The dark web has long provided a safe haven for cybercriminals to plot illicit activities, often with huge implications for the government. To stay ahead of cybercriminals, Federal agencies have to investigate threats and emerging adversaries on their networks – but that is easier said than done.
During a recent MeriTalk webinar, sponsored by Recorded Future, two cybersecurity experts discussed how agencies can develop a smarter way of working to disrupt the threat landscape.
Julie Starnes, Director of Federal at Recorded Future, shared how information on the Internet goes from raw data to actual, useable threat intelligence.
“When I think about threat intelligence, I think about the need for it to empower their most important functions,” she explained. “From a Recorded Future aspect, we are bringing in information from all these disparate sources, the different parts of the internet [open web, deep web, and the dark web]. We’re taking in all this content and disparate data pieces and then we are running it through a refinement process, and that is when that data becomes intelligence.”
Jay Ribeiro, CISO for the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATFE), said that threat intelligence is essential for ATFE to meet its mission of protecting communities from violent criminals, the illegal use and trafficking of firearms, the illegal use and storage of explosives, acts of arson and bombings, and acts of terrorism.
Ribeiro touched on the role threat intelligence information plays in his agency. “From a cybersecurity strategic perspective, I think threat intelligence can provide the executive leadership a picture of the threat landscape … to help them make risk-based decisions regarding tactical operations,” he said. “It will help decision-makers make wise investments to mitigate risks. From the perspective of the tactical benefits on the ground, it can definitely help organizations be more proactive instead of being reactive. We get to study our enemies, their [tactics, techniques, and procedures] to understand the threat and how bad guys make decisions.”
Once they have that threat intelligence, ATFE can then “increase the speed of how we respond to cybersecurity incidents, especially if it is paired with automation.” Ribeiro also shared that threat intelligence can provide significant value in vulnerability identification and management.
“A comprehensive cybersecurity strategy should really involve a risk-based approach to vulnerability management,” he explained. “The number of vulnerabilities being discovered on a daily basis … is massive, so it is impossible for us to keep up with patching and ensure our systems are up to date … So it is critical that organizations apply threat intelligence and assess vulnerabilities, and then prioritize them based on the risk posed by the actual threats.”
Starnes stressed that agencies and organizations too frequently believe they can rely on vulnerability scanners or databases.
“We’ve seen in the last couple of years that the time to exploitation has decreased significantly,” she said. “If we see a vulnerability, it’s now less than 15 days to it being exploited. You don’t really have the luxury of just relying on a vulnerability scanner or the national database.”
On how agencies and organizations should respond to threat intelligence, Starnes said that IT leaders need to prioritize vulnerabilities that are specific to their agency or organization. Vulnerability information from scanners or the national database can be overwhelming, so agencies need to have a way to “sift through that data and get to what’s necessary and relevant to your organization.”
Ribeiro then touched on how agencies can go above and beyond with their threat intelligence plan. To do so, he explained, agencies must first define the fundamentals: an agency must know its threat intelligence program goals and its customers, and place a premium on partnerships and trust. On top of that, Ribeiro said it is “vital” for agencies to cultivate a feedback loop, noting that threat intelligence stakeholders generally do not provide feedback.