Modern field guide to security and privacy

Opinion: Threat intelligence is the judo move needed to take down hackers

Advanced techniques for quickly tracking and analyzing the behavior and tactics of criminal hackers give companies the tools to defend against emerging cyberthreats.


When a prominent financial institution was hit in 2014 by hackers taking advantage of a previously unknown software flaw, it wasn't long before details about the vulnerability spread on social media, underground forums, and technical listservs.

Hackers mobilized to turn the software bug into an exploit kit – the Sweet Orange kit – so that others could deploy it against new targets. The kit was advertised on Russian forums and it was – and continues to be – updated regularly.

The speed at which the exploit spread around the deep Web, giving technically skilled criminals the chance to put it to use, didn't give other financial institutions much time to patch the holes in their infrastructure and stay ahead of attackers.

But at firms that scour the darker corners of the Internet to learn what hackers know and are selling – such as Recorded Future, where I'm the cofounder and chief executive – we were able to get ahead of the problem. Our technology alerted one of our clients – another large US financial institution – to how they were vulnerable and enabled them to quickly prioritize and patch systems to nullify the threat before they were hit.

That's the value of cyberthreat intelligence. Equipped with an information advantage we're able to outsmart the opponent. At the highest level, we can use intelligence to inform decision-making – all the way from strategy and policy to technical prioritization and blocking and tackling at the network level.
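The two paragraphs above describe intelligence feeding technical prioritization: knowing which flaw is being weaponised and talked about lets a defender decide what to patch first. The following Python routine is an added example of that step, not Recorded Future's code or method; the vulnerability labels (VULN-A, VULN-B, VULN-C), the scoring weights, the 14-day freshness window and the sample intel reports and assets are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class IntelReport:
    """One constructed observation from forums, social media or a kit listing."""
    vuln_id: str
    observed_at: datetime   # when the chatter or exploit-kit listing was seen
    in_exploit_kit: bool    # flaw has been packaged into a kit (as Sweet Orange did)
    mentions: int           # volume of chatter attached to this observation


@dataclass
class Asset:
    """A system in the defender's own inventory (constructed)."""
    name: str
    vuln_ids: List[str]     # flaws known to affect this asset, by constructed label
    internet_facing: bool
    criticality: int        # 1 (low) .. 3 (high), assigned by the asset owner


# Constructed sample data; VULN-* labels are placeholders, not real CVE ids.
NOW = datetime(2015, 4, 15)
REPORTS = [
    IntelReport("VULN-A", datetime(2015, 4, 10), in_exploit_kit=True, mentions=30),
    IntelReport("VULN-A", datetime(2015, 4, 12), in_exploit_kit=False, mentions=25),
    IntelReport("VULN-B", datetime(2015, 3, 20), in_exploit_kit=False, mentions=5),
    IntelReport("VULN-C", datetime(2015, 4, 14), in_exploit_kit=False, mentions=10),
]
ASSETS = [
    Asset("web-gateway", ["VULN-A", "VULN-C"], internet_facing=True, criticality=3),
    Asset("hr-portal", ["VULN-B"], internet_facing=False, criticality=2),
    Asset("trading-db", ["VULN-C"], internet_facing=False, criticality=3),
]


def intel_score(reports: List[IntelReport], vuln_id: str, now: datetime,
                window_days: int = 14) -> float:
    """Score 0..1 for how actively a flaw is being weaponised and discussed.

    Only reports inside the freshness window count, so stale chatter about an
    old flaw does not keep it at the top of the queue. Weights are assumptions:
    0.6 for any exploit-kit sighting, up to 0.4 for chatter volume (50 mentions
    saturates the chatter term).
    """
    cutoff = now - timedelta(days=window_days)
    recent = [r for r in reports if r.vuln_id == vuln_id and r.observed_at >= cutoff]
    if not recent:
        return 0.0
    kit_term = 0.6 if any(r.in_exploit_kit for r in recent) else 0.0
    chatter_term = min(sum(r.mentions for r in recent) / 50.0, 1.0) * 0.4
    return round(kit_term + chatter_term, 3)


def prioritise(assets: List[Asset], reports: List[IntelReport],
               now: datetime) -> List[Tuple[str, str, float]]:
    """Rank (asset, flaw) pairs: intel score multiplied by the asset's exposure.

    Exposure doubles for internet-facing systems and scales with criticality,
    so a kit-weaponised flaw on a public, critical host sorts first.
    """
    rows = []
    for asset in assets:
        exposure = (2.0 if asset.internet_facing else 1.0) * asset.criticality
        for vuln_id in asset.vuln_ids:
            priority = round(exposure * intel_score(reports, vuln_id, now), 3)
            rows.append((asset.name, vuln_id, priority))
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


if __name__ == "__main__":
    for name, vuln_id, priority in prioritise(ASSETS, REPORTS, NOW):
        print(f"{priority:6.2f}  {name:<12} {vuln_id}")
```

With the constructed data, the flaw packaged into a kit and chattered about in the last two weeks (VULN-A) on the internet-facing gateway lands at the top, while VULN-B, whose only report is older than the window, scores zero despite affecting a real asset. In practice the weights and window would be tuned to the organisation's own risk appetite, and the report feed would be the live intelligence rather than a hand-built list.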

In many ways, being able to quickly analyze and respond to threats is the judo move of cybersecurity that can knock out the attacker. To challenge these kinds of sophisticated opponents, we need more than brute force. The judo master uses intelligence and preparation to beat the opponent. The judo move against the digital foe is cyberintelligence – an information advantage mined from the Web.

Many proposals are currently floating about as the best way to defend against enemies on the Web. One of the most talked about is information sharing. Indeed, brilliantly executed information sharing does have an opportunity to be a strong countermove on the attacker – but many obstacles remain in the way.

As logical as it seems to share information, a surprising number of counterincentives stand in the way of meaningful sharing. Legal and financial obstacles are abundant – and since cybervulnerabilities are just that, potential vulnerabilities, there are many intelligence and information advantage reasons entities hold back on sharing.

Sharing vulnerabilities might expose where an organization is weak. Corporations express that sharing intelligence with the government is a one-way street – data goes in but doesn't come back. Cyberintelligence data may seem like technical data but might very well include private data on individuals – and sharing that opens up multiple challenges. Finally, there are indications that security, for better or worse, is starting to be perceived as a competitive advantage, and this could also hinder sharing.

Others suggest more offensive ways of fighting back – such as going after the hackers. But this is risky. As a country, we certainly have the wherewithal to strike back, but what happens when a private company hits back at another company that's engaged in economic espionage? What if a US company inadvertently takes down a significant part of another nation's critical infrastructure in the attack? The blowback could be far more damaging than the original hack. We would not allow this kind of retribution in the physical world, and we should not allow it in the digital realm, either.

But by developing more effective ways to use real-time intelligence we can detect, limit, and even prevent attacks.

Executing an attack does leave traces. There may be traces on networks and equipment. There may be malware code left behind. Attacks happen in sync with geopolitical and business events. Actors may keep regular work schedules or time their operations to political anniversaries. Actors often state their intents on social media before and after attacks. And they discuss their approaches and intents in the underbelly of the Internet.

When you know where to look, and how to use the information you find, there's plenty to learn when it comes to improving cyberdefenses. It's this kind of intelligence that allows for outsmarting a nimble, distributed, and asymmetrical cyberfoe – and it's the ultimate takedown.

Christopher Ahlberg is the cofounder and chief executive officer of Cambridge, Mass., threat intelligence firm Recorded Future, which received funding from Google Ventures, IA Ventures, and the CIA backed venture capital outfit In-Q-Tel. 
