FireEye Stories

Playing the Shift: How Threat Intelligence Helps Shape Cyber Security Strategy

The 2019 Major League Baseball playoffs are fast approaching and during the regular season we saw even more use of a defensive strategy that began back in the 1920s: teams shifting their typical defensive positions to better defend against specific hitters. Known as "the shift", defenses utilize it by analyzing hitter tendencies, which then allows them to anticipate and align their defense to the area on the field where the ball will most likely be hit. Figure 1 shows the typical baseball defense and an example of a team playing the shift.

Figure 1: A typical baseball defense is shown on the left, and a defense in the shift is shown on the right

What does the shift have to do with cyber threat intelligence (CTI)? In the metaphor, CTI helps organizations understand where the batter is likely to hit the ball. CTI's value proposition is determined by the decisions it helps support, which can allow organizations to anticipate threats on or over the horizon. Whether within the C-suite or the security operations center, understanding why an organization may come into the crosshairs of a certain threat, and how, gives cyber defense teams the ability to understand their readiness and ability to defend.

By studying adversary behavior, we can begin to align our larger cyber security strategy to the relevant threats we may face, while informing our overall cyber risk posture. Put another way, we gain a deeper understanding of the organization’s threat landscape by understanding adversary motivation, capability, and intent. But how do you determine who your adversaries may be? It boils down to understanding what it is that the organization is trying to protect.

Step 1: Are you a target? What do you have that an adversary may want? Is it something that can be monetized? Is it something to advance their objectives?

Step 2: How would an adversary target you to achieve their objective? What vulnerabilities will be exploited? Will they use social engineering against the CEO so he or she will give up their email credentials, or attack the supply chain to disrupt operations or cause reputational harm? Do you know how your digital attack surface appears to attackers and what vulnerabilities exist?

Step 3: Determine your capability to defend, detect, and respond. Are security controls optimally configured to combat relevant threats, and where are there blind spots in either processes or technology? Would you know if you were breached? FireEye’s annual M-Trends report shows the global median dwell time was 55 days from Oct. 1, 2017, to Sept. 30, 2018. That means attackers are operating in environments for approximately two months, on average, before they are detected, which is a marked improvement of almost 50 percent from last year’s report, but still leaves significant time for adversaries to do extreme harm to business and reputation.

Simply having a CTI capability does not make these challenges go away. However, when a capability is holistically designed, it can provide indispensable knowledge to inform strategic, operational and tactical stakeholders across the enterprise. To build and operate a successful and robust CTI capability, consider establishing the expected resulting competencies with stakeholders first. This will be pivotal to ensuring end-state business objectives, goals, and outcomes are clearly identified and agreed upon. A key objective when designing the CTI capability will be to align to a recognized framework, such as the intelligence lifecycle. Doing so will help ensure structured and repeatable processes are employed and will also allow the organization to measure the capability for success. Measuring CTI will allow you to understand not only what you do well, but also where improvements need to be made.

A comprehensive CTI capability will provide support for a wide range of organizational functions, and utilizing a service-provider approach is key to understanding each of their needs (needs = intelligence requirements). A thorough understanding of intelligence requirements supports:

  • Collection Strategy: What intelligence sources will fulfill stakeholder needs? Will the program use paid external sources and open sources, and what internal sources will be used? Where are there gaps?
  • Processing: How will collected data be turned into information and what are the technology requirements?
  • Analysis: Does expertise exist to analyze and interpret information to determine stakeholder courses of action and threat impact?
  • Production: Can finished intelligence products be produced that trace back to stakeholder needs?
  • Dissemination: Have product frequencies and distribution methods been determined with stakeholders?
  • Feedback: How do we know intelligence products are helping our stakeholders make informed decisions to reduce cyber risk across the enterprise?  

CTI offers organizations the opportunity to create a proactive cyber security posture with the ability to provide positive outcomes for the enterprise, including:

  • Understanding who is targeting you and why
  • Knowing what investments you need to make to remain vigilant (people, processes and technology)
  • Effectively scoping incident response investigations
  • Enabling hunting operations to be guided by intelligence
  • Adding context to alerts facilitating effective classification
  • Prioritizing patches based on your unique environment and needs

Baseball teams use the shift defense because they've studied their opponents, and with an increased knowledge of their behavior and tendencies, they are better prepared to defend against them. This captures the core objective of CTI: understanding threats relevant to your organization to better manage cyber risk.

Find out how FireEye Threat Intelligence can help shape your organizational practices based on your organization's unique needs and threat landscape.