One problem for many organisations is that they do not really understand the threats they are facing, and therefore don’t understand what risk controls to select and implement. That lack of understanding is often compounded by insufficient investment in cyber threat intelligence acquisition and cyber security controls.
It is important to ask yourself: are you chasing false flags, and failing to analyse your own internal and external threats with the necessary tools, techniques and practices? Do you have gaps in Cyber Threat Intelligence or, at worst, no intelligence at all? If so, you cannot adequately understand and respond to the most likely threats to your organisation, which in turn could lead to additional gaps in mitigation planning.
What can you do? Take the following plan under consideration:
- Improve intelligence on all levels of adversary actions, methods and intent.
- Integrate capability into areas of policy, procedures, and practices.
- Tighten links between warning and response.
- Playbook scenarios — incorporate alternate images of adversaries.
- Adapt postures to counter threats.
- Detection, protection, and tracking.
- Deception detection.
- Deterrence, pre-emptions and prevention.
- Develop a deterrent strategy.
- Develop methods of organisational intelligence assessment.
- Deny adversaries achievement of their aims.
- Avoid lengthy mobilisation processes and action indicators with a system and people tailored to the problem.
- Converge resources to save time and reduce response delays, so that you can optimise response actions.
The process that best supports these initiatives is Cyber Threat Intelligence (CTI). This can be described as a function to support the protection of business assets and staff. Additionally, it serves as a preventative function, utilising security operations centre support, triage, and alerts, and as a response function through Incident Response Support.
By developing a talented, capable and ready team of CTI staff you establish a capability to support key areas in your IT department:
- Security Operations Centre
- Incident Response and Digital Forensics
- System Engineering and IT
- Business Operations, and
- Vulnerability and Risk Management.
CTI involves the collection, collation, analysis, and evaluation of information identifying potential adversaries’ intent, motivation, tools, and techniques. Intelligence products are then developed and disseminated to the customer to provide situational awareness, indications, warnings, and alerts.
It does this by collecting and collating internally and externally sourced data feeds and indicators of compromise seen in previous attacks on similar enterprises, to discover the adversaries' tools and techniques. These in turn are used to design risk controls to mitigate foreseeable risks. The product is then available to the customer as threat data feeds, threat indicators, and strategic CTI. The degree of complexity and depth of analysis depends on the customer’s needs and requirements and can be tailored to suit the customer.
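The collection-and-collation step described above is easier to reason about with a concrete pipeline in front of you. The following is an added example, not code from the original article: it merges two constructed indicator feeds (hypothetical sources named `feed_a` and `feed_b`, using documentation-reserved IP ranges and the reserved `.example` domain), normalises defanged values so duplicates across feeds collapse into one indicator with the highest confidence, and then matches the collated set against a handful of constructed DNS, proxy and endpoint log lines to produce a simple product for the response team. All indicators, hosts and log lines are made up for illustration.

```python
"""Collate indicators of compromise from several feeds and match them against
internal logs.  Added example: every feed entry, host and log line below is
constructed (documentation IP ranges, reserved .example TLD), not real data."""
import re
from dataclasses import dataclass, field

# --- Constructed external feeds (hypothetical sources "feed_a" and "feed_b") ---
FEEDS = {
    "feed_a": [
        {"type": "domain", "value": "login-portal[.]example", "confidence": 80, "campaign": "invoice-phish"},
        {"type": "ipv4", "value": "203.0.113.45", "confidence": 60, "campaign": "invoice-phish"},
        {"type": "sha256", "value": "DEADBEEF" * 8, "confidence": 90, "campaign": "invoice-phish"},
    ],
    "feed_b": [
        # Same domain as feed_a, but not defanged and in a different case.
        {"type": "domain", "value": "LOGIN-PORTAL.example", "confidence": 95, "campaign": "invoice-phish"},
        {"type": "ipv4", "value": "198.51.100.7", "confidence": 70, "campaign": "mass-scanner"},
    ],
}

# --- Constructed internal telemetry (DNS, proxy and endpoint events) ---
LOG_LINES = [
    "2024-05-01T10:02:11Z dns client=10.0.0.21 query=login-portal.example",
    "2024-05-01T10:02:12Z proxy client=10.0.0.21 dst=203.0.113.45 url=http://login-portal.example/inv.pdf",
    "2024-05-01T10:05:00Z proxy client=10.0.0.33 dst=192.0.2.10 url=http://intranet.corp.example/",
    "2024-05-01T10:07:40Z edr host=ws-21 sha256=" + "deadbeef" * 8,
]


@dataclass
class Indicator:
    type: str
    value: str
    confidence: int                      # highest confidence any feed assigned
    sources: set = field(default_factory=set)
    campaigns: set = field(default_factory=set)


def refang(value: str) -> str:
    """Undo common defanging so the same indicator from different feeds compares equal."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").strip().lower()


def collate(feeds: dict) -> dict:
    """Merge feeds into one indicator set keyed by (type, normalised value).
    Duplicates across feeds are merged: max confidence, union of sources and campaigns."""
    merged: dict = {}
    for source, records in feeds.items():
        for rec in records:
            key = (rec["type"], refang(rec["value"]))
            ind = merged.setdefault(key, Indicator(key[0], key[1], 0))
            ind.confidence = max(ind.confidence, rec.get("confidence", 0))
            ind.sources.add(source)
            if rec.get("campaign"):
                ind.campaigns.add(rec["campaign"])
    return merged


# Observable extractors.  Matching whole tokens avoids the substring trap where
# an indicator "10.0.0.2" would appear to match inside "10.0.0.21".
OBSERVABLE_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
}


def match_logs(indicators: dict, log_lines: list) -> list:
    """Return (timestamp, client_or_host, Indicator) for every observable in the logs
    that is present in the collated indicator set, highest confidence first."""
    hits = []
    for line in log_lines:
        lower = line.lower()
        timestamp = lower.split(" ", 1)[0]
        subject = re.search(r"\b(?:client|host)=(\S+)", lower)
        for itype, pattern in OBSERVABLE_PATTERNS.items():
            for observed in pattern.findall(lower):
                ind = indicators.get((itype, observed))
                if ind is not None:
                    hits.append((timestamp, subject.group(1) if subject else "?", ind))
    hits.sort(key=lambda h: h[2].confidence, reverse=True)   # stable sort keeps log order within a tier
    return hits


def affected_by_campaign(hits: list) -> dict:
    """Product for the response team: which internal clients touched which campaign."""
    out: dict = {}
    for _, subject, ind in hits:
        for campaign in ind.campaigns or {"uncategorised"}:
            out.setdefault(campaign, set()).add(subject)
    return out


if __name__ == "__main__":
    inds = collate(FEEDS)
    hits = match_logs(inds, LOG_LINES)
    for ts, who, ind in hits:
        print(f"{ts} {who:10} {ind.type:6} {ind.value} conf={ind.confidence} sources={sorted(ind.sources)}")
    print(affected_by_campaign(hits))
```

Two design points carry over to real pipelines: normalise before you deduplicate (defanging and case differences otherwise inflate your indicator count and hide that two feeds agree), and match on extracted observables rather than raw substrings, so a short indicator cannot fire on a longer, unrelated value in the log.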
Intelligence products support CISOs and IT managers’ decision-making when preparing budgets and prioritising IT security products, new technologies, and staff. It is essential that CTI is communicated in a manner that is understandable by non-technical audiences.
Cyber Threat Intelligence also enables incident response teams to act and move on early clues, to contextualise the problem and thereby validate the threat and its effects before it can advance throughout a network. Furthermore, it fuses into the operating picture of your network infrastructure to highlight new attack surfaces and critical systems that may be at risk of exposure. It supports IT operations, scenario-driven exercise planning and response testing by presenting attack models and predicting the course of action by the threat if it were to evolve and attack one or more network systems and data storage facilities.
In practice, the key to producing and delivering Cyber Threat Intelligence is to know your audience and its specific requirements. Your audience will shape your delivery, as some will have different intelligence needs, and others will require data in different formats. It should be written and presented in a language that allows for ease of interpretation and explanation, and provides insights and context to support control selection and critical decision-making.