
Making Threat Intelligence Useful for Medium-Sized Enterprises

Sep 28, 2020 | Blog, Outside Intel

Medium-sized enterprises that don’t have sophisticated security operations teams typically focus on the basic blocking and tackling of information security: policies around financial controls, incident response plans, data retention, disaster recovery, user access, and lifecycle management.

In addition, these companies tend to spend their limited resources on testing or auditing those policies for effectiveness. Their security stack is the bare minimum needed to handle an incident: standard anti-virus, firewalls, and perhaps an EDR agent that forwards its alerts to a standard syslog server.

Where intelligence can help enterprises at this level is mostly around their public cloud environments, combined with “outside the firewall” information on how those platforms are regularly abused.

Fusing the two together and making the result relevant to organizations with limited security budgets provides a far greater return on investment than spending on raw threat feeds.

The most common cloud weaknesses include:

  1. Exposed containers and services running default configurations, including applications such as Elasticsearch and MySQL databases and user interfaces like Kibana left reachable from the internet without authentication
  2. Exposed RDP: remote desktop listening on a public address, which invites password brute-forcing and exploitation of the service itself
  3. Malicious cryptomining: attackers using compromised cloud resources to secretly mine digital currency on systems owned and paid for by another party
  4. Insecure protocol usage: outdated or weak SSL/TLS configurations on the encrypted links between web servers and browsers
  5. Misconfiguration resulting in data leakage, the most widely seen weakness in cloud services

AWS S3 is a good example. Buckets are private by default, yet data leaks continue to occur because customers change those default permissions before putting a bucket to use. Buckets can be created either manually or programmatically, and the misconfiguration is either an oversight on the part of an admin or a provisioning script that grants excessive permissions. Default permissions that are loosened for temporary use may never get reverted, leaving the door open for attackers to reach sensitive data.
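The check a practitioner would want for the S3 case above is a periodic audit of every bucket's policy and ACL for grants to the whole internet. The Python script below is an added example, not code from the original post or from Nisos. The policy and ACL documents it inspects are constructed by hand in the shape boto3's get_bucket_policy and get_bucket_acl return them, so it runs offline; the bucket name, account IDs, role names and VPC endpoint ID are placeholders. It shows a "temporary vendor share" left open to everyone, the corrected policy pinned to the vendor's own account, and the audit logic that tells them apart.

```python
"""Audit an S3 bucket policy and bucket ACL for public access grants.

Added example (not Nisos code).  The documents below are constructed samples
in the shape boto3 returns: get_bucket_policy()["Policy"] is a JSON string,
get_bucket_acl() is a dict with a "Grants" list.  Replace the constants with
live API responses to run it against real buckets.
"""
import json

# Grantee URIs that make an ACL grant public (real AWS group URIs).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": [...]}, ...) to a list of strings."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(value if isinstance(value, list) else [value])
        return out
    return list(principal or [])


def public_policy_statements(policy_doc):
    """Return (public, conditioned): Sids of Allow statements granted to everyone.

    A statement is "public" when Effect is Allow, the Principal is "*" or
    {"AWS": "*"} and there is no Condition block.  A wildcard principal with a
    Condition (e.g. aws:SourceVpce) may be legitimately scoped, so those are
    reported separately for manual review rather than treated as public.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement is allowed unlisted
        statements = [statements]
    public, conditioned = [], []
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue
        if "*" not in _principals(statement.get("Principal")):
            continue
        label = statement.get("Sid", f"statement[{index}]")
        (conditioned if statement.get("Condition") else public).append(label)
    return public, conditioned


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to AllUsers/AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def audit(policy, acl):
    """Combine both checks into one verdict for a bucket."""
    public, conditioned = public_policy_statements(policy)
    acl_findings = public_acl_grants(acl)
    return {
        "public_statements": public,
        "conditioned_wildcard_statements": conditioned,
        "public_acl_grants": acl_findings,
        "is_public": bool(public or acl_findings),
    }


# Constructed sample: a bucket opened "temporarily" for a vendor and never reverted.
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TempVendorShare", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Sid": "CIUpload", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-deploy"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}
LEAKY_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
# Corrected policy: the same vendor access, but pinned to the vendor's own role.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VendorShare", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::210987654321:role/vendor-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
        LEAKY_POLICY["Statement"][1],
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit(LEAKY_POLICY, LEAKY_ACL), indent=2))
    print(json.dumps(audit(FIXED_POLICY, {"Grants": []}), indent=2))
```

On the leaky bucket the audit flags TempVendorShare as public and the AllUsers READ grant in the ACL, and lists VpcOnlyRead for review; the fixed bucket comes back clean. In practice this belongs in a scheduled job over every bucket in every account, alongside the account-level S3 Block Public Access setting, which stops such a policy from being attached in the first place.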

Threat actors also abuse legitimate cloud services themselves, for example by enticing enterprise victims to navigate to Pastebin and GitHub pages where the actors commonly host the first-stage payload. By monitoring for this activity, a managed threat intelligence team is in a prime position not only to watch for it, but to advise medium-sized enterprises and keep them from falling victim to these mistakes.

Check out Shane Schilling’s comments on the Cyber5® podcast on how threat intelligence teams can assist small and medium-sized enterprises.
