limited the actionability that security pros can implement. This is especially true for email phishing threat intelligence.
Modern phishing threat landscape hinders threat feed RoI
According to Gartner, “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.”
While such a definition sounds compelling, the complexities of email threats in particular hinder threat intelligence feeds from providing the type of action-oriented advice that Gartner describes to phishing mitigation initiatives.
Today, 90% of all cyberattacks continue to proliferate via email while the majority of email phishing campaigns also contain at least one permutation and account for 42% of all attacks, according to our recent research. This means that attackers now regularly implement slight but significant and often random changes to an emails’ artifacts, such as its content, copy, subject line, sender name or template in conjunction with or after an initial attack has deployed. At the same time, attackers are also diversifying their techniques (spear-phishing, business email compromises, etc.), making it much more difficult than ever for humans and technology to identify phishing attacks.
Collectively, such attack frequency, variation and diversity has given rise to an extremely complex email threat landscape, one that is not conducive to benefiting much from email threat intelligence feeds.
Threat feeds falter in today’s email threat landscape
For email phishing in particular, threat feeds can lack important context, often contain too many false positives and require human analysts to vet alerts and feeds, which is often a time-consuming and ineffective process. Time constraints are especially problematic when considering it takes 82 seconds or less for someone to engage with a phishing email, according to Aberdeen Research.
On top of that, threats now evolve so rapidly that last weeks or even yesterday’s threats are potentially no longer relevant today. And thanks to the ease at which permutations can be implemented and the mass-market availability of phishing-as-a-service kits, attackers can create new versions of the same attack before a threat feed can even be updated with the original attack signature.
In addition, for threat intelligence to be actionable today, it should tell a story from a strategic, operational and tactical standpoint. But instead of this approach, threat reports remain focused on reactionary, and not proactive tactics. According to Eric Murphy, VP of Security Research at SpyCloud, threat intelligence becomes stale when an organization is reactionary, and “it fails when you don’t mix multiple intelligence points to form a more complete story of your adversaries.”
So then, if SOC and security teams are unable to ingest and incorporate multiple intelligence points from threat intelligence feeds into their security platforms in real-time, then there is limited purpose to having them in the first place.
Why Threat Intelligence must be Real-Time De-centralized and Distributed
Instead of relying on antiquated, reactionary threat feeds or vendor SLA’s, organizations should look to decentralized phishing campaign detection technology that puts control back in the customers hands by leveraging a vast virtual analyst community to automatically provide advanced detection and notice of trending email phishing attacks in real-time.
IRONSCALES automatically delivers real-time, human verified, actionable phishing campaign intelligence collaborated on by top security experts within the IRONSCALES community. This is more effective than threat feeds because it:
- Provides high quality; real-time human verified phishing detection and threat intelligence, reducing security teams’ resource strains by leveraging a threat intelligence community that scales as more companies join.
- Helps mitigate the risk of attacks, similar attacks and repeat attacks from spreading to additional mailboxes in real-time, limiting the chance of a lockout of systems via ransomware and malware.
- Decentralizes and distributes intelligence globally by leveraging a community of peers and security analysts, allowing for higher quality threat intelligence with fewer false positives, expediting incident response.
- Immediately notifies the SOC/security teams of verified attacks, or depending on policy settings, remediates the phishing attack from all inboxes across the organization, eliminating the threat completely across all endpoints.
While threat intelligence feeds historically provided attack details of value to SOC and security teams, the dynamic nature of today’s email threat landscape makes them unproductive and time consuming to become relevant and actionable in phishing mitigation. Instead, security teams can benefit more from a user-led approach that is uniquely built to integrate and orchestrate phishing attack information into a company’s email security incident response infrastructure. If you can’t act on it in an automated and timely manner, it’s probably not worth consuming that data.
(From IRONSCALES blog).