
Intelligence-Led Offensive Security - a Powerful Combination




Threat intelligence is a powerful tool for assessing cyber risk, both current and predictive. In the right hands, the data it collects can also guide a variety of proactive and preventative security measures. Combining threat intelligence with offensive security assessments (pentesting) gives businesses a definite advantage in security resilience, and a peace of mind that neither pentesting alone nor threat intelligence alone provides.


"Penetration testing" and "offensive security assessment" have become vague terms that mean different things to different businesses. Organizations conceptualize such assessments in a number of ways, depending on factors such as prior experience or exposure to them, their level of cyber security sophistication and maturity, and the level of risk they face.


Additionally, a threat intelligence program may already exist at your organization. However, many directors and other C-level executives still don't have a strong grasp of how threat intelligence can be leveraged to strengthen an organization's security. Yes, threat intelligence in the right hands has the ability to make your company 40% more cyber-resilient. To be fair, this holds mostly when you employ proper, actionable threat intelligence tailored to your business operations and company needs. Unfortunately, some in the security business still consider investing in threat intelligence useless (and afterwards we hear about their data breaches in the media).


By definition, "threat intelligence" is evidence-based information about current or emerging threats to assets, used to inform decisions about how the company should respond to them. Put briefly, threat intelligence is knowing what threats your company faces.


Ideally, that involves answers to questions like the following:

• Who will most likely try to attack you?

• What are threat actors probably going to go after? Crown jewels and assets critical for business operation; answering this requires tailored and comprehensive business/threat mapping.

• When are attacks most likely to take place? Are there indicators of an upcoming cyberattack on the business, such as threat-actor activity or discussions?

• Exactly what means or TTPs will they use to launch their attack? Consider the technology-specific tools threat actors might leverage against the business.



Of course, not every business has access to or makes use of each of the aforementioned intelligence sources and insights. Threat intelligence produced by automated platforms alone often does not shed enough light (let alone provide actionable data) on the threat landscape and the range of threats a company faces.


An effective risk-based security program cannot guarantee safety against truly new threats, but a good threat intelligence program that combines manual, automated and threat-led offensive approaches can help a business get a leg up in this area. In light of these observations, it should be clear that threat intelligence is a powerful tool for assessing cyber risk, both current and predictive, and that the data it collects can also guide proactive and preventative security measures.



How to not consume threat intelligence

The most crucial point to remember about threat intelligence is that it is useless unless it guides some kind of response. If threat intelligence cannot be put into action, it is useless.


Furthermore, it is imperative that your organization's environment, security program, industry, and risks be taken into account when analyzing tailored threat intel (including some of the things I have mentioned above).


Bad threat intelligence, alas, may be found anywhere. Free threat feeds and industry news websites may feature interesting but non-actionable content. In the wrong hands, this sort of information can consume a lot of time and do nothing for your business resilience.


Your business will quickly find itself chasing stories and indicators of compromise (IOCs) that aren't relevant to its needs, just as many firms do in response to the current security news. Keep in mind that stories in the media may be captivating, but they aren't always useful for your business (which is unique in its operations, crown jewels, and other critical factors).

In contrast, efficient threat intelligence always displays these two main traits:

• It's something that your business can use.

• It can be put to use right away.



It might not be newsworthy enough to get everyone talking, but if implemented, it could significantly boost your company's security and resilience, or simply ensure that existing operations keep running and stay available (in particular if the business is customer-facing).


Powerful combination in action

The connection between threat intelligence and pentesting or offensive security is that intelligence helps pentesters simulate more closely the actions of real threat actors and their current TTPs against the business, and it also lets them use intelligence data to close the gaps that classic, routine pentesting practices miss today. This includes:


• With threat-led pentesting, you are focusing on the assets, systems, and apps that pose the greatest risk to your business based on the most recent threat activity (relying on intelligence from clear, deep, dark web, etc.).

• Using the most cutting-edge TTPs (tactics, techniques, and procedures) currently utilized in your field and area of operation.

• And most importantly, correlating threat data with data from penetration testing allows businesses to cross-match information and valuable insights that each of these practices misses on its own, closing security gaps that are critical for business continuity.


Intelligence can be a driving factor in decision making not only for penetration testing and offensive security but also for a wide variety of other security practices, as demonstrated by the image below: it provides key insights that let decision makers make choices that are both more accurate and more business-efficient.


That is to say, threat-led pentesting helps testers gauge an organization's resistance to simulated real-world incidents. For this reason, it makes sense to use threat intelligence as part of pentesting and offensive security procedures today.



So, what does an offensive assessment or a pentest that is driven by threat intelligence look like in action? The first order of business for a pentester is to determine:

• Which assets are most at risk or most valuable?

• Whether and how those assets will be attacked (TTPs)?

• Which gaps in the pentest results can intelligence insights fill?


Once these details are established, the pentest can be tailored to its specific purpose or scope. A combination of a security questionnaire and hands-on expertise is used to assess the risk posed by the various threats seen in intelligence sources, the assets that are most likely to be (or are actively being) targeted, and the TTPs most likely to be employed.


Below is an outline of how to profile potential risks:

• Construct an outline of the company's background and strongest points.

• Detail the main vulnerable areas per business operation.

• Deconstruct vital systems into their individual elements so you can test them individually.

• Find potential attack paths and common attack vectors before you employ them in testing.

• Match major threat actors with their goals and TTPs.

• Outline important intelligence insights to reinforce, re-evaluate and close significant security weaknesses.
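The cross-matching step from the list above (correlating intelligence TTPs with pentest findings, then surfacing what intelligence says is targeted but the pentest never exercised) can be expressed as a small prioritisation routine. The code below is an added illustration, not EPCYBER's tooling: the actor names, the crown-jewel inventory, the intel records and the findings are all constructed sample data, and the technique identifiers are used as plain labels, not as claims about any real actor.

```python
"""Cross-match a threat-intel feed against pentest findings to rank and find gaps."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IntelItem:
    actor: str          # constructed actor label
    technique: str      # technique label, e.g. an ATT&CK-style id
    asset_type: str     # asset class the actor is reported to target
    confidence: float   # analyst confidence, 0..1


@dataclass(frozen=True)
class Finding:
    asset: str
    asset_type: str
    technique: str      # technique the tester actually exercised
    severity: int       # 1 (low) .. 4 (critical)


# Constructed sample data: crown jewels, an intel feed and pentest findings.
CROWN_JEWELS = {"pay-gw-01": "payment_api", "vpn-edge": "vpn_gateway", "hr-portal": "web_app"}
INTEL = [
    IntelItem("FIN-Example", "T1190", "payment_api", 0.9),
    IntelItem("FIN-Example", "T1078", "vpn_gateway", 0.8),
    IntelItem("Crime-Example", "T1566", "workstation", 0.6),  # not a crown-jewel type
]
FINDINGS = [
    Finding("pay-gw-01", "payment_api", "T1190", 3),
    Finding("hr-portal", "web_app", "T1190", 2),
    Finding("vpn-edge", "vpn_gateway", "T1110", 1),
]


def prioritise(intel, findings, crown_jewels):
    """Return (ranked findings, relevant intel the pentest never tested).

    score = severity * (1 + summed confidence of intel matching technique and
    asset type), doubled when the asset is a crown jewel. Intel that targets
    no crown-jewel asset type is dropped as irrelevant noise.
    """
    ranked = []
    for f in findings:
        corroboration = sum(i.confidence for i in intel
                            if i.technique == f.technique and i.asset_type == f.asset_type)
        weight = 2 if f.asset in crown_jewels else 1
        ranked.append((round(f.severity * (1 + corroboration) * weight, 2), f))
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    tested = {(f.technique, f.asset_type) for f in findings}
    untested = [i for i in intel if (i.technique, i.asset_type) not in tested
                and i.asset_type in crown_jewels.values()]
    return ranked, untested
```

Run over the sample data, the corroborated payment-gateway finding ranks first, and the untested list names the VPN credential technique the feed attributes to the actor but the pentest never exercised, which is exactly the gap the outline asks you to close.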


Organizations with active threat intelligence programs are encouraged to share their discoveries with pentesters as part of this procedure. This helps prioritize the assets and threats that pose the most danger to the business, so that pentesting delivers the most accurate results.


Every major security framework, from PCI DSS to HIPAA to NIST, is predicated on the idea of minimizing risk. This is the most commonsense approach to designing a security program.

Threat-led pentesting is a natural outgrowth of this mindset. It is a method for zeroing in on the risks and assets that pose the greatest threats to a company, so that more thorough, realistic, accurate (and valuable) pentesting can be performed and the business can see the full picture of the risks it faces.



In almost every offensive engagement of this sort, experts leverage a variety of web or network tools, and often these include https://www.shodan.io/, an "internet connected devices" search engine with many uses for security researchers, pentesters, and threat intelligence experts alike. It is also heavily used (or abused) by threat actors seeking "low hanging fruit" on target businesses, such as easily exposed interfaces, admin access portals, or misconfigured infrastructure that allows easy access to, bypass of, or damage to the business's assets.


Another example is https://leakix.net/, an amazing search engine I discovered in the depths of the web and wrote about back in 2020 (https://pentestmag.com/looking-at-active-cyber-threats-with-leakix/). This is another example of how the worlds of threat intelligence and pentesting can come together, helping companies see what the bad guys see on both sides of the wall.


Some businesses acknowledge their need for threat intelligence or pentesting alone; what they do not acknowledge or understand is that there will very likely always be gaps in findings, gaps in security, and gaps in fully understanding the threats the organization faces, leaving doors open to cybercriminals and cyberattacks. Combining threat intelligence with offensive security, in the right hands, generates a truly full threat picture of the business tailored to its operations and critical assets, and ensures higher cyber-resilience. This integrated approach enables directors, CISOs, and other C-level decision makers to view the true and accurate picture of their business's targeted risks, allowing resources and security choices to be directed along a narrower, more focused path that leaves no security gap.

