Who Should be Using Strategic and Operational Cyber Threat Intelligence

Cyber threat intelligence traditionally has been created for and used by a small group of individuals, many having come out of the US intel community. But with all the buzz around threat intelligence, it’s important for folks to understand the value and use cases that extend well beyond this group. 

Specifically, strategic and operational threat intelligence can and should feed many different security processes and risk management decisions. But threat intel also needs to be tailored to its audience as it means different things to different people, whether it’s on-the-network defenders, Red Teams, threat analysts, risk officers, business executives and Board of Directors, legal, application owners, and so on. 

I’d like to go through some of the key roles that I’ve personally worked with at customer organizations around using cyber threat intelligence, both as a former CISO and now as a vendor.

• Defenders

As I wrote late last year, cyber threat intelligence (CTI) can add a lot of value to your incident response process, from both a proactive and a reactive perspective. Proactively, CTI helps defenders pre-plan for incidents and breaches. By understanding relevant threats and the TTPs used by adversaries, defenders can ensure they have the right plan in place to put into action if necessary. From a reactive perspective, when a breach occurs, defenders have to research and understand what happened - how the attack occurred, what was exploited, what path was taken, how the threat was executed, etc. With CTI, defenders have more context to help answer these types of questions.

• Vulnerability Management Teams

When it comes to vulnerability management, threat intelligence can provide insights into what controls mitigate a specific vulnerability or threat and help you understand if you’re applying the right resources to the right controls. Applying practical, finished threat intelligence to daily cyber security processes will improve decision-making and focus when it comes to vulnerability remediation. 

Personally, I take a zone-based approach where the infrastructure is divided up into zones based on threat exposure. Threat intelligence helps identify what threats are active from what I like to call the “avenue of approach” perspective in regards to the zone you are assessing, and what TTPs those threats are currently leveraging. Vulnerabilities that are used in the avenue of approach should obviously receive a higher priority for remediation. CTI can be used to drive risk impact decision-making around which vulnerabilities should be fixed first.
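To make the zone-based idea concrete, here is an added example (not code from the article or from SurfWatch Labs) that ranks scanner findings by whether they sit in a zone's active avenue of approach. The zone names, exposure weights, TTP labels, threat names, VULN-* ids and the doubling rule are all constructed assumptions, not the author's formula.

```python
from collections import namedtuple

# Constructed data model: Zone.exposure is an assumed weight (3 internet-facing,
# 2 user estate, 1 internal only); Zone.avenue_ttps are the TTPs that can reach the
# zone, i.e. its avenue of approach; Threat.active comes from operational CTI.
Zone = namedtuple("Zone", "name exposure avenue_ttps")
Threat = namedtuple("Threat", "name active ttps exploits")  # exploits: vuln ids used
Vuln = namedtuple("Vuln", "vuln_id zone base_score")       # base_score: scanner, 0-10

def in_avenue_of_approach(vuln, zone, threats):
    """True when an active threat both reaches the zone and exploits this vuln."""
    return any(
        t.active and (t.ttps & zone.avenue_ttps) and vuln.vuln_id in t.exploits
        for t in threats
    )

def prioritize(vulns, zones, threats):
    """Rank vulns by scanner score x zone exposure, doubled when the vuln sits in
    an active avenue of approach (assumed weighting, not the article's formula).
    Returns [(vuln_id, priority, in_avenue), ...], highest priority first."""
    zone_by_name = {z.name: z for z in zones}
    ranked = []
    for v in vulns:
        zone = zone_by_name[v.zone]
        hit = in_avenue_of_approach(v, zone, threats)
        priority = round(v.base_score * zone.exposure * (2 if hit else 1), 1)
        ranked.append((v.vuln_id, priority, hit))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed sample data: zones, currently tracked threats, scanner findings.
ZONES = [
    Zone("dmz", 3, {"exploit-public-app"}),
    Zone("workstations", 2, {"phishing-attachment"}),
    Zone("internal-db", 1, {"lateral-smb"}),
]
THREATS = [
    Threat("crew-alpha", True, {"exploit-public-app"}, {"VULN-A"}),
    Threat("crew-beta", True, {"phishing-attachment"}, {"VULN-D"}),
    Threat("crew-gamma", False, {"lateral-smb"}, {"VULN-E"}),  # dormant: no boost
]
VULNS = [
    Vuln("VULN-A", "dmz", 7.5), Vuln("VULN-B", "internal-db", 9.8),
    Vuln("VULN-C", "dmz", 5.0), Vuln("VULN-D", "workstations", 6.0),
    Vuln("VULN-E", "internal-db", 8.0),
]

if __name__ == "__main__":
    for vuln_id, priority, hit in prioritize(VULNS, ZONES, THREATS):
        print(f"{vuln_id}  priority={priority}  in-active-avenue={hit}")
```

Note how the 9.8 finding on an internal database drops below a 5.0 finding in the DMZ: the ranking follows where active threats can actually reach, not the raw scanner score.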

• Threat Analysts

I know, this one seems a bit obvious, right? But as noted in a previous article, there are different kinds of threat analysts, with different skillsets. The really good threat analysts that I’ve worked with have had both intel and security expertise. Having different levels of threat intelligence at an analyst’s fingertips is useful because they can use it in different ways. Strategic threat intel can help provide the big picture in terms of trends to focus on, based on how others are being impacted by specific threats. Operational intel provides that TTP-level analysis and understanding - what is the path that an adversary is using to gain unauthorized access and execute something malicious?

Analysts should be able to use intel to determine what “opportunities” threats are currently leveraging and how those threats impact the products and services that their organization delivers. As a CISO, one of my main requirements to the team was: “Are we well-positioned from a cyber security perspective, or are we not? If not, why not?” The outputs of this effort should give the decision makers (such as your CISO) a level set on your security hygiene.

• Information Security Management

Cybersecurity groups are generally considered a cost center, and management is typically tasked with squeezing more value out of their budget. Now I’ve seen threat intelligence go in two different directions here. For groups that do not have the expertise in place and start going on a data feed shopping spree, the results are generally not so great: high expense and little value to show for it, because after you buy all that data you still need people and tools to process it and turn that data into insights that you can make decisions against - increasing your hidden cost too. I’ve personally dealt with this when I was a CISO and implemented a heavy GRC solution. Make sure you understand all the costs (in terms of budget and tax on your resources).

On the flip side, we work with companies varying from midsize to enterprise where we either are their threat intel team or are an extension of it, providing analysis and insights specific to their business, supply chain and industry. Without needing to buy more data and more people to process, our customers get practical threat analysis and mitigation recommendations specific to their business, allowing them to focus on the right areas and extend their overall security capability and efficiency.

• C-Suite and BoDs

Business executives and Boards generally do not understand - or even want to understand - the ins and outs of cybersecurity. Details on threats, talking in bits and bytes, will not move the needle with this group. What they care about is managing the risk to their organization. Strategic threat intelligence can help the C-Suite understand the risk generated by a defined threat - what’s the impact, and what resources are needed to bring that risk down to whatever they’ve defined as an acceptable level. Looking at the impact of threats from the perspective of the risk to the organization speaks to C-Suite and BoD concerns because it quantifies threat impact in terms of the impact on the business.

Ultimately, strategic and operational threat intelligence can and should be used by many different roles in your organization to make more informed decisions around risk management, threat prevention and incident response. The key is to figure out how CTI can augment and enhance your existing processes (as opposed to creating an entirely new approach) by giving team members, team leaders and managers better fidelity on what threats the organization faces. In the end, making the organization more defendable is not about how good a decision a CISO makes every day - it’s about team members making sound decisions at every level in the process.

Adam Meyer is Chief Security Strategist at SurfWatch Labs. He has served in leadership positions in the defense, technology, and critical infrastructure sectors for more than 15 years. Prior to joining SurfWatch Labs, he was CISO for the Washington Metropolitan Area Transit Authority. He formerly served as the Director of Information Assurance and Command IA Program Manager for the Naval Air Warfare Center, Naval Air Systems Command, one of the Navy's premier engineering and acquisition commands. Mr. Meyer holds undergraduate and graduate degrees from American Military University and Capitol College.