No threat actor ever avoided attacking your system because you marked a control as compliant. So why do so many defenders spend so little time understanding the threat?
It's not required
If you are required to perform risk management, then threat analysis is inherent. Many people we talk to in the cybersecurity field place a great deal of emphasis on compliance, and that is fine. They categorize their systems, define control objectives, select and tailor controls, assess their level of compliance. However, as we know, risk is composed of threat (the active component), vulnerability (the passive component), the impact or consequence to the organization, and hopefully a countermeasure or two.
If we are not assessing the likely threat actors most likely to attack us, their likely intentions and capabilities, and their likely attack patterns, then we are only seeing part of the risk picture. The nature of cyber risk is adversarial, whether we are talking about a radical hacktivist who may use us to make a point, or a hurricane that may swamp our data center. If we do not consider the threat actor, when the risk is realized, our lack of visibility will prove that we were never compliant in the first place.
It’s Too Confusing
Having a boss who stays abreast of cyber current events can be almost as stressful as having a boss who is apathetic. Many leaders complain about receiving multiple forwarded news stories about attacks, each with the message, “So what are we doing about this?” The deluge of threat data can overwhelm our decision making causing analysis paralysis.
The answer is to put each piece of open or classified intelligence into context, by asking:
- What are the environmental factors we need to consider, technologically, legally, physically, or in a business context?
- Is this relevant to us? That is, are we the kind of organization this threat actor would target (directly or as collateral damage), and do we even have the type of assets that were targeted? If not, can the attack pattern be easily adapted to target us?
- Is this part of a trend, or is it a one-off? What about this attack is the same as or different from other attacks we have seen? What is the likelihood of seeing it again?
It’s Too Time Consuming
Including threat intelligence analysis as part of a repeatable mature process produces greater “bang for the buck.” Look for a process like the Software Engineering Institute’s Intelligence Preparation for Operational Resilience, which can enable your organization to integrate threat intelligence seamlessly into your risk-management process. One way I found to do this is to designate one or more people competent in risk management to spend a fixed percentage of their time specifically reviewing threat intelligence. Writing this into their position description can help them to see threat intelligence not as a distraction, but as an integral part of how the organization does business. Building a mutual relationship of trust with reliable and trusted intelligence sources will help ensure you spend more time focusing on the threats that are relevant to your organization. As the process matures, you will find you spend less time chasing the news story du jour, and more time making risk-based decisions with greater confidence.
Threat intelligence analysis is not a merely a function that the big name cybersecurity firms and nation-state intelligence agencies perform, but rather a function of a capable risk-management program. Organizations of all stripes benefit by developing this capability, even within the limited resource constraints that are so prevalent today.
Doug Gray is the Senior Cyber Architect for Lunarline, Inc., a Service Disabled Veteran Owned Small Business, FedRAMP-accredited 3PAO, and Software Engineering Institute (SEI), Carnegie Mellon partner. Prior to coming to Lunarline, Doug was a member of the Cyber Risk Management Team at the SEI. An expert in risk and resilience management, Doug is a former Army senior officer with 24 years of organizational leadership experience, and 13 years in IT and cybersecurity leadership. At SEI, Doug developed the Intelligence Preparation for Operational Resilience (IPOR) framework to enable cybersecurity leaders to develop situational awareness. In 2012, Doug led the U.S. Army Command and Control Support Agency to earn recognition as runner-up for the National Security Agency’s prestigious Rowlett Award, which recognizes outstanding organizational excellence in the field of information systems security.