The Central Intelligence Agency (CIA), Secret Intelligence Service (MI6), Intelligence Bureau (IB), and the other intelligence agencies of countries worldwide would not be viewed as prestigious institutions if information gathering were a simple and straightforward job. Intelligence work is not as easy as tracking and reporting rumors.
The job of intelligence agencies involves sophisticated strategies, techniques, and protocols. They do not simply send out news gatherers and spies to accumulate whatever information they can find. Intelligence agencies do not wait for specific details about specific threats before they decide that an attack is impending. They perform analyses, triangulations, inferences, extrapolations, and deductions to decide whether a threat is coming and to facilitate defensive preparations.
All of this is comparable to the role of cyber threat intelligence. For organizations to determine what the threats are and prepare for them, intelligence gathering is essential. To narrow down the probable threats and attacks that are likely to compromise the established defenses, it is advisable to undertake threat intelligence-led penetration testing.
What is threat intelligence-led testing?
The international nonprofit organization CREST defines intelligence-led penetration testing as the process of evaluating the resilience of critical functions that may become the target of sophisticated and persistent attacks. Essentially, it is about using cyber threat intelligence to build a penetration testing simulation that takes into account a wide range of current information.
The test is undertaken by penetration testing providers that have experience with various types of organizations and an extensive array of threats. Ultimately, the test aims to provide the most realistic form of assurance that an organization’s security controls are adequate to prevent threats or to mitigate their adverse impact.
Why is threat intelligence necessary?
“The purpose of intelligence-led penetration testing is to assess and provide insight to entities’ resilience capabilities against a real-world simulated cyber incident intelligence,” states an EC-Council blog post on the purpose of intelligence-led penetration testing. It is the fusion of cyber threat intelligence (CTI) and penetration testing.
There are times when standard penetration testing does not suffice. This happens because new attacks appear in rapid succession and existing ones evolve or grow more sophisticated. An organization’s security controls may not be updated as fast as the threats arrive. As a result, attacks manage to exploit existing vulnerabilities or elude detection and penetrate successfully.
How does threat intelligence-led testing work?
One security solution that can illustrate the mechanisms, operations, and processes underlying intelligence-led penetration testing is Cymulate. This SaaS-based security platform’s Immediate Threat Intelligence vector, in particular, demonstrates how cyber threat intelligence plays a vital role in enabling effective cyber protection.
Cymulate’s Immediate Threat Intelligence system is designed to protect against emerging and reemerging threats that are deemed to be actively propagating across the internet. It collects information from various authoritative sources, including the Cybersecurity and Infrastructure Security Agency (CISA) and open-source and commercial cyber threat intelligence sources.
Whenever a threat is detected to be in active propagation, Cymulate builds an immediate threat intelligence simulation, which is then posted to the Cymulate cloud platform. This usually happens within about 24 hours, so that the intelligence used and the corresponding responses to threats are up to date.
Once a threat simulation is posted, Cymulate users can review it in the Immediate Threats Intelligence dashboard. Here, all of the newly detected threats are listed with their respective details.
The dashboard also provides the tools necessary to perform simulations that will determine whether the existing security system is capable of holding the threat at bay or if it will be necessary to implement security changes to deal with the threat.
The simulations run in the cloud, but they reflect the scenarios that would likely play out on a system if it encountered the newly detected threats. No actual attack takes place on a user’s system, even though Cymulate’s threat intelligence dashboard indicates the possible effects of a threat.
Cymulate’s Immediate Threats Intelligence system checks whether the email filtering system, firewall, proxy services, DNS filters, and other security tools are working as they are supposed to. If the threat manages to pass through these, the test then checks whether the endpoint anti-malware or Endpoint Detection and Response (EDR) solution is able to stop the malicious software from writing to disk. All of the installed defenses detected by Cymulate are tested to find out how they respond to the new possible cyber attacks.
After the simulations are completed, Cymulate generates reports for the specific threats detected. Color-coded numeric scores on a scale of 1 to 100 are provided; lower scores are better.
Green scores indicate that the threat is being adequately handled. Orange scores indicate that improvements or adjustments are necessary. Red scores, on the other hand, call for urgent action, as they show that the threat could be critically harmful.
The reports include recommendations on what needs to be done to make sure that the threats are blocked. These recommendations include changes in security settings, some tweaks, or major changes such as the replacement of the anti-malware application.
Intelligence-led penetration testing is about using cyber threat intelligence to perform simulations that are in line with the latest malware, attacks, and other threats that are of immediate concern as they are found to be actively propagating.
In the case of Cymulate, it is the platform itself that performs the CTI work by scouring data from various reliable cyber threat information sources. Cymulate then uses these data to run simulations that determine the impact of the newly discovered actively propagating threats. After this, the system provides insights as to what needs to be done to prevent the threats from successfully penetrating.
The entire process follows the sequence described below. First, the attack outbreak (an actively propagating threat) is identified through cyber threat intelligence. The threat is then evaluated to determine whether it has the potential to break through an organization’s security controls. If it is assessed to be capable of breaching defenses, the mitigation phase follows, in which security recommendations are provided. Once the recommended changes or security improvements are applied, the system is considered secured. Finally, a report of the simulation and of the status of the device or system is generated.
Cyber threat intelligence-led penetration testing is not a perfect or infallible security solution. There are potential challenges that can skew the results of the simulations.
At present, it is safe to say that most CTI sources are reliable and updated with the most recent cyber attacks and threats. The weak point is more often the system that makes use of the cyber threat intelligence. It may not have a mature enough AI or machine learning component, which can lead to inefficiencies in applying threat intelligence and in running realistic simulations of how threats affect devices or systems.
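As an added illustration of the layered evaluation, scoring and recommendation flow described above (this is constructed example code, not Cymulate’s own, and the stage order, scoring formula and color thresholds are assumptions, since the page only states that scores run from 1 to 100 with lower being better):

```python
# Constructed model of a layered control check. Assumptions: the stage order
# below, the score formula and the green/orange/red thresholds.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Controls in the order the evaluation exercises them: perimeter controls first,
# then endpoint anti-malware/EDR only if the sample gets past them.
STAGES = ("email_filter", "firewall", "proxy", "dns_filter", "edr")


@dataclass(frozen=True)
class SimResult:
    threat: str
    score: int                      # 1-100, lower is better (assumed formula)
    rating: str                     # "green", "orange" or "red"
    blocked_by: Optional[str]       # control that stopped the sample, if any
    recommendations: Tuple[str, ...]


def simulate(threat: str, verdicts: Dict[str, bool]) -> SimResult:
    """verdicts maps each deployed control to True if it blocked the sample.
    Controls missing from the dict are treated as not deployed and skipped."""
    deployed = [s for s in STAGES if s in verdicts]
    passed = []
    blocked_by = None
    for stage in deployed:
        if verdicts[stage]:
            blocked_by = stage
            break
        passed.append(stage)
    # Assumed score: share of deployed controls the sample got past, scaled so a
    # block at the first control scores 1 and a sample nothing stops scores 100.
    if blocked_by is None:
        score = 100
    else:
        score = max(1, round(100 * len(passed) / len(deployed)))
    rating = "green" if score <= 33 else "orange" if score <= 66 else "red"
    recs = [f"tune {s}: sample passed without detection" for s in passed]
    if blocked_by is None:
        recs.append("no control stopped the sample; review or replace the "
                    "endpoint anti-malware")
    return SimResult(threat, score, rating, blocked_by, tuple(recs))


if __name__ == "__main__":
    # Constructed verdicts standing in for replaying a sample at each control.
    print(simulate("constructed-sample", {"email_filter": False,
                                          "firewall": True, "proxy": False,
                                          "dns_filter": False, "edr": False}))
```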
Additionally, there’s the issue of organizations being unable to take full advantage of threat intelligence-led penetration testing. They may have difficulties with integration. There might be incompatibilities in rules and protocols.
As a research paper on the challenges of leveraging threat intelligence concludes, “Adopting AI/ML to predict and stop data breaches requires a holistic, organization-wide threat intelligence strategy that is fully-integrated in the organizational security management framework.” Organizations that lack cybersecurity proficiency and experience may not get the best results from intelligence-led testing.
Addressing the challenges
Starting from scratch with cyber threat intelligence-led testing is not impossible, but it can be costly and time-consuming. Logically, it would be advantageous to use a platform or build on an existing solution that already covers the most important aspects of CTI-driven penetration testing.
It makes sense to use a system like Cymulate’s Immediate Threat Intelligence to expedite the penetration testing process while leveraging an existing cyber threat intelligence solution with a proven machine learning or AI-backed simulation platform. It is not only convenient; it is also efficient in terms of cost, effort, and hardware and software requirements.