Why risk scores are essential for security response

By Recorded Future

Staffan Truvé, Chief Technology Officer and Co-founder of Recorded Future, discusses why organisations need threat intelligence today.

Cybersecurity is like an “arms race” that keeps escalating, says Staffan Truvé, Chief Technology Officer and Co-founder of Recorded Future. Organisations and attackers constantly compete against each other to increase the strength and number of their ‘weapons’.

To top it off, the playing field isn’t equal. “The defending side needs to succeed, every time, every second, whereas for the bad guys, it’s enough to just succeed once,” he adds.

Threat intelligence is crucial to “stay one step ahead of the bad guys”, Truvé says. He shares how Recorded Future aggregates intelligence into a risk score to help organisations respond smarter and quicker.

The arms race

As more organisations go digital and get connected to each other, the attack surface has expanded, says Truvé. The volume of threats and lack of security personnel has driven the uptake of automation.

But as organisations start to automate their defenses, attackers will use the technology too, says Truvé. “If you go to some Russian underground forums, you actually see them advertising tools which automates some attack methods and so on.”

Threat intelligence has never been more necessary. Organisations can be informed of upcoming attack trends and start preparing for them, “rather than clean up after an attack, which is what a lot of security people spend their time doing.”

Calculating risk scores

Recorded Future calculates risk scores of malicious entities to guide security decisions, says Truvé. The scores sort possible threats according to urgency and risk, saving analysts time from chasing after false positives and helping them decide what to prioritise.

Its technology also scours relevant security information from every corner of the web for better risk analysis. It shines light into hacker, criminal and extremist forums to find out if an IP address has been mentioned there, says Truvé. If an IP address has been on a blacklist or mentioned in an underground forum, it will contribute to a higher risk score.
Image: Recorded Future. 

Organisations can also track different threat actors’ activity and stay ahead. Machine learning understands and consolidates information across 12 different languages, along with research from the company’s analyst group Insikt, into a single Intelligence Card.

Third-party intelligence

As more organisations go digital and get connected with each other, the attack surface increases. Recorded Future also calculates risk scores of companies to help organisations decide whether potential partners, suppliers or customers “have their cyber security in good shape,” Truvé says.

“We look for example at if they have a lot of passwords credentials floating around on dark websites or if their public web servers are running up-to-date software,” he adds. This information is aggregated into a numeric risk score along with other factors. A chart also allows organisations to see when and why the score increases or decreases.

If an organisation sees their partner’s risk score go up, it can communicate with them to address possible vulnerabilities, says Truvé. As of today, the company has created about 175,000 intelligence cards for different organisations.

Real-time alerting

Organisations can also set up real-time security alerts, says Truvé. That can include alerts on new malware targeting their industry, or a suspicious new domain impersonating their organisation.

A US financial institution successfully used Recorded Future’s technology to avoid a security risk, Truvé shares. “A warning said that someone had uploaded a lot of their source code, including passwords to databases and stuff to GitHub.”

“It turned out a consultant working for them had uploaded some code because he wanted to be able to work from home,” says Truvé. Code popping up online happens quite frequently, he adds, and it’s important to monitor that.

But it would be “completely impossible” for humans to continuously monitor everything related to the organisation on the Internet, he says. So threat intelligence and alerting becomes essential.

In the arms race of cybersecurity, context and insider information is key to staying ahead. Threat intelligence provides just that, and is a beacon of hope for today’s complex security landscape.