Threat intelligence is critical for compliance personnel to justify budgets for governance, risk and compliance (GRC)
It is estimated that compliance drives 50% of the spend in the cybersecurity industry. Recently, some of our customer, defender-side colleagues indicated that threat intelligence was not typically considered within compliance frameworks. The main reason for this was noisy data feeds, a lack of identifiable metrics, and the lack of actionable intelligence related to the customer’s pain points.
Using the NIST Framework, organizations assess their current security posture, agree to organizational goals, understand their gaps and develop plans to optimize their security posture. We used this framework to show how threat intelligence is critical for compliance personnel to justify budgets for governance, risk and compliance (GRC) and how it is also important for CISOs and security practitioners responsible for incident response, security operations, and third-party risk. This column is the first in a two part series and will focus on the NIST frameworks for “identify”.
IDENTIFY
Asset Management
1) ID.AM-4: External information systems are cataloged. Service providers continuously monitor external digital footprints, identifying new assets and new services. Open RDP ports, shadow IT devices operating outside of firewall policy and unauthorized file shares communicating with your environment are three of the most common use cases for monitoring the perimeter, or external attack surface management.
Risk Assessment
2) ID.RA-1: Asset vulnerabilities are identified and documented. While this sub-category is generally intended for internal assets being monitored for misconfiguration, external assets also need to be continuously monitored and assessed to identify vulnerabilities and determine the probability of an actor exploiting those vulnerabilities.
3) ID.RA-2: Cyber threat intelligence is received from information-sharing forums and sources. Threat intelligence and managed service providers can use access to the dark web and open-source forums, including social media, to collect information about potential threats. This is typically done by crawling the web to identify stolen credentials on the darkweb, find social media impersonations, assess physical threats to personnel or facilities, identify negative brand and reputation sentiment and, if necessary, engage directly with threat actors.
4) ID.RA-3: Threats, both internal and external, are identified and documented. External threats could range from ransomware groups targeting an organization to cyber criminals selling access to an organization’s data. Intelligence providers can assist with potential insider threats by monitoring externally for malicious activity (e.g. employees selling access or data on criminal forums) and unauthorized file sharing.
5) ID.RA-4: Potential business impacts and likelihoods are identified. Intelligence can identify the likelihood of external threat activity and provide context. For example, context can be provided around specific ransomware families and determine if detection tools can identify their payloads short of encrypting files. This context can be considered in the overall business impact analysis.
6) ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk. Threats, vulnerabilities, and likelihood of threats can be included in threat landscape assessments to help determine the overall risk to businesses. For example, a threat landscape should cover global geopolitical activity focused on an enterprise’s business locations. Of particular interest is activity involving cyber, physical, insider, crypto/digital and supply chain threats related to critical vendors. The intelligence goal is to identify current and escalating threats so leaders can adapt as threats change.
Supply Chain Management
7) ID.SC-2: Suppliers and third-party partners are identified, prioritized, and assessed using a cyber supply chain risk assessment process. Threat intelligence providers monitor the internet using attack surface and reputation monitoring tools for critical suppliers. After ranking suppliers high, medium and low, an enterprise should conduct threat intelligence monitoring and RFI responses for critical suppliers where data and services reside outside of an enterprise’s perimeter (ex. MSPs) and could present a higher probability of compromise.
8) ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluation to confirm they are meeting their contractual obligations. Ideally, threat intelligence providers and managed service providers would continuously monitor the internet to ensure that audits, test results and questionnaires are valid. Vendor questionnaires should be considered a starting point in third party risk assessment for legal and compliance purposes. However, these questionnaires should be validated and contextualized with threat intelligence, particularly for high risk vendors.
As discussed, enhancing cybersecurity and compliance programs with actionable intelligence that complements and adds insight can easily justify the investment and growth of threat intelligence programs. It is a valuable approach that should be employed by more enterprise organizations.
The next article in this series will focus on how to mold threat intelligence to conform with the NIST cybersecurity framework sub-categories “Protect”, “Detect”, and “Respond”.