Using Threat Intelligence to Protect the Network
Distributed denial-of-service (DDoS) attacks have fast become a favorite method of modern hackers. These attacks, which overwhelm networks by flooding them with traffic from bots and other sources, have grown in number and severity in recent years. A study by the Ponemon Institute revealed that DDoS attacks are responsible for 18 percent of outages at data centers based in the U.S., up from 2 percent in 2010, and that these attacks are the third leading cause of outages. Each outage costs $630,000, on average.
Hackers have ready access to the inexpensive equipment required to set up and carry out DDoS attacks, and targets range from foreign governments and corporations to universities and online businesses. Even if no data is actually breached, such attacks slow the network and place an increasing financial burden on organizations trying to mitigate their effects. Network security professionals must remain vigilant and adapt their methods as needed against this relentless onslaught.
The Stages of an IT Attack
The best way to shut down attacks and defend critical resources is to adopt a security approach that outpaces the attackers' capabilities. To do so, security professionals should break an attack down into stages (before, during and after) and organize their response around the same stages. Security experts will recognize the cyclical nature of this strategy: what is learned after one attack feeds the preparation for the next.
Let’s examine each of these stages:
Before an Attack
Cyber defenders must vigilantly monitor network activity so they can spot areas where they may be vulnerable. Historically, security has meant putting defenses in place and waiting for something to hit them. Today, teams halt intruders more intelligently by first giving the organization total visibility into its environment, including physical and virtual hosts, operating systems, applications, services, protocols, users, content and network behavior. A baseline built from this knowledge enables defenders to take action before an attack has even begun.
During an Attack
Security teams must understand what is happening and take steps to end the attack as quickly as possible, to minimize its impact. They should be addressing threats continuously, not only at a single point in time. Tools such as content inspection, behavior anomaly detection, and context awareness of users, devices, location information and applications are critical to understanding an attack as it is occurring. Security teams have to discover which users are involved, as well as where and how they are connected to applications and resources.
After an Attack
Teams need to gain clarity about the attack and understand how to diminish its effects. Advanced forensics and assessment tools help security teams answer the questions that arise from the incident: Where did the attackers come from? How did they find a hole in the network? Could anything have been done to prevent the breach? More important, retrospective security lets the infrastructure continuously gather and analyze data to build security intelligence. Breaches that would have gone undetected for weeks or months can be identified, scoped, contained and corrected much more quickly.
The Value of the Extended Network
The linchpins of any defensive strategy are intelligence and understanding. Security teams are constantly trying to learn more about who their enemies are, why they are attacking and how. This is where the extended network — including the web, connected devices and intelligence from external organizations — can provide significant value, delivering a depth of intelligence that cannot be attained anywhere else in the computing environment.
Much like other areas of modern warfare, security in cyberspace is often a pitched battle, and not one fought in the defenders' favor. Relatively small adversaries with limited means can inflict disproportionate damage on much larger targets. In these asymmetric environments, intelligence is one of the most important assets for addressing threats. However, intelligence is not a stand-alone weapon; it requires an approach that optimizes its organizational and operational use.
For instance, cybersecurity teams can correlate identity and context and then add threat intelligence and analytics capabilities on top of flow-based network analysis, which collects summary records of IP traffic (source, destination, ports, packet and byte counts) as it enters or exits an interface. This allows security teams to combine what they learn from multiple sources of information, including what they observe happening in their own network and a growing body of collaborative intelligence gleaned from exchange with public and private entities, to help identify and stop threats.
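As an added example that is not part of the original article, the following Python script shows the combination the two preceding sections describe: behavior anomaly detection during an attack (a destination receiving many times its baseline packet volume from many distinct sources) and correlation of those sources against externally supplied threat intelligence. The flow records, the baseline window, the addresses and the intelligence networks are all constructed for illustration, and the thresholds (10x the baseline packet count, 20 distinct sources) are assumptions, not values from the page.

```python
# Added example (not from the article): flow-based flood detection plus
# threat-intelligence correlation. All records, addresses and thresholds
# below are constructed/assumed for illustration.
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records in a simplified NetFlow/IPFIX shape:
# (src_ip, dst_ip, dst_port, packets, bytes). One record per flow.
BASELINE_FLOWS = [  # a quiet window used as the baseline
    ("203.0.113.10", "198.51.100.5", 443, 40, 30000),
    ("203.0.113.11", "198.51.100.5", 443, 35, 28000),
    ("203.0.113.12", "198.51.100.8", 80, 20, 15000),
    ("203.0.113.13", "198.51.100.5", 443, 50, 41000),
]
ATTACK_FLOWS = [  # the same destination flooded from 50 distinct sources
    ("192.0.2.%d" % i, "198.51.100.5", 443, 1200, 60000) for i in range(1, 51)
] + [("203.0.113.10", "198.51.100.5", 443, 40, 30000)]  # one legitimate client

# Constructed threat-intelligence feed: networks reported as botnet members.
THREAT_INTEL = [ip_network("192.0.2.0/25"), ip_network("192.0.2.200/32")]


def aggregate(flows):
    """Per-destination packet totals and distinct source sets."""
    packets = Counter()
    sources = defaultdict(set)
    for src, dst, _port, pkts, _bytes in flows:
        packets[dst] += pkts
        sources[dst].add(src)
    return packets, sources


def detect_floods(baseline, window, pkt_factor=10.0, min_sources=20):
    """Flag destinations whose packet volume in `window` is at least
    pkt_factor times the baseline AND that are hit from at least
    min_sources distinct sources (the distributed part of a DDoS).
    Returns {dst: {"packets": n, "baseline": n, "sources": n}}."""
    base_pkts, _ = aggregate(baseline)
    win_pkts, win_srcs = aggregate(window)
    alerts = {}
    for dst, pkts in win_pkts.items():
        base = base_pkts.get(dst, 0)
        # A target never seen in the baseline is treated as anomalous.
        ratio = pkts / base if base else float("inf")
        if ratio >= pkt_factor and len(win_srcs[dst]) >= min_sources:
            alerts[dst] = {"packets": pkts, "baseline": base,
                           "sources": len(win_srcs[dst])}
    return alerts


def correlate_sources(flows, dst, intel):
    """Split the sources talking to `dst` into those that fall inside a
    threat-intel network and those that do not. Matches can be blocked
    with confidence; the rest need further inspection, because a
    legitimate client may be caught in the same window."""
    known, unknown = set(), set()
    for src, d, *_ in flows:
        if d != dst:
            continue
        bucket = known if any(ip_address(src) in net for net in intel) else unknown
        bucket.add(src)
    return sorted(known), sorted(unknown)


if __name__ == "__main__":
    alerts = detect_floods(BASELINE_FLOWS, ATTACK_FLOWS)
    for dst, info in alerts.items():
        known, unknown = correlate_sources(ATTACK_FLOWS, dst, THREAT_INTEL)
        print(f"{dst}: {info['packets']} pkts vs baseline {info['baseline']}, "
              f"{info['sources']} sources; {len(known)} known-bad, "
              f"{len(unknown)} unknown")
```

Requiring both a volume ratio and a minimum number of distinct sources keeps a single busy client from triggering the flood alert; the split into known-bad and unknown sources is what makes the external intelligence actionable, since only the intel matches can be blocked wholesale without risking the legitimate client in the same window.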