RomanenkoAlexey - Fotolia

Why predictive threat intelligence is key

Threat intelligence startup Cyfirma is using virtual agents to gather intelligence on potential cyber attacks that are being coordinated in underground forums before they occur

When Kumar Ritesh left the British intelligence service to take up various roles in cyber security at IBM, PricewaterhouseCoopers (PwC) and global resourcing firm BHP, he saw problems in the way threat intelligence was being put together and consumed.

At BHP, where Ritesh was chief information security officer, board members often wondered which threat actors were responsible for the growing number of cyber threats targeted at BHP between 2014 and 2015.

“Within a year, we started to see new threats and attacks coming towards us that were more focused on disrupting our mining operations and exfiltrating information,” Ritesh said. “It was well-planned, but what was important was to really understand why this was happening.”

But none of BHP’s top cyber security suppliers, including established ones like FireEye, Palo Alto Networks, Recorded Future and Cisco, had a clear answer – even though Ritesh had a plump security budget of nearly $200m.

“Everybody was getting too involved with how it happened,” Ritesh said. “It looked like there was a phishing email that somebody clicked on that got a malware installed, and the malware was trying to take out information from the organisation.”

Pointing to the different stages of the cyber kill chain, Ritesh said even before knowing how a cyber breach happened, organisations need to know the 5Ws: who the attackers were, what were they after, when they would attack, where they were and why they were planning an attack.

“All of that forms part of your management intelligence and only when you have answers to the who, what, when, where and why can you get to the how part of the problem,” he said, stressing the importance of having intelligence contextualised for an organisation’s operating environment.

“Until your intelligence is very specific to your industry, the location where you’re operating from, or your infrastructure, there is no meaning to intelligence,” he added.

Most threat intelligence also tends to be reactive rather than predictive, Ritesh said. For example, when a new malware emerges, threat intelligence suppliers often tailor the indicators of compromise (IOCs) to an enterprise, which then applies them across its infrastructure to suss out threats.

“If intelligence is not predictive, it’s not intelligence,” Ritesh said. “If you look at agencies like the Central Intelligence Agency, and I’ve worked very closely with them, when we provide intelligence to a law enforcement agency, it’s always based on information we have processed, and we say this is where things are heading. Then, law enforcement agencies can take corrective actions to properly react to it.”

Ritesh saw the business opportunity in building a threat intelligence platform that would help enterprises discover cyber threats, decode signals from noise to gain useful insights, and take remedial actions against cyber criminals before an actual attack occurs.

With just four slides, Ritesh made his pitch to venture capitalists and investors. One of them, Goldman Sachs, bought the idea and had him incubate his business as part of the research and development (R&D) arm of Antuit, a big data analytics startup that the investment bank had been funding. In 2019, the unit spun off from Antuit to form Cyfirma where Ritesh is now chairman and CEO.

Today, the company has offices in Singapore and India, as well as in Japan, a demanding market where it counts large corporations such as NEC, Toshiba and NTT as clients. “If we didn’t have the highest possible quality of intelligence or if our platform was not very sophisticated, we would not exist in that market,” Ritesh said.

The key to delivering contextualised, actionable threat intelligence usually requires suppliers to have some knowledge of a client’s operating environment, but such information is usually deemed too sensitive.

Having had similar concerns when he engaged threat intelligence firms while he was at BHP, Ritesh said Cyfirma tries to put itself in the shoes of perpetrators to identify those who may try to break into a client’s network.

This is done by deploying 900 virtual agents to find out what threat actors are saying on underground forums and marketplaces such as the dark web, with an eye on connecting the dots between campaigns conducted by the same perpetrators and identifying any links with nation states and hacker groups.

All that data is ingested into the Cyfirma platform which then applies a mathematical model to process the data and find answers to the 5Ws. “If we can’t find the answers, then we go back to our data sources to hunt for more information,” Ritesh said.

Making sense of the threat intelligence is key, but as different stakeholders look out for different facets in the data, Cyfirma offers four different dashboard views.

These include a threat view for security chiefs who are interested in operational information, and a risk view for risk and compliance heads who want insights on how their organisations’ cyber security posture differs from that of their peers in the same industry.

To reduce the number of false positives, Ritesh said threat intelligence is presented to clients only if there is high confidence that threat actors have taken specific actions such as targeting certain vulnerabilities and setting up command and control servers to facilitate an attack.

“Our ability to reduce false positives is very high,” Ritesh said. “If I have to give you a number, I would say 80% of the time we are able to give you the insight which is applicable to you – and that has been our secret sauce.”

Having raised $8m from Goldman Sachs, Zodius Capital and Z3Partners, Cyfirma is now looking to raise $25m in Series B funding to improve product integration with other security solutions and expand its reach into the US, Europe and the Middle East.

Read more about cyber security in APAC

Read more on Hackers and cybercrime prevention