She blinded me with science
“You can’t just go to the shops and buy threat intelligence; it doesn’t come in a box.” This nugget of wisdom comes from Jim Hart, Vice President at AlixPartners LLP in the UK. On first reading this idea is a big “no kidding,” yet many in the security industry still confuse threat intelligence feeds and tools with a threat intelligence program. In fact, “threat intelligence feeds” might be a misnomer in and of themselves, but let’s sidestep that issue for now.
True threat intelligence isn’t a fancy graph or an RSS feed or even a piece of technology on your network. All of these things provide data which inform a threat intelligence capability, but on their own they don’t tell the entire story. “Don’t get me wrong,” says Hart, “threat intelligence feeds or businesses that offer threat intelligence services are all very valuable,” but organizations need to consider more than just the input data. To build or advance an effective threat intelligence capability, Gartner suggests that companies should consider six elements that turn data into intelligence (with the help of a smart threat analyst or team of analysts). Gartner defines threat intelligence as “evidence-based knowledge including context, mechanisms, indicators, implications, and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” A little generic and esoteric, so let’s break it down.
It’s poetry in motion
What is evidence-based knowledge? It is, simply put, verifiable or verified information. Sadly, not everything posted on the web is true (shocking, I know), and organizations can’t take every bit of information at face value.
“Context” means you’ve considered the who, what, where, when, and how. Is it a true threat or just an existing vulnerability? How is it likely to impact your organization (if at all)? Does it even apply to your organization?
The mechanism through which a threat is delivered is an important aspect to consider as well. Warding off potential phishing attacks is different from shutting down malware already present in the system. Organizations nowadays have highly distributed technology environments; knowing where, and when, to focus keeps security and operations teams appropriately focused instead of chasing every potential security issue that may or may not arise.
Finding indicators of compromise is a challenge. With so much data being spit out of SIEMs and security monitoring tools, it’s often messy for organizations to home in on specific indicators across many different attack surfaces. Therefore, indicators cannot be found through automated means alone; behavioral analysis and a skilled analyst who understands the environment, assets, and relevancy are required.
Hart says understanding implications of a threat is “rarely done.” He continues, “A business might have looked at its assets from a business continuity perspective, but not enough businesses have actually determined the impact of data loss or general ‘compromise.’” And what is the purpose of maintaining a threat intelligence capability if not to understand how a threat (or threats) will affect the organization?
As deep as any ocean
For any threat intelligence to be valuable, it needs to be actionable. “Actionable” is an over-used term in cybersecurity, but too often “actionable” is meant to imply that someone in the company—IT, security, operations, finance, HR, etc., anyone, really—“can” take action. What “actionable” should mean, though, is that when interesting information has been found, not only “can” someone take action on the potential threat, but that person or team has been identified and a plan is being, or will be, drawn up. To illustrate, any number of individuals can hike Mt. Kilimanjaro. Many, many people, though, don’t have the intent, won’t (want to) do the requisite training, and may not want or be able to afford to fly to Tanzania. With threat intelligence, a fully formed plan doesn’t have to pop out of the woodwork the second a threat is identified, but some individual or team must be available to and capable of handling issues as they arise. Hart says this is the hardest part of threat intelligence because it “involves getting the other parts of the organisation to work closely with you and to become responsive. So often in businesses there is still a disconnect between the ‘security’ department and the ‘rest of the business.’”
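To make the indicator and actionable-advice points above concrete, here is an added example (not from the article or from AlixPartners) of what the jump from feed data to intelligence looks like in code. A feed indicator that never appears in your own logs is dropped as mere data; one that does is attached to its evidence, the affected asset, the delivery mechanism, an implication, and a named owner who will act. The feed entries, log lines, asset inventory and owner names are all constructed for the illustration.

```python
"""Turn raw indicator-feed entries into contextualised, actionable records.

Added illustration only. FEED, LOGS and ASSETS are constructed sample data,
not real indicators, hosts or teams.
"""
import re
from dataclasses import dataclass

# Constructed feed entries: the indicator value and the mechanism the feed claims.
FEED = [
    {"indicator": "203.0.113.10", "type": "ipv4", "mechanism": "c2-beacon"},
    {"indicator": "invoice-update.example", "type": "domain", "mechanism": "phishing"},
    {"indicator": "198.51.100.77", "type": "ipv4", "mechanism": "scanner"},
]

# Constructed SIEM-style proxy and firewall lines from "our" environment.
LOGS = [
    "2024-05-01T09:12:03Z proxy host=ws-fin-07 dst=invoice-update.example action=allow",
    "2024-05-01T09:13:44Z fw src=10.20.0.15 dst=203.0.113.10 dport=443 action=allow",
    "2024-05-01T09:15:01Z fw src=10.30.0.9 dst=198.51.100.77 dport=22 action=deny",
    "2024-05-01T09:16:20Z proxy host=ws-eng-02 dst=cdn.example action=allow",
]

# Constructed asset inventory: how much each host matters and who owns it.
ASSETS = {
    "ws-fin-07": {"criticality": "high", "owner": "finance-it"},
    "10.20.0.15": {"criticality": "high", "owner": "server-ops"},
    "10.30.0.9": {"criticality": "low", "owner": "lab"},
}

SRC_RE = re.compile(r"(?:host|src)=(\S+)")
DST_RE = re.compile(r"dst=(\S+)")
ACTION_RE = re.compile(r"action=(\w+)")


@dataclass
class IntelRecord:
    """One indicator expressed as the six elements the article lists."""
    indicator: str
    mechanism: str
    evidence: list      # the log lines that prove the indicator touched us
    context: dict       # which assets were involved and whether traffic got through
    implication: str    # what it means for the organisation
    action: str         # who does what next
    priority: int       # 1 = act now, 3 = confirm and monitor


def contextualise(feed, logs, assets):
    """Keep only indicators with evidence in our logs and enrich each one."""
    records = []
    for entry in feed:
        hits = [line for line in logs
                if (m := DST_RE.search(line)) and m.group(1) == entry["indicator"]]
        if not hits:
            continue  # no evidence here: feed data, not intelligence for us

        allowed, blocked = [], []
        for line in hits:
            src = SRC_RE.search(line).group(1)
            action = ACTION_RE.search(line).group(1)
            (allowed if action == "allow" else blocked).append(src)

        if allowed:
            # Judge impact by the most critical asset that actually got through.
            worst = max(allowed, key=lambda a: assets.get(a, {}).get("criticality") == "high")
            info = assets.get(worst, {"criticality": "unknown", "owner": "unassigned"})
            implication = (f"{info['criticality']}-criticality asset {worst} reached "
                           f"{entry['mechanism']} infrastructure")
            action = f"{info['owner']}: isolate and investigate {worst}"
            priority = 1 if info["criticality"] == "high" else 2
        else:
            implication = "contact attempted but blocked at the perimeter"
            action = "soc: confirm block rule, no host action"
            priority = 3

        records.append(IntelRecord(entry["indicator"], entry["mechanism"], hits,
                                   {"allowed": allowed, "blocked": blocked},
                                   implication, action, priority))
    return sorted(records, key=lambda r: r.priority)


if __name__ == "__main__":
    for rec in contextualise(FEED, LOGS, ASSETS):
        print(rec.priority, rec.indicator, "->", rec.action)
```

The point of the shape is not the regexes but the drop-through: an indicator without evidence never becomes a record, and a record is only produced once an owner and a next step have been attached. Swapping in a real asset inventory and a real SIEM query is where the analyst's knowledge of the environment, which the article insists on, enters.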
As sweet as any harmony
Setting up a threat intelligence capability or transforming one from a data gathering exercise into something truly helpful to the organization is no small undertaking, by any means. Most importantly, threat intelligence can’t exist just for the sake of existing; threat intelligence should help form a company’s business strategy. If a threat program isn’t situationally aware and doesn’t help business executives develop the roadmap to better products or services, grow the business, and remain profitable, it’s not useful at all. When the threat program is meshed with business goals, however, it can be a very powerful tool that allows the company to travel down the path to success relatively unimpeded (well, at least from a cybersecurity perspective!).