Digital transformation initiatives and hybrid IT increase risk and drive the need for digital risk protection. Threat intelligence programs must accommodate this requirement.

While indicators of compromise (IoCs) and attackers’ tactics, techniques, and procedures (TTPs) remain central to threat intelligence, cyber threat intelligence (CTI) needs have grown over the past few years, driven by things like digital transformation, cloud computing, SaaS propagation, and remote worker support. In fact, these changes have led to a CTI subcategory focused on digital risk protection (DRP). DRP is broadly defined as “telemetry, analysis, processes, and technologies used to identify and mitigate risks associated with digital assets.”

Earlier this month, I examined ESG research on enterprise CTI programs. CISOs are investing here but challenges remain. I’ve also dug into the CTI lifecycle. Nearly three-quarters (74%) of organizations claim they employ a lifecycle, but many describe bottlenecks in one or several of the lifecycle phases.

ESG defined cyber threat intelligence as “evidence-based actionable knowledge about the hostile intentions of cyber adversaries that satisfies one or several requirements.” In the past, this definition really applied to data on IoCs, reputation lists (e.g., lists of known bad IP addresses, web domains, or files), and details on TTPs.

How digital risk protection drives cyber threat intelligence adoption

The intelligence part of DRP is intended to provide continuous monitoring of things like user credentials, sensitive data, SSL certificates, or mobile applications, looking for general weaknesses, hacker chatter, or malicious activities in these areas. For example, a fraudulent website could indicate a phishing campaign using the organization’s branding to scam users. The same applies to a malicious mobile app. Leaked credentials could be for sale on the dark web. Bad guys could be exchanging ideas for a targeted attack. You get the picture.

It appears from the research that the proliferation of digital transformation initiatives is acting as a catalyst for threat intelligence programs. When asked why their organizations started a CTI program, 38% said “as a part of a broader digital risk protection effort in areas like brand reputation, executive protection, deep/dark web monitoring, etc.” The research also indicates that 98% of enterprises now have some form of DRP in place.

Most important digital risk protection functions

To delve further into DRP, ESG asked security professionals to define the most important DRP functions at their organizations. Here are the top six responses:

Vulnerability exploit intelligence: Vulnerability management programs regularly reveal hundreds or thousands of software weaknesses, but how do you decide which ones to mitigate first? By knowing which vulnerabilities the bad guys are exploiting. DRP can align vulnerabilities and known exploits, providing useful intelligence for patching prioritization. Note that this can also be done with risk-based vulnerability management tools (e.g., Cisco/Kenna, Ivanti, or Tenable).

Takedown services: The UK National Cyber Security Centre defines takedown services as follows: “Takedown services aim to reduce the return on investment for attackers by removing sites and blocking any attack infrastructure to limit the harm that these attacks can cause.” When fraudulent phishing sites or mobile applications are discovered, takedown services are the shortest path toward risk mitigation.

Leaked data monitoring: Whether it’s an insider attack, employee negligence, or sloppy behavior, data leaks are all too common. DRP seeks out leaked data before it can lead to corporate damage.

Malicious mobile application monitoring: So-called “grayware” can corrupt user devices or sully an organization’s reputation. DRP intends to find and squash these apps on legitimate and underworld app stores.

Brand protection: Brand protection safeguards the intellectual property (IP) of companies and their associated brands against counterfeiters, copyright pirates, patent infringements, etc. These may be associated with phishing sites or even phony physical goods. DRP scans the Internet for imposters, fakes, and scams.

Attack surface management (ASM): ASM is the continuous discovery, monitoring, analysis, and remediation of all assets on the attack surface. In some cases, ASM is included as part of DRP services.

DRP can also include dark web monitoring for gossip about an organization and potential targeted attack planning. This intelligence can help organizations get their shields up. Rather than spin up a DRP program, many use DRP service providers like CrowdStrike, Cybersixgill, Digital Shadows (ReliaQuest), IntSights (Rapid7), Mandiant, Proofpoint, and ZeroFox.

Regardless of its form, DRP must be part of a mature cyber threat intelligence program. Before folding these two areas together, CISOs should approach DRP with a threat intelligence lifecycle approach. Successful DRP programs will be driven by the creation of clear priority intelligence requirements (PIRs), strong analysis, customized intelligence reports, and continuous feedback.