Measuring the value of a cyber threat intelligence (CTI) capability, and communicating that value to executives and colleagues, can be tricky. If an organization has a CTI program and isn’t experiencing many attacks, it’s unclear whether the program is adding any value. If incidents keep popping up despite tremendous efforts to collect massive amounts of threat data, the effectiveness of the CTI program becomes disputable. So how can an organization know whether it is truly taking full advantage of its CTI capability? Here are five ways:
1. Identify Actors
Attacks don’t happen on their own. Behind every cyber attack is a person or a group. Identifying and surfacing these stealthy, hard-to-track actors should be the focal point of any CTI program. First and foremost, organizations should know how many of these actors the CTI program is tracking. Is it only a handful that are relevant to their specific industry, or a broad spectrum of known adversaries selected by motivation and tactics? Having a full understanding of exactly who may be targeting you (and why) is pivotal to any CTI program. Just as important, the capability must be dynamic, since attacker motivations can change overnight depending on what is happening in the world.
2. Observe Attack Patterns
In order to achieