Having a solid cyber threat intelligence program in place will be more relevant than ever to organizations in 2021. More businesses are moving online, cybercrime like ransomware continues its meteoric rise, and state-backed advanced persistent threat groups are targeting the weakest links in the hardware and software supply chains to compromise targets downstream.
Such programs are becoming more and more prevalent in both the private and public sectors. In the 2020 version of the annual SANS Cyber Threat Intelligence Survey, which includes responses from hundreds of security professionals drawn from government, cybersecurity and tech companies and the banking and financial industries, about half of respondents reported having a dedicated team of employees focused on CTI. Nearly 61% said they relied on a mix of in-house personnel and third-party providers to fulfill their threat intelligence needs, up from 54% a year ago, while a small slice, about 8%, said a single employee was assigned to the task.
However, despite increased perceptions about the value of cyber threat intelligence, many businesses and industries with less mature security programs still struggle to define what it actually means to them – which capabilities to incorporate, and how to do the ground level planning necessary to support the telemetry and technological tools they put in place.
Alyssa Miller, business information security officer at S&P Global Ratings, told SC Media that organizations who build out their programs from scratch tend to first stumble in two areas that underpin most threat intelligence programs: asset discovery and log management. You can’t monitor your internal telemetry if you don’t know what devices and systems are hooked up to your network. Nor can you meaningfully use that data without some way to monitor and process the avalanche of log data that gets spit out on a daily basis, usually through some form of automation.
“The first day you spin up a network, you have data,” said Miller. “Any smart switch, any firewall, anything you spin up is immediately a source of data for you, and if you don’t have a way to ingest that data and analyze it in some automated fashion…there’s no way that I as a person can go through all the logs [of one asset] every day by myself.”
Todd Fitzgerald, a security expert with 20 years of experience as a chief information security officer and author of the book CISO Compass, was equally direct about the need for automation capabilities in threat intelligence. To wit: most organizations only have the capacity to investigate about 1% of security alerts they receive.
“I’ve talked with some firms who say for any process that’s manual, that takes several days to accomplish, you really need to ask ‘how do we automate this, how do we get this out of our analyst’s hands?’” said Fitzgerald, who now serves as vice president of strategy and chairman of the executive committee at Cybersecurity Collaborative, a network community of CISOs and sister brand of SC Media.
Starting from scratch
The increasing need for cyber threat intelligence is being juiced by a number of recent trends. For one, the COVID-19 pandemic has pushed many brick and mortar businesses with immature IT and security processes online and into the cloud, where they sometimes make mistakes that can leave them victim to criminal hacking groups. Miller said the retail and manufacturing sectors, school systems and organizations in critical infrastructure are all examples of entities that typically struggle to set up effective threat intelligence because IT is not considered core to their business model or mission, though those perceptions are rapidly changing.
“These are markets where they don’t tend to look at [security] as core to their business, and so instead it’s seen as a cost center, something they have to have, but not something that really builds their business,” she said.
Meanwhile Fitzgerald believes the 2017 WannaCry and NotPetya attacks, as well as the rise of the lucrative ransomware industry, has also made cyber threat intelligence more relevant to a wider swath of companies and industries.
“It used to be the question that would always come up with CISOs: ‘who would want my information.’ Now the answer to that is really, ‘everybody,’” he said. “Because it’s not so much that [ransomware groups] want your information, it’s the fact that you want your information and you want your information not to be disclosed to the world, and they know that’s worth something.”
Part of the reason some businesses can struggle to use or incorporate cyber threat intelligence is because the very term itself is somewhat amorphous. While there are certain foundational touchstones, like monitoring one’s own internal telemetry for anomalous or malicious behavior, often the phrase is used as a catch all for a collection of disparate tools, technical processes and analyses that can be used to track and respond to security threats facing an organization.
“Although threat intelligence is being increasingly adopted, there is little consensus on what it actually is, or how to use it,” wrote Wiem Tounsi and Helmi Rais of Alliacom France in a 2017 report and survey on the topic. “Without any real understanding of this need, organizations risk investing large amounts of time and money without solving existing security problems.”
