Throughout the past ten years, Mandiant has seen Cyber Threat Intelligence (CTI) go from a bleeding edge capability within sophisticated cyber security programs to a capability that all organizations – of varying sizes and abilities – realize is necessary for the success of their security operations and business objectives. As such, the marketplace has rapidly expanded and this has led to various consumption models, as well as various interpretations as to the value CTI provides within security and business operations.
Despite this, our global consulting experience has shown us that many organizations are only focusing on a small piece of the intelligence value proposition. Some suggest intelligence only holds value when addressing threat activity directly impacting the organization. While intelligence directly relevant to an organization captures part of the value proposition, it misses the larger value of anticipating future threat activity by understanding what is affecting the broader industry and cross-sector, and applying that knowledge to specific organizational concerns. This is how organizations stay ahead of potential threats.
Organizations can overcome these limitations by adopting a requirements-based approach within their CTI program. At a high level, this involves three components:
- An understanding of the threats faced (Threat Profile).
- Defined intelligence consumers and associated needs (Stakeholder Analysis).
- A set of requirements that focus collection, analysis, and dissemination of intelligence throughout the organization (Intelligence Requirements).
The Threat Profile and Stakeholder Analysis enable the organization to derive the Intelligence Requirements. More details can be found in our “The Role of Cyber Threat Intelligence in Security Operations” blog, which directs to our “Operationalizing Threat Intelligence” webinar, and our “Implementing an Intelligence-led Cyber Security Program” blog.
There is no doubt that security organizations can realize CTI value by simply integrating high fidelity indicators to block malicious traffic, or leveraging intelligence to support monitoring, triage, and response efforts. However, this methodology is only reactive and may create a visibility problem because it fails to consider and apply what is learned from activity affecting other organizations and sectors.
Take, for example, the cyber espionage targeting of a human resources firm to harvest personally identifiable information (PII). Espionage actors may be harvesting this sensitive data to build intelligence dossiers that will support future targeting operations. Human resources firms are not the only firms to hold PII, so the question becomes: “Does my company hold the type of information they are going after?” If so, then this is a threat to watch for, even if the organization is not presently being targeted and no other company in its sector is either.
This understanding of why and what the actors are going after can help to anticipate future threat activity. A reactive, company-focused approach often results in ad-hoc and inefficient intelligence consumption. This makes it difficult to understand an event’s broader business implications, to take action on specific targeted threats, and to properly communicate those threats and the potential impact to the broader organization.
A requirements-based approach shifts programs to a more proactive, actor-focused posture, and enables several key functions:
- Planning: What threats does your organization need to be concerned with and why? A good intelligence capability enables the linking of threat context to specific business concerns.
- Identification: In addition to technical integration of indicators to aid in identification, blocking, and analysis, a requirements-based approach enables proactive hunting for relevant threat activity. Without these foundational components, it is not possible to focus hunt strategies. This results in wasted effort on activity that does not present a significant risk within the environment.
- Prioritization and triage: A well-defined threat profile linked to critical business concerns allows the security organization to set guidance for prioritization. This makes identifying events requiring attention and justifying triage efforts far more efficient and predictable. Instead of scrambling to understand what threat a particular alert may represent and the potential impact, guidance is set that enables analysts to determine priority in seconds.
- Communication: Good threat intelligence can be leveraged to communicate threat activity between technical and non-technical teams, including what should be communicated and why, and who it will be communicated to and how.
This does not necessarily preclude the company focus, but makes processes more efficient when the time comes to focus on the company.
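The PII example above and the Prioritization and triage bullet describe the same mechanism from two sides: requirements are derived by intersecting what actors go after with what the business holds, and those requirements then give analysts a pre-set answer for how urgent an alert is. The following is an added illustration of that mechanism, not Mandiant's code or tooling; the actor names, data types, stakeholders and scoring thresholds are constructed sample values chosen for the example.

```python
"""Requirements-based CTI model in miniature: a Threat Profile and a Stakeholder
Analysis are combined into Intelligence Requirements, which are then used to
prioritize alerts. Added illustration; all names below are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class ThreatActor:
    name: str                  # constructed label, not a real tracked group
    motivation: str            # e.g. "espionage", "financial"
    targets_data: set[str]     # data types the actor is known to harvest
    observed_sectors: set[str]  # sectors where targeting has been seen so far


@dataclass
class BusinessConcern:
    name: str
    data_types: set[str]       # data the concern depends on
    stakeholder: str           # who needs intelligence about this concern
    criticality: int           # 1 (low) .. 5 (critical), set by the business


@dataclass
class Requirement:
    actor: str
    concern: str
    stakeholder: str
    shared_data: set[str]
    criticality: int


def derive_requirements(profile, concerns):
    """Threat Profile x Stakeholder Analysis -> Intelligence Requirements.

    An actor becomes a requirement whenever the data it harvests overlaps with
    data a business concern depends on. The actor's observed sectors are
    deliberately NOT a filter: the point of the PII example is to anticipate
    targeting before it reaches our own sector."""
    reqs = []
    for actor in profile:
        for concern in concerns:
            shared = actor.targets_data & concern.data_types
            if shared:
                reqs.append(Requirement(actor.name, concern.name,
                                        concern.stakeholder, shared,
                                        concern.criticality))
    return reqs


def prioritize_alert(alert, requirements):
    """Return (priority, rationale) for an alert using pre-set guidance.

    alert: dict with 'actor' (attributed actor name or None) and
    'data_at_risk' (set of data types the affected system holds)."""
    best = None
    for r in requirements:
        actor_match = alert.get("actor") == r.actor
        data_match = bool(alert.get("data_at_risk", set()) & r.shared_data)
        if not (actor_match or data_match):
            continue
        # Business criticality anchors the score; attribution adds confidence.
        score = r.criticality + (2 if actor_match else 0) + (1 if data_match else 0)
        if best is None or score > best[0]:
            best = (score, r)
    if best is None:
        return ("low", "no link to any intelligence requirement")
    score, r = best
    level = "critical" if score >= 7 else "high" if score >= 5 else "medium"
    return (level, f"matches requirement {r.actor} -> {r.concern}; "
                   f"notify {r.stakeholder}")


# Constructed sample data. Note the organization is in neither sector the
# espionage actor has been seen targeting; the PII overlap alone creates the
# requirement.
SAMPLE_PROFILE = [
    ThreatActor("ESPIONAGE-ACTOR-A", "espionage",
                {"employee_pii", "executive_travel"}, {"human_resources"}),
    ThreatActor("CRIMINAL-ACTOR-B", "financial",
                {"payment_card"}, {"retail"}),
]
SAMPLE_CONCERNS = [
    BusinessConcern("Workforce data protection", {"employee_pii"},
                    "CISO / HR lead", 4),
    BusinessConcern("Product roadmap secrecy", {"design_docs"}, "CTO", 5),
]

if __name__ == "__main__":
    reqs = derive_requirements(SAMPLE_PROFILE, SAMPLE_CONCERNS)
    for r in reqs:
        print(f"Requirement: track {r.actor} because of {r.concern} "
              f"(shared data {sorted(r.shared_data)}), owner {r.stakeholder}")
    for alert in [
        {"actor": "ESPIONAGE-ACTOR-A", "data_at_risk": {"employee_pii"}},
        {"actor": None, "data_at_risk": {"employee_pii"}},
        {"actor": "CRIMINAL-ACTOR-B", "data_at_risk": {"payment_card"}},
    ]:
        print(alert, "->", prioritize_alert(alert, reqs))
```

Two things the run makes visible that the prose only states: the criminal actor produces no requirement because the organization holds no payment card data, so an alert attributed to it is deliberately low priority rather than a scramble; and the "Product roadmap secrecy" concern has no actor in the profile at all, which is exactly the gap a stakeholder analysis should surface as a collection requirement.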
When it comes to intelligence adoption, there is often a perceived value versus actual value dilemma. Perceived intelligence value creates artificial limits to the real value intelligence can provide. Successfully overcoming this requires enterprise teams to demonstrate intelligence value by directly linking into the concerns of individual stakeholders. This is the only way to demonstrate a return on investment. Achieving this is a function of how intelligence is consumed, applied, and disseminated to stakeholders. If not done properly, the value is lost and perception becomes reality. We have seen this occur over the last ten years, and believe the lack of a structured approach is a key reason why intelligence adoption ultimately fails.
CTI is not a plug and play product, and it is not the one solution that will solve all problems. Through increased threat landscape visibility, it makes people, processes and technology more efficient at carrying out the mission of managing cyber risk. However, to begin driving value, it is instrumental to have a strategic foundation in place that enables consumption and application in context that individual stakeholders throughout the organization will understand.
Visit our Cyber Threat Intelligence Services homepage for more information on how Mandiant can help your organization improve its threat intelligence capabilities.