What is cyberthreat intelligence?
Cyberthreat intelligence (CTI) provides businesses a deeper understanding of potential threats. Whether it is knowing your enemy or learning about the latest malware, CTI seeks to provide information that can help an executive make prudent, risk-based decisions. This information, analyzed to produce insights, comes from the open internet as well as closed sources, including the dark web. This information can help identify signs of a potential breach, leaked data or pending attacks.
The dark web is the part of the internet that are not accessible through conventional browsers. The deep web is the part of the internet that is not accessible through search engines. Nation states, cybercriminal gangs and threat actors thrive in this underground economy through illegal activity including the sale of personal information, financial goods and illicit services. In terms of CTI, the deep web and dark are a treasure trove of breached information and threat indicators for an organization.
A vast majority of these sources contain goods and sensitive data stolen from the financial services industry. Driven by financial gain, bad actors maintain a thriving marketplace built on illicit items, including debit/credit card sales, identity theft services and specific banking malware.
How can financial institutions use CTI to their advantage?
While no tool or service can completely eliminate data breach risk, integrating CTI into the organization’s cybersecurity program can make the institution a more difficult target with a lower likelihood of being breached. To get value from CTI, the financial sector can:
- Understand which threat actors are leveraging potential vulnerabilities in systems used by the financial sector
- Understand whether a particular organization is being targeted directly
- Detect active malware campaigns that are targeting the financial sector
- Learn where customer and employee information may exist
- Find breached credit or debit cards on deep web or dark web marketplaces
- Understand emerging trends regarding data theft
How can financial institutions leverage CTI?
There are a variety of methods that financial institutions can leverage, and directly benefit from CTI. Examples include:
- Incorporating technical indicators of compromise (IOCs) into the company’s security information and event management (SIEM) system
- Briefing high-level executives on industry trends and providing intelligence on potential future attacks
- Providing intelligence briefings to security operation centers (SOCs) to deliver situational awareness of technical campaigns and malignant actors
- Using the information gathered to develop incident response (IR) tabletop scenarios
- Achieving timely integration with fraud teams to deactivate any stolen credit or debit cards
- Working with law enforcement to remove stolen credit card, debit card or other financial information from the deep web or dark web.
- Segregating and limiting internal access to systems if credentials are exposed
- Communicating with social media and marketing teams to improve exposed data on the open web
- Implementing patches for any known vulnerabilities discovered on external-facing systems and applications
What does a successful CTI program look like at a financial institution?
Due to the limited resources of security teams within small- to medium-sized financial institutions, deep analytical CTI is usually not possible using internal resources and is often outsourced to a vendor or third party. When outsourced, third parties can provide the following value-added actions:
- Identify breached credit and debit cards and other financial information
- Monitor chatter about C-suite executives
- Help prevent fraud through credential theft
- Thwart attacks planned by adversaries using new financial theft malware, ransomware or Trojans
- Examine reputational damage or brand-related chatter for an organization
- Identify large credential data dumps and/or breaches
- Identify or ascertain stolen or fraudulent goods (blueprints, skimmers, physical devices, etc.) and sensitive data (tax forms, personally identifiable information, protected health information, etc.)
In conclusion, CTI will provide a variety of actionable information for companies to utilize to make informed cybersecurity decisions and better assess their risk appetite. This information can be used to prioritize initiatives, address budgets and create business strategies for securing customer, employee and client data. With a deeper understanding of the threats they are facing, companies will have a firmer grasp of the tumultuous cyber landscape and a clearer vision of how to prevent problems.