Generally speaking, cyber security’s focus has been on detect-and-respond approaches. In the 2016 DBIR published by Verizon, the reported time for adversaries to get in and out of your network is measured in minutes (or seconds), whereas the time to even identify that you’ve been compromised is measured in days.
To remediate threats, security has traditionally been about blocking and tackling, and there are a ton of tools and services out there for it: firewalls, AV, IPS, endpoint protection, and so on. Motivated cybercriminals are after high-value targets and they often shift their tactics to evade detection – and they’re very good at it. Unfortunately it’s a lot like squeezing a balloon: squeeze one part and another part pops out, and when you go to squeeze that expanded section, the bottom pops out instead.
So while the technical folks are scrambling to block the bad stuff from wreaking havoc, what’s the connection to the things the business traditionally cares about?
Consider the impact of successful (or ineffective) security on the company’s brand and reputation. What’s its impact on your legal and regulatory environment? How does it impact your bottom line? These are big picture questions that cannot be answered or measured by tactical security approaches. But they can be addressed by strategic and operational cyber threat intelligence.
The Threat Intelligence Stack and How it Ties to Your Business
When you look at the typical threat intelligence stack, you usually see discussion around “tactics, techniques and procedures” or “TTPs” and how they relate to the technical aspect of things. What is critically missing from the conversation however is how TTPs relate to risks against your lines of business. Too many organizational defenders are busy protecting an enterprise in the absence of asset priority. They don’t know what makes the organization run, what keeps it profitable, what its keys to growth really look like.
Every product and service your organization delivers depends on technology in some way to be successful. And because organizations continue to treat cyber threats as solely a technology issue and not as a business problem, they likely have little idea how that threat translates into a direct risk to the business unit delivering that product and service. And ultimately, the executive accountable for that product or service likely has little idea if they are well positioned against cyber risk.
To bring clarity to this issue and help your organization reduce uncertainty, each business unit head should start off with this simple question: Are we well-positioned from a cyber security perspective, or are we not? If not, why not? Well-positioned means you know your risks and you have an acceptable level of measures in place to mitigate those risks – ultimately shrinking your exploitable threat surface and being prepared to act swiftly when necessary. It means you are aware of threats to your organization and to what degree those threats can impact a product, service, brand or regulatory posture.
To answer this, you need to peel back the many layers of how your business runs.
If you look at your business unit, what are the products and services that the business unit depends upon? How much does the organization depend on that business unit for revenue? What is that business unit’s strategy? What is its mission or goal? What is the next level it is trying to reach? And then, what is at stake for the organization if that business unit were severely harmed by a cyber threat? This is your threat surface. Are there areas of the business that should receive more resource investment?
If you peel back another layer, you can examine the tools that support the product(s) and/or service(s) that you manage. Look at the infrastructure that supports these tools. Are there specific IT pain points? How is IT supporting the infrastructure? How is that infrastructure maintained? How much of the infrastructure is outsourced, and is the supply chain at risk? And finally, the crown jewels: information, which is what you need to protect and what adversaries are after. What information do you have that would be of value to an adversary? What liability and regulatory impact is there if they gain access to that information? How would brand and reputation be impacted if the information is compromised?
If you can’t answer these types of questions, start by using collected intelligence and eliminating the noise. As you think about the different types of intelligence that can be collected, know that each has a different use:
• Tactical intelligence – This is where “on-the-network” actions take place; this intel is specifically for defenders to improve detection and response techniques.
• Operational intelligence – One level up from tactical, this intel focuses on the immediate operating environment and is more adversary-focused.
• Strategic intelligence – For senior management, this intelligence is used to measure cyber risk and to guide proper investment and risk management decisions.
All three types of intelligence help drive decisions and ultimately outcomes, but at different levels within the business. Tactical threat intelligence is where you start implementing within cyber security programs. Strategic and operational threat intelligence are the next steps, where intel moves beyond the tech bubble and into the board room as part of a larger organizational risk discussion.