As a former CISO and as head of an analyst team at a threat intelligence vendor, I’ve written a lot about cyber threat intelligence – what it is/should be, the different types of threat intel (strategic, operational, tactical), raw intelligence versus finished intel, how it can be used, how threat intel fits into your overall cybersecurity program, and so on.
When it comes to intel, there is no “one-size-fits-all” approach that is effective. While cyber threat intelligence has been defined by many practitioners and analysts, there are so many variables involved that threat intelligence really means something different to each organization in terms of their setup, their goals and their expertise.
To try to put this into more real-life context, I thought it would be helpful to simplify all of this down to one question: “what would you ask your threat intelligence analyst?” This can obviously go in a lot of different directions, but that’s the point. This is a question you should think about whether you have an existing threat intel team/operation or are exploring how to establish one.
I’m of the belief that effective threat intelligence requires several key components, including access to threat data, automated processing to quickly filter the data to what is specific and useful to an organization, and human intel experts who can analyze and make meaningful recommendations to an organization on how to mitigate identified risks, and how to best prepare for impending cyber threats.
When it comes to threat intel, many vendors and organizations focus on how much data they have. Now don’t get me wrong, without data you can’t create intel, but data alone is just that – and it does not lead you to smart decisions by itself. Whether you have an in-house team of analysts or outsource this function, your threat intel operation should be capable of a wide range of research, analysis and risk mitigation actions.
I’m a big believer in things that are practical. If your threat intelligence isn’t practical, it’s not really useful. How does threat intelligence solve a problem? Threat intelligence needs to do more than just inform… here are a few examples of practical questions you can ask your threat analyst team:
• Do we have sensitive information on the dark web? If so, what is the information and can you confirm that it is a real risk, i.e. the info stolen/leaked is what it is advertised to be? (Confirmation can really only be done by acquiring at least a sample of that data). And what courses of action should we implement to limit our risk here?
• We’re seeing a spam or phishing campaign that is hitting our company… can you help us pursue a takedown with the appropriate hosting provider?
• We are concerned about a particular IP and a potentially malicious web instance that we’ve seen several times… can you tell us more about these and give us a threat assessment that includes TTPs along with the potential impact to our company, and also provide us with specific guidance on how to address that threat before it becomes a serious problem for the organization? Do we have the right capabilities in place against current threat scenarios? If not, where/how should we pivot?
• We need to explain to our executive team how we are positioned from a cyber risk perspective… Can you help me determine if we are well positioned for current cyber risks and provide findings in an executive-level format that is easy to understand?
• We’d like to understand the threat landscape targeting our industry… what does that look like, how has it evolved and what actions should we be taking? Who in our industry is feeling the pain? What have been the outcomes?
The above examples and many others all tie into what I wrote about in my last few articles – threat intelligence playbooks, which can provide you with essentially a script to run based on a cybersecurity event. They include up-to-date research and analysis and tie into an organization’s ecosystem and processes to ensure the fast deployment of effective countermeasures.
Your threat analyst team should also be updating these playbooks as necessary because as we all know, cyber threats and cybersecurity are dynamic. So whether you have an existing threat intelligence operation or are looking to establish one, keep in mind the importance of having not only breadth and depth of threat data, but how quickly that data can be turned into intel and the threat intel analyst skillset that you have at your disposal.
As I have stated in the past, at the end of the day, whatever your cyber threat intelligence plan and process is, it should drive faster and smarter decisions that minimize your risk exposure. If it’s not aiding this goal, then it’s time to stop and think through what needs to change in order for the intel to make your business safer. A good first step is to simply start asking the right questions.