Use Case-Centric Threat Intelligence Requires a Considered Approach

One of the most promising developments I’ve seen in threat intelligence over the last year or so is a greater emphasis on use cases. And it’s easy to see why: A use case-centric threat intelligence strategy, when executed properly, can yield clear and abundant benefits — from better alignment with business objectives, to more efficient resource allocation, to stronger security and reduced risk.

Less promising, however, is what’s often left out of this conversation. Despite ample focus on the fact that use cases are beneficial, there is less discussion of where, how, and which use cases need to be integrated and executed within a threat intelligence operation in order to yield the benefits we keep touting.

And when we don’t pay sufficient attention to these details, it becomes easy to view use cases as a standardized “checkbox” item rather than a strategy that, when tailored appropriately, can help us satisfy the objective(s) of an intelligence operation more efficiently and effectively.

For example, let’s consider a fairly common use case: brand monitoring, which typically entails monitoring various online venues for negative or otherwise notable information related to a company’s brand. This use case is traditionally relegated to brand protection teams, but more organizations are embracing a converged approach that integrates complementary activities and objectives of brand monitoring across brand protection and threat intelligence teams.

Now suppose we have two different threat intelligence practitioners, who we’ll call Jane and John, from two different Fortune 500 banks. Each is involved with brand monitoring, but their approaches to this use case are quite different.

Jane has recently been working alongside the brand protection team to help satisfy the intelligence requirements (IRs) and corresponding collection requirements (CRs) of a new intelligence operation focused on addressing spear phishing attacks targeting the bank’s employees. The majority of phishing emails reported in the last 30 days have sought to distribute banking malware via typosquatted domains designed to mimic the legitimate domain for the bank’s employee login portal. Some of this operation’s IRs and CRs include:

IR 1: What are the typosquatted domains being used in the attacks?

- CR 1.1: Use a domain name permutation engine or similar tool to identify potentially typosquatted domains, as well as their corresponding IP addresses, that could be or have been used in these attacks. 

- CR 1.2: Monitor illicit online communities frequented by threat actors interested in phishing, banking malware, and related cybercrimes for mentions of these potentially typosquatted domains or their IP addresses.

IR 2: How did the threat actors involved in these attacks obtain information about our employees, and what information did they obtain?

- CR 2.1: Monitor illicit online communities frequented by threat actors interested in phishing, banking malware, and related cybercrimes for mentions pertaining to the employees known to have been previously targeted by these attacks.

- CR 2.2: Evaluate network logs for indicators of a potential breach or other compromise that could have exposed employee information.

IR 3: Which types of threat actors are involved in these attacks, and what are their motivations?

- CR 3.1: Monitor illicit online communities frequented by threat actors interested in phishing, banking malware, and related cybercrimes for mentions related to the company, brand, products, or employees.

- CR 3.2: Monitor illicit online communities frequented by threat actors interested in phishing, banking malware, and related cybercrimes for mentions of the banking malware variant(s) involved in these attacks, as well as phishing attacks or tradecraft targeting our industry.

- CR 3.3: Compare signatures from the reported phishing emails to known indicators of compromise (IOCs).
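As an added example (not code from the original column), here is a small domain name permutation engine of the kind CR 1.1 refers to, run over a constructed list of domains seen in reported phishing emails. The legitimate login portal domain and the reported domains are assumed sample values, and the permutation classes are the common ones such tools generate.

```python
"""Typosquat candidate generation and matching for CR 1.1 (constructed example)."""

# Constructed stand-in for the bank's real employee login portal domain.
LEGIT_DOMAIN = "login-examplebank.com"

# Look-alike substitutions a permutation engine typically applies per character.
LOOKALIKES = {"l": "1i", "i": "1l", "o": "0", "e": "3", "a": "4",
              "m": "rn", "n": "m", "b": "d", "g": "q"}

# Alternative TLDs to try in place of the legitimate one.
ALT_TLDS = ("net", "org", "co", "info")


def permutations(domain: str) -> set[str]:
    """Return candidate typosquats of `domain`: character omission, repetition,
    transposition, look-alike substitution, hyphen removal and TLD swap."""
    name, _, tld = domain.rpartition(".")
    cands = set()
    for i, ch in enumerate(name):
        cands.add(name[:i] + name[i + 1:])                  # omission
        cands.add(name[:i] + ch + name[i:])                 # repetition
        if i + 1 < len(name):                               # transposition
            cands.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        for sub in LOOKALIKES.get(ch, ""):                  # look-alike
            cands.add(name[:i] + sub + name[i + 1:])
    cands.add(name.replace("-", ""))                        # hyphen removal
    out = {f"{c}.{tld}" for c in cands if c}
    out |= {f"{name}.{t}" for t in ALT_TLDS if t != tld}    # TLD swap
    out.discard(domain)                                     # never flag the real domain
    return out


def flag_reported(reported: list[str], legit: str = LEGIT_DOMAIN) -> list[str]:
    """Return the reported domains that match a typosquat candidate of `legit`,
    normalised to lower case with any trailing dot removed, in sorted order."""
    cands = permutations(legit)
    normalised = (d.strip().lower().rstrip(".") for d in reported)
    return sorted(d for d in normalised if d in cands)


# Constructed domains extracted from reported phishing emails (sample data).
REPORTED = ["login-examp1ebank.com", "loginexamplebank.com", "LOGIN-examplebank.co",
            "login-exampelbank.com", "mail.examplebank.com", "unrelated-shop.net"]

if __name__ == "__main__":
    for d in flag_reported(REPORTED):
        print("candidate typosquat of", LEGIT_DOMAIN, "->", d)
```

The matched domains (and their resolved IP addresses) are the input CR 1.2 then looks for in the monitored communities; the two unmatched entries show that a legitimate subdomain and an unrelated domain are not flagged.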

These IRs and corresponding CRs include several details that are crucial to consider with respect to the brand monitoring use case. First, notice that while each IR has at least one CR that Jane’s brand monitoring efforts will likely be able to satisfy, certain CRs will require inputs from other types of use cases, such as network log analysis and threat hunting.

Second, the CRs that align with brand monitoring are highly specific and give Jane clear insight into the types of sources she needs to monitor and what she needs to monitor for. And third, since these IRs, CRs, and Jane’s expected contributions are clearly outlined, Jane understands the overall objective of her efforts, how they will support this operation, and how this operation will support her company.

Meanwhile, John’s approach to brand monitoring is less structured because it isn’t dictated by his organization’s IRs, CRs, or any intelligence operation whatsoever. He has been tasked with monitoring any and all sources for any and all disparaging information pertaining to his company’s brand.

John relies entirely on automated alerts he set up 18 months ago (and has not since updated) for a lengthy list of keywords, and as a result, he is regularly inundated with false positives and irrelevant alerts. He assumes that because none of his alerts appear to indicate anything malicious, his company and brand are in the clear and have a very low risk, if any, of being targeted or compromised by threat actors or other cyber activity.

The key difference between these two situations is that Jane employs brand monitoring as a means to help satisfy certain IRs and CRs within a specific intelligence operation, whereas John employs brand monitoring for the sake of employing brand monitoring. Jane’s clear objectives enable her to tailor her approach accordingly and understand exactly what she needs to provide to support her company’s intelligence operation. But since John lacks clear objectives, he’s not entirely sure how his efforts are supporting the company, how well he’s performing, and whether his approach requires any adjustments. As a result, Jane delivers tangible value to her company, whereas John does not.

This example highlights why it’s so important to be considerate and thorough in how we apply — and discuss — use cases. As I mentioned, a use case-centric approach to threat intelligence can yield substantial benefits and is absolutely worth pursuing. It just needs to be pursued properly. Above all else, it’s crucial to remember that use cases are not a checkbox item, are not one-size-fits-all, and should always be viewed as the means through which we achieve an objective — not as an objective in and of themselves.

Josh Lefkowitz is the CEO of Flashpoint, which delivers Business Risk Intelligence (BRI) to empower organizations worldwide with meaningful intelligence and information that combats threats and adversaries. Lefkowitz has worked extensively with authorities to track and analyze terrorist groups. He has also served as a consultant to the FBI's senior management team and worked for a top tier, global investment bank. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.