July 7, 2023

Putting Threat Intelligence to Work

Real-time threat intelligence is a must-have for protecting clients, and you don’t have to be an enterprise-size MSP to benefit from an Information Sharing and Analysis Organization (ISAO).

This article is based on the “Putting Threat Intelligence to Work” session at ChannelPro’s Online Cybersecurity Summit: Smart Security, held December 2022.

ACCESS TO THREAT INTELLIGENCE allows an MSP to better protect clients by being more proactive. It can also be a valuable tool for educating both your staff and your clients on the threat landscape and the importance of good cyber hygiene. However, you don’t want to drown in information. Membership in an Information Sharing and Analysis Organization (ISAO) can be an affordable way to get and filter threat intelligence, even for smaller MSPs.

An ISAO gathers, disseminates, and documents cyber threat intelligence across communities of interest or membership organizations. ISAOs stem from Information Sharing and Analysis Centers (ISAC), non-profit organizations that share information between the public and private sectors and focus on the critical infrastructure of particular industries, such as healthcare or IT.

Industry organization CompTIA established its ISAO in 2020 and has a strong relationship with the IT ISAC, which is sponsored by the federal Cybersecurity and Infrastructure Security Agency (CISA), according to Wayne Selk, CompTIA vice president of cybersecurity programs and executive director of its ISAO.

To illustrate the effectiveness of an ISAO, Selk uses the analogy of a scuba diver who encounters a shark. “If you encounter a shark underwater, you need to make yourself as large as possible, because the shark does not want to attack anything that appears to be bigger than itself. It might still, however, which is true in the analogy sense that I’m using here. But collectively, if we’re all together as a much larger entity sharing information, we can kind of stem off the attacks, or at least find out about them sooner to be able to protect the rest of the community as a whole.”

The Benefits of Threat Intelligence

Threat intelligence means different things to different people, depending upon the context in which they’re trying to use it, explains Selk, but it’s essentially information. “Obviously, there are indicators of compromise, of potential threats that exist in the wild, on the wire, in systems all day long.”

Clients need to understand the threats that impact their business, he continues, “and the solution providers are at the forefront of being able to help gather that information and then share it down to their clients for their specific, unique, industry vertical.”

Threat intelligence can help MSPs better protect their clients. “Threats are constant. They’re always incoming, they’re always changing different tactics and ways of doing things,” says Dave Alton, CTO for Strategic Information Services Inc. (Sirinc), a managed service provider with offices in Los Angeles and Houston, and a CompTIA ISAO member. “What we have really used the ISAO for is two things. One is that moment to moment view of, OK, what’s really happening in the world right now? Give it to me in a digestible way, something that I can … do something about, versus hearing it on the news or reading it in one of the blogs.”

Second and more important, Alton says, is using the knowledge of the community. “Knowing what threats look like and how they’re going to come in is such a huge advantage for me; just doing the smart things that you need to do to protect an organization. That is really, at the end of the day, how we use threat intelligence day in, day out.”

CompTIA ISAO member Patrick Burgess, co-founder and technical director at Nutbourne, an MSP in London, says access to threat intelligence has enabled his firm to “move from reactive to proactive in a lot of the ways we work.”

As a result, Nutbourne has been able to, say, patch servers before news of a threat makes it to the media. When clients ask about what they saw on the news, he can respond, “‘Yeah, that was the thing we fixed yesterday. That’s why we did that.’ Not only does it save us having to deal with the problems that come out of it if we get to it fast enough, but it’s also really helped us look good at that and be good at that. That’s really important.”

Burgess also uses intelligence to educate his staff on new threats—how big they are, what the vectors are, and where they’re coming from. “It really helps your staff stay alert and look for the oddities that are going on in the world. And that, again, from a proactive perspective is really positive.”

Threat intelligence can be used to educate clients as well. Alton says his clients initially didn’t understand why the Log4j vulnerability was “a big deal.” His firm used it as an educational tool. “We had some very interesting technical details about it. We had already scanned most of our clients’ networks by the time they were hearing about it. … We’re not a security practice, but we used a lot of tools to help manage and lower the attack vectors and the surface area of the attack.”

In addition to containing the threat, Alton used the opportunity to have a conversation with clients about the additional layers of protection they needed. “It’s really difficult to talk about security threats because they’re very ethereal until you’re in the weeds … And this was a way for us to get that foothold so that we could protect networks better. And we added a whole bunch of new tools, procedures, and better practices.”

Burgess had a similar experience with Exchange vulnerabilities in January 2021. Threat intelligence enabled his organization to get ahead of the patching, which he says gave him credibility with customers. However, he adds, the biggest vulnerabilities persisted for months, so it required ongoing work. “There was so much that needed to be done. Not only patching but investigating and understanding and temporary lockdowns that needed to be done until the patch came out from Microsoft.”

The CompTIA ISAO gave him “a team of people in a forum who are talking about this and working their way through best practices. … Double checking and bouncing these items off people was not only helpful but comforting. It meant that we weren’t sitting there on our own as an MSP.”

Threat Intelligence Is Not Just for Big MSPs

Alton says access to threat intelligence enables him to “react and act like a much larger MSP because I feel like I’ve got a whole team behind me. You pay a tiny fee to have access to that. … It really has become our backstop in a lot of cases.”

Burgess recommends filtering the information by prioritizing what could impact your stack. “We look through those feeds on a regular basis.” If it’s relevant to their stack, they’ll look deeper, he explains.

Alton says he is primarily the curator of the information; actionable intelligence comes to his email inbox and informational intelligence goes to a separate folder. He forwards relevant information to the appropriate staff. “Most of the threats that come in are not about me specifically … and a lot of them don’t affect my stack, don’t affect our industries that we work in, but they are great educational tools,” he notes.

Concludes Selk, “It really does take a village for folks to be able to understand threats associated with things that are going on.”
