What is Proactive Threat Intelligence and Why Should I Care?

Lots of people talk about the value of threat intelligence for an organization trying to defend itself from the near-constant onslaught of attacks, and the various ways to obtain good and valuable intel. They are not wrong. Threat intelligence should be part of everyone’s cyber protection and resiliency strategy to combat all forms of digital risk.

However, if your threat intelligence doesn’t enable you to get proactive against future attacks and risks, then it’s of limited value. You will always be behind the curve. And that’s not where you want to be, especially in 2024. All the statistics say that attacks are increasing, and everyone will unfortunately be breached at some point. So ask yourself – how much are your threat intelligence programs and tools helping prepare you?

Answering the Question “How Did This Happen?” Is Important … But Not Enough

Obviously, with every attack it's important to understand what damage was done and what data may have been stolen. That is incident response 101, and usually the first question that all the stakeholders will ask. There are a variety of threat intelligence approaches, tools, and data sources to help you answer the question of “how did this happen?” How did the bad actor break in and inflict damage? The focus here is valid, warranted, and needed – there are many reasons why understanding “how did this happen” is important, such as:

1. Explaining what happened to your boss, Board of Directors, and other stakeholders.

2. Implementing a new policy or procedure to block a specific gap in your cyber security posture.

3. Documenting and sharing intelligence about the latest techniques and tactics.

4. Or even just pure intellectual curiosity.

This fundamental understanding is important and necessary and, as mentioned, generally the first question that gets asked. But in today’s world, you unfortunately can’t stop there. It’s necessary, but not sufficient, if you really want to protect yourself and your organization.

You Need to Be Able to Answer the Next Question

As Bill Joy once said, “You can drive a car by looking in the rear view mirror as long as nothing is ahead of you.” Always looking backwards and having the perfect clarity of “what happened” may lead to a false sense of confidence — just because you have addressed everything that has happened does not mean you are protected from what will happen. The reality is that new attacks are coming, the techniques are changing, and the tactics are adapting.

Good threat intelligence therefore needs to help you understand not just “how and what happened” but help you answer the next question – “what’s going to happen next?”

Proactive Threat Intelligence Maps What Has Happened to What Will Happen

The bad actor or group that attacked you in the past is going to try again in the future, which is exactly why you shouldn’t need new tools to obtain a forward-looking view. The criminals may adapt and change some of their tradecraft, but fundamentally they are still the same bad actor(s), and except for the most skilled and best-funded nation-state adversaries, it’s actually difficult and time-consuming to change absolutely everything about one’s tradecraft.

There will always be some sort of connection or commonality linking the past attack(s) to the future ones, meaning that the intelligence and view into what happened can still help you understand what they are going to do next.

A bad actor may be near-perfect in their tradecraft today, but perhaps made a mistake when they were first getting started, which allows you to gain a foothold into mapping their actions even today. Or maybe there is one part of their overall tradecraft that doesn’t change from attack to attack. Whatever the linkage, whatever the connection, if you can find it then you can follow the breadcrumb trail and see into the future. You can watch the bad actors as closely as they watch you.

Enter HYAS Insight – With the Power to Get Proactive

And that’s where HYAS steps in. HYAS collects authoritative data from a variety of sources to ensure that it can map what has happened to what is happening and what will happen. The underlying Adversary Infrastructure Platform is unparalleled in terms of not just the raw data but the underlying intelligence that it can provide across “VRA” or Verdicts, Related Infrastructure, and Attribution.

In other words, not only can the HYAS Insight threat intelligence and investigation platform help answer the question of “how did this happen?” but it also directly provides the insights and intelligence to point to “what is going to happen.” It is a one-stop shop for all the infrastructure and attribution intelligence that is needed today.

For example, consider DGA (domain generation algorithm) malware. Given how quickly and seamlessly this family of malware changes its command-and-control (C2) infrastructure, it can often be quite difficult to fully understand and stop. However, the next domain to be used as C2 was (or will be) created by the same bad actors who created the current one.

There will be a way to identify a connection between the two, and most importantly, that connection can be identified when the new domain is created and becomes DNS-routable on the Internet – before the malware changes its C2 to point to it. Seeing the new domains get created, and knowing whether or not they will be used for nefarious purposes before they are actually weaponized, provides a unique ability to counteract DGA malware and stop the endless cycle of chasing one’s tail. This is the power of understanding Related Infrastructure, and just one example of what can happen when you get proactive.
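To make the related-infrastructure idea concrete, here is an added sketch (not HYAS code and not a description of how the HYAS platform works) that flags newly observed domains sharing registration or hosting attributes with known C2 domains. All domains, attribute values, the `related_new_domains` name and the rarity-weighting heuristic are constructed assumptions for illustration.

```python
from collections import Counter

# Constructed sample records (not real data): domain -> registration/hosting attributes.
KNOWN_C2 = {
    "qzkvtrplm.example": {"ns": "ns1.dns-a.example", "email": "reg77@mail.example",
                          "ip": "203.0.113.10", "registrar": "BigRegistrar"},
    "xwpbndkfo.example": {"ns": "ns1.dns-a.example", "email": "reg77@mail.example",
                          "ip": "203.0.113.11", "registrar": "BigRegistrar"},
}
NEW_DOMAINS = {
    "hgrtyplxa.example": {"ns": "ns1.dns-a.example", "email": "reg77@mail.example",
                          "ip": "203.0.113.44", "registrar": "BigRegistrar"},
    "flower-shop.example": {"ns": "ns9.dns-z.example", "email": "owner@shop.example",
                            "ip": "198.51.100.7", "registrar": "BigRegistrar"},
    "mkdjwqzne.example": {"ns": "ns4.dns-q.example", "email": "x1@mail.example",
                          "ip": "203.0.113.10", "registrar": "SmallReg"},
    "bakery.example": {"ns": "ns2.dns-b.example", "email": "hi@bakery.example",
                       "ip": "198.51.100.9", "registrar": "BigRegistrar"},
}

def related_new_domains(known, new, threshold=1.0):
    """Score each new domain by the attribute values it shares with known C2.

    A value carried by many new domains (a large registrar, for instance) is a
    weak pivot, so each shared value contributes 1 / (new domains carrying it).
    Returns {domain: (score, [shared attribute names])} for scores >= threshold.
    """
    known_values = {(k, v) for attrs in known.values() for k, v in attrs.items()}
    freq = Counter((k, v) for attrs in new.values() for k, v in attrs.items())
    hits = {}
    for domain, attrs in new.items():
        shared = [(k, v) for k, v in attrs.items() if (k, v) in known_values]
        score = sum(1.0 / freq[kv] for kv in shared)
        if score >= threshold:
            hits[domain] = (round(score, 2), sorted(k for k, _ in shared))
    return hits

if __name__ == "__main__":
    for domain, (score, why) in related_new_domains(KNOWN_C2, NEW_DOMAINS).items():
        print(f"{domain}: score={score} shared={why}")
```

The two unrelated domains that only share the large registrar stay below the threshold, while the domains reusing the name server, registrant e-mail or hosting IP are surfaced for blocking or review before they ever resolve as C2.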

In other cases, perhaps the Related Infrastructure identifies what is going to be used in the next phishing attack. Or maybe the Attribution data identifies that the threats and attacks are coming from a different geographic location than they were last year, driving an update and shift in understanding the overall organizational and digital risk as well as specific changes to the cyber program.

In all cases, it’s the ability to take today’s threats and map them to tomorrow’s threats, risks, and attacks that allows the threat intelligence solution to be truly proactive. And in today’s fast-moving world, where new attacks pop up almost constantly, this level of proactiveness is not just important but critical to leveling the playing field, enabling cyber resiliency, and protecting all aspects of digital risk across the entire organization.

Rethink cybersecurity. Understand adversary infrastructure and counter DNS as a tried-and-true attack vector for threat actors. Contact us today to learn how HYAS can help your organization transition from reactive and defensive to proactive and offensive.