By Anthony Perridge, VP International at ThreatQuotient
Ransomware attacks are on the rise. VMware surveyed 3,542 CISOs across 14 countries for its recently published Global Security Insights report and found that ransomware attacks were the dominant cause of breaches for organisations worldwide. To compound this, its Threat Analysis Unit identified a 900% increase in ransomware over the first half of 2020.
Despite this rise, many organisations have been left behind in their security operations: 60% of organisations experienced ransomware attacks in 2019, and 29% of those said attacks happened at least once a week. In fact, according to Gartner, 27% of malware incidents reported in 2020 can be linked to ransomware.
Ransomware has become a mainstream topic of concern, with high-profile attacks impacting fuel supplies on the East Coast of America and targeting transportation systems and financial service providers. Organisations are conscious of the need to protect themselves and their customers when attacks happen, and consumer confidence has been affected as a result. A better understanding of adversaries and their tactics, techniques and procedures (TTPs) is needed, so that you can work out how your organisation can mitigate the risks.
A cornerstone to any security operation is a threat intelligence program that provides better intelligence across the threat spectrum from known to unknown attacks, and the ability to leverage this intelligence for all the systems and analysts who need it. This intelligence must include internal data, events and telemetry, supplemented with external data from a diversity of sources including commercial vendors, open sources, ISACs, CERTs, government cyber organisations and other sharing communities.
Threat Intelligence Platforms (TIPs) have risen in popularity to deal with this complexity. The first function of a TIP is to store and manage threat information no matter where it comes from. The second function is to correlate and contextualise it by prioritising the small fraction of relevant information to turn it into useful intelligence. Third, the intelligence must be shared with downstream systems that use it for post-compromise detection, pre-emptive blocking, and patch prioritisation. Finally, TIPs may include analysis and visualisation tools that assist various user groups, including SOC analysts, incident responders and threat hunters, by making it easier to share intelligence and collaborate.
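As an added illustration (not code from ThreatQuotient or any TIP product), the following Python sketch walks through the four TIP functions just described: store and deduplicate indicators from several feeds, correlate them with internal telemetry, prioritise by source agreement and internal sightings, and share the result with blocking and incident-response consumers. All feed names, indicators and host names are constructed sample data.

```python
from collections import defaultdict

# Constructed external feeds (commercial, open source, ISAC) as (type, value).
# The same indicator can legitimately appear in more than one feed.
FEEDS = {
    "commercial": [("domain", "bad.example"), ("ip", "203.0.113.7"), ("sha256", "aa" * 32)],
    "osint":      [("domain", "bad.example"), ("ip", "198.51.100.9")],
    "isac":       [("domain", "bad.example"), ("ip", "203.0.113.7"), ("domain", "stale.example")],
}
# Constructed internal telemetry: proxy/DNS events the organisation already holds.
INTERNAL_EVENTS = [
    {"host": "ws-01", "dst": "bad.example"},
    {"host": "ws-01", "dst": "cdn.example"},
    {"host": "srv-02", "dst": "203.0.113.7"},
    {"host": "ws-03", "dst": "bad.example"},
]

def store(feeds):
    """Function 1: normalise and deduplicate, recording which sources reported each indicator."""
    records = defaultdict(lambda: {"type": None, "sources": set()})
    for source, entries in feeds.items():
        for ioc_type, value in entries:
            records[value]["type"] = ioc_type
            records[value]["sources"].add(source)
    return records

def correlate(records, events):
    """Function 2: contextualise with internal sightings (hosts that contacted the indicator)."""
    sightings = defaultdict(set)
    for ev in events:
        if ev["dst"] in records:
            sightings[ev["dst"]].add(ev["host"])
    for value, rec in records.items():
        rec["hosts"] = sightings.get(value, set())
    return records

def prioritise(records):
    """Function 3: score = independent sources + 2 per internal host seen; highest first."""
    for rec in records.values():
        rec["score"] = len(rec["sources"]) + 2 * len(rec["hosts"])
    return sorted(records.items(), key=lambda kv: kv[1]["score"], reverse=True)

def share(ranked, threshold=3):
    """Function 4: blocklist for pre-emptive blocking, IR queue for post-compromise detection."""
    blocklist = [v for v, r in ranked if r["score"] >= threshold]
    ir_queue = [(v, sorted(r["hosts"])) for v, r in ranked if r["hosts"]]
    return blocklist, ir_queue

def run_pipeline(feeds=FEEDS, events=INTERNAL_EVENTS):
    return share(prioritise(correlate(store(feeds), events)))
```

With the sample data, the single-source indicators never reach the blocklist, while the domain seen in three feeds and on two internal hosts lands at the top of both outputs.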
So how do you get started with a threat intelligence program?
Open data sources and tools such as MISP, TheHive and Cortex are one way to get started with threat intelligence, building and testing the processes required and demonstrating what it can do for your organisation. However, it is worth noting the soft costs of the coding and development time that open source tools require, and it is likely that you will end up with a single person in the organisation holding the institutional knowledge and domain expertise. Should that person leave, costs and risks increase and the program will fail.
Whether you go through this stage or jump straight to evaluating commercial approaches, keep in mind that most threat intelligence programs will cost in the range of £360,000 – £1.4 million per year for an effective capability, including people and new systems, for example threat intel analysts, a TIP and intelligence sources. However, given reports of ransomware demands and if you consider a recent report that estimates the average cost of a data breach at £2.8 million with mega breaches (50 million records or more stolen) reaching £284 million, a threat intelligence program that prevents even a single breach each year will pay for itself.
However, this can be difficult to show when making the case for a budget. Unless your organisation is suffering data breaches constantly, you are unlikely to have any hard data to calculate an ROI. Instead, one approach is to track your organisation’s ability to detect compromises and determine which of those were exclusively detected with intelligence from the threat intelligence program. One large global technology company was able to attribute over 1,500 compromises per annum to their intel program using this method. In the context of their overall compromise detection costs from security tools, incident response, threat hunting and alert triage, they could show a strong ROI for their threat intelligence program.
Compromise detection is one use case; others, including threat intelligence management, vulnerability management and accelerated prevention and detection, present their own ROI areas. These include increased staff efficiency, improved collaboration, faster patching of prioritised vulnerabilities, reduced attacker dwell time and faster time to respond.
As threats evolve and emerge, a threat intelligence program is integral to an organisation's survival. Now is the time to implement a threat intelligence strategy, and even if you already have a program in place, there is always room for improvement and optimisation for your top use cases.