The Role of Cyber Threat Intelligence in Security Operations

Cyber threat intelligence (CTI) and its place within security operations – as well as the broader business – is growing. A recent SANS study found that 93 percent of respondents are at least partially aware of the benefits of cyber threat intelligence. However, only 41 percent have begun to integrate CTI into their security programs and only 27 percent have full integration. While these numbers highlight a trend toward adoption of intelligence-led security programs as a widely accepted best practice, for many companies there is still a long way to go.

Good CTI enables organizations to anticipate, respond to and remediate threats. There is plenty of content out there on what makes for good intelligence; however, organizations cannot rely solely on the content received to drive value across operations. There needs to be a focus on positioning teams for success. Rich contextual intelligence is something that requires some preparation and a base level of capability in order to maximize the value received. Ultimately, it’s not a plug and play type of product.

Organizations should be able to answer three questions to begin establishing the foundation of a cyber threat intelligence capability:

1. What is the organizational mission?

A clear mission statement defines the role the cyber threat intelligence team plays, helps communicate the team's purpose clearly, provides justification for supporting and resourcing the team appropriately, and sets expectations for what the team will deliver.

2. Who is the cyber threat intelligence going to serve?

The key stakeholders, their specific roles within the business, their business concerns and their cyber threat concerns should be understood. This understanding drives which data and observations are collected, how analysis is prioritized, and what intelligence communications are provided to each stakeholder. From a content perspective, understanding how the information will be presented to the stakeholder is just as important. A CISO will certainly be interested in different content than a SOC analyst, though the work of the latter has an impact on content delivered to the former.

3. What is the organization's threat profile?

It is critical to have a baseline understanding of adversaries that may target the organization, their capabilities and their supporting operations. Understanding motives and intent helps to clarify risk and assists in a number of key conversations, such as anticipating threat activity and strategically planning to protect, identify and respond to relevant activity.

Answers to these questions will contribute to forming additional basic components of the program, including definition of intelligence requirements, threat-led communications and establishing intelligence sources. The ability to enhance security operations and deliver value across the organization is predicated upon this basis of understanding. Without these core components, an intelligence program will not function properly regardless of the expertise, process sophistication and advanced technology put in place.

A Lifecycle

After establishing a solid foundation, organizations must focus on program maintenance and upkeep – ensuring that the program put in place is continuously assessed, enhanced and, where necessary, refreshed. Intelligence programs are not “set it and forget it” operations. Consider two factors:

1. Your threat landscape changes…

The threat environment that your organization is exposed to is subject to shifting motivations, intents, capabilities and operations. All of this can impact your risk profile as an organization, which could impact tactical, operational and strategic concerns. Depending on how dramatic the shift, it could even impact the mission of your intelligence function.

2. Your organization changes…

Your organization is in a state of flux as well, with turnover in people and technology. Skillsets and technology can become obsolete. Knowledge of the threat and the ability of processes to efficiently stand up during crisis situations can grow stale.

As a result, we’ve identified a high-level cycle that organizations can follow to help maintain and advance cyber threat intelligence capability.

Assess

Periodically updating your threat profile, as well as assessing your intelligence capabilities, will keep you informed of the changes impacting your program and at what level. For example, a shift in threat actor targeting methodology and tools may result in prioritizing responses to an older malware family if it's being used in campaigns affecting your sector, or your organization specifically.

Expose and Train

Exposing organizational resources to relevant attacker tactics, techniques and procedures will help them stay knowledgeable of threats that relate to their specific roles. More advanced exercises can test processes and cross-team coordination – especially the ability of threat intelligence personnel to effectively serve an investigations or response team – which in turn helps to identify gaps.

Integrate

The results of the two aforementioned activities should be considered in evaluating the current strategic roadmap for the overall intelligence program, making modifications where necessary. This roadmap guides tactical efforts to build and update components within the program, including process, technology and related resources.

This cycle can be applied in an order and at a frequency that makes sense for your organization and its current state.

For a more detailed discussion that further explores the benefits of operationalizing intelligence and what goes into building an intelligence capability to fit your specific organizational needs, registration is available here for our Operationalizing Threat Intelligence webinar on Nov. 17.