Implementing an Intelligence-led Cyber Security Program

Through Mandiant’s numerous global consulting engagements, we have had the opportunity to see countless cyber security programs of all shapes and sizes. One consistent takeaway from these engagements is the need and desire to develop or enhance integration of cyber threat intelligence (CTI) – not just into cyber security programs, but also into an organization’s larger operational risk practices.

CTI is more than just raw data and information being collected from various internal or external sources. As Gartner puts it, “Threat Intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

A key point from this definition is that CTI provides the ability to “inform decisions” across the entire organization. It’s important to understand that CTI offers a mechanism to proactively reduce risk by fully understanding an adversary and its capabilities.

But what exactly does it mean to have an intelligence-led cyber security program? An intelligence-led approach will enable organizations to:

  • Anticipate, identify and prioritize active and nascent threats to reduce exposure and adapt defenses.
  • Inform organizational risk functions by determining adversary motivation, capability and intent.
  • Contextualize and communicate cyber threats across business operations, providing decision advantage to organizational leadership as well as the “conventional” operational cyber security stakeholders.
  • Align security capabilities and resources appropriately based on the most relevant and impactful threats that are targeting the organization.

Let’s put these points into perspective by asking the following questions:

A. How often has the organization responded to an incident with limited understanding of threat actor motivations and their tactics, techniques and procedures (TTPs)?

B. Can the organization connect an incident to specific threat actors and campaigns?

C. Can real versus perceived threats be validated and prioritized based on the level of risk they pose?

D. Can security issues be translated to business language that executives can understand and act on?

E. Are CTI products used to help achieve acceptable cyber hygiene levels?

F. Are architecture changes prompted based on operational threat data correlation?

G. Does an intelligence knowledge base exist with custom analysis to help incident responders quickly answer who/what/why/when/how questions about threats?

H. How many reports have been written that supported a business decision?

If an organization has difficulty answering these questions on a consistent and repeatable basis, it may indicate an intelligence gap or an underutilized function. Reliable, actionable and context-rich threat intelligence can better inform key decision makers in the organization, including security operations center analysts, incident responders and executive leaders.

For an organization to build or realize this intelligence-led capability, there are some key program elements to consider:

1.  Organizational Threat Profile: A periodically updated baseline threat profile is an effective way to maintain consistent situational awareness on threats, vulnerabilities and risks facing the organization, while also capturing essential environmental, business and operational information. Understanding the organization’s threat profile will help ensure focused security operations, cyber threat intelligence capabilities and other risk management functions.

2.  Stakeholder Analysis: Understanding how CTI products and services can or will be consumed in order to provide relevant and actionable intelligence is pivotal. To meet changing business demands, this process should be reviewed regularly and include a feedback mechanism to ensure stakeholder needs are being addressed. Consider the process shown in Figure 1.

Figure 1: A Cyclical Stakeholder Analysis Sub-Process

3.  Intelligence Requirements: Each intelligence requirement should trace to a specific business or operational need, and must be explicit so that analysts and stakeholders understand what threat, impact or issue it is meant to address. Understanding the organization’s threat profile and the threats or adversaries that may directly or indirectly target the business is key to developing effective intelligence requirements.

Effective threat intelligence capabilities can transform existing security technologies, expertise and processes to reduce exposure and risk to critical business functions and services. By implementing the people, processes and technologies required for an intelligence-led cyber security program, organizations are able to consume, interpret and apply CTI to protect information, systems and the overall business from the threats that matter most.

Visit our Cyber Threat Intelligence Services homepage for more information on how to improve threat intelligence capabilities.