Much of the business world is still grappling with how foundational cybersecurity in general has become to the health and integrity of their operations. Within that larger reality, cyber threat intelligence “is one of the newest and least understood” domains, writes Brian Kime, a senior analyst at the technology research firm Forrester, in a report released in January.
This can be traced back to a variety of root causes, such as a lack of planning and engagement with other stakeholders in the organization to flesh out intelligence requirements, a general disconnect between intelligence producers and c-suite leaders, and an overemphasis on buying and implementing technology without the right people and processes in place to take advantage of them.
In an interview, Kime said good threat intelligence can often be structured around meeting a specific business goal, such as protecting an organization’s brand. From there, it becomes easier to identify which functions and capabilities can best further those larger goals. Often, this approach ends up translating to activities designed to prevent certain scenarios – like a breach of customer data that ends up for sale on the dark web or unknowingly exposing trade secrets to the open internet – that can degrade that brand in the eyes of customers or stakeholders.
Threat intelligence can also serve a number of different tactical, operational and strategic objectives, from day-to-day network protection and incident response to setting the table for larger decisions around security budgets and business operations. Threat modeling, knowing what your organization values and where it fits in the threat actor food chain, is an important foundational step that can inform each of those objectives.
“If you’re a vendor in the defense industrial base, you will likely have some foreign government dorking around in your environment looking for trade secrets, intellectual property and controlled unclassified information,” said Kime. “But if you’re a retailer, if you’re a restaurant group, you’re going to have criminals looking for credentials, payment card information and stuff like that. The threat landscape is what matters here.”
The "why" often matters more than the "how"
Michael Daniel, president and CEO of the Cyber Threat Alliance, told SC Media that many businesses tend to focus on the how of threat intelligence – which new tools, systems or vendors they should buy – without first focusing on the more foundational questions of what, why and who. What aspects of your business, data and IT infrastructure need to be protected? Why are they important to your operations? Who might want to steal from you or disrupt those operations?
“It’s very easy to get distracted by the technology when in fact you actually need to do the hard work of figuring out what information you need to make your decisions,” said Daniel.
For a business to determine which slices they might need requires documentation, gathering intelligence requirements and engaging with various stakeholders throughout the organization. The SANS 2020 survey found some progress along this front, with 43% of respondents reporting that they have taken steps to formally document their intelligence requirements, up from just 30% who said the same a year ago.
Scoping out those requirements in human terms is important. The reality is that while some cybersecurity threats and defensive capabilities are universal, the vast majority of organizations will derive value from just a small fraction of threat intelligence activities.
“My conclusion is that most companies will probably only need a fairly narrow slice of threat intelligence most of the time,” said Daniel. “A smaller subset will have a larger aperture and then your really high-end companies will consume much more, but you’re always going to have that sort of pyramid shape” of threat intelligence needs.
Often the best insights about how to effectively use threat intelligence and tools can be found in house by canvassing different branches of the organization. In addition to the CISO, incident response manager and security operations center, a successful program will also incorporate feedback from not only the C-Suite, but other business units that aren’t focused directly on security, like HR, marketing and sales.
Kime said this approach not only builds a sense of empathy within security leaders that is critical to devising effective threat intelligence strategies, it also reframes the discussion away from dense jargon and towards language and ideas that are more accessible and easily understood by non-technical employees and business units that make up the vast majority of the workforce. So instead of talking about indicators of compromise and intelligence requirements, the focus is on “what do you do for the business, what are your needs? What technology do you use and If I breached this system, what would the effect of that be?” said Kime.
Miller said that while communication is always a two-way street, its largely up to the CISO to set a culture where understanding the larger business motivations is baked into threat operations.
"Certainly there is a level of responsibility at the overall C-Suite to provide some of that business context...but it's really incumbent on the CISO and IT security team to support what they're saying, show where we expect emergency threats to come from, say 'here are the things they're targeting' and why we believe they're targeting that information" she said.