In my previous SecurityWeek article, we looked at what type of cyber threat intelligence analyst makes sense for your business. Analyst expertise can span a wide range of business, technical and security-related areas and the outputs that analysts provide can vary greatly based on business need.
Aaron Bay, chief analyst at SurfWatch Labs, summed it up: “Being a threat analyst often requires being a chameleon or wearing many hats. You need to be able to understand the technical side of security, navigate among the various hacker and cybercrime forums on the dark web, understand business risk, and then distill all of that information into valuable intelligence that can be easily understood by business executives.”
Analysts vs. Defenders
One key distinction needs to be made when talking about threat intelligence analysts. They should not be confused with defenders working in the Security Operations Center (SOC). Personnel within the SOC are consumers of tactical intelligence, using that intel to improve their primary goal of network defense. SOC defenders are not intelligence analysts. They are not focused on the intelligence lifecycle including collection, analysis and delivery.
Intelligence analysts serve multiple purposes and different constituents. One analyst or team of analysts must focus on operations, reporting up to the CISO and translating tactical intelligence up to a more operational level. Another analyst or team must focus on strategy, correlating cyber risks with their impact on the business. This group of analysts delivers to senior leaders, the CEO, and the board.
Whatever type of analysis you want and wherever your analysts are focused, the first thing you really need to do when it comes to your intelligence operation is to determine your priorities around intelligence.
Establishing Your Threat Intelligence Strategy
I am a practical guy. I like to take best practices, pluck out the good stuff, leave the fluff and theory, and place more effort into making things happen. What is rarely, if ever, touched on is an organization’s overall threat intelligence strategy. For short, let’s just call it “The Plan”.
Whenever I am working with a new customer it is one of the first areas I target. I ask them who the intelligence is for/who will use it, if they have a collection plan, and if they have collection gaps within that plan that they are looking at us to fill… i.e. what finished intelligence product are you looking to produce? Unfortunately, a majority of the time there is no plan, no rhyme or reason – they just want more “insight”.
“The Plan” should have two main components, a collection plan and a management plan.
1. The Collection Plan – This is where “The What” is defined, based on the needs of the decision makers. As mentioned in the past, there are typically three categories of CTI – Tactical, Operational, and Strategic. Each CTI category would have different criteria around collection needs as they have different decision makers consuming the finished intelligence. Items in the Collection Plan should include:
• Requirements:
– Who are the decision makers (anyone who decides a course of action for their area of responsibility)?
– Has the decision makers’ intent been defined?
– What concerns do they have and where is there a lack of insight?
• Priorities/Inventory of Needs:
– Which requirements carry the most weight?
– Which higher-level requirements are dependent on lower-level data collection?
• Sources:
– What are your threat intelligence data sources? Internal? External? OSINT? Dark Web?
– What is the quality of the data? How accurate/reliable is it?
– How relevant is the threat intel data to the decision makers?
2. The Management Plan – Threat intelligence is a continuous lifecycle that requires people, process and technology working together in order for it to run. Intelligence is not just a feed or a tool on its own. Intelligence also is not a project. It is a capability that needs to be run like a program and requires resource management just like any other capability. The Management Plan focuses on “The How” and should consist of:
• Assets/Resources:
– People – Are they “Defenders” or “Analysts”?
– Tools – Raw data vs. evaluated intelligence, collaboration space, knowledge bases, etc.
• Requests/Tasks:
– The process by which decision makers task or make intelligence requests to a functional intelligence team
• Deterrents/Obstacles:
– Is there a capability gap?
– Do you lack visibility into a certain area?
• Feedback Loop:
– Are requirements being satisfied?
– Are finished intelligence products timely, accurate and relevant?
– Are finished intelligence products critical to the decision-making efforts?
The bottom line here is this: “The Plan” should help you define why you are doing what you are doing from an intelligence perspective. You should not be consuming sources of information unless they are supporting a collection requirement and you should not be spending effort on data collection unless there is a requirement from a decision maker.
To sum it all up, threat intelligence is all about reducing uncertainty – moving unknown unknowns up the chain to known knowns. This covers a wide span and as such the intelligence function works at different levels, with different goals and continues to evolve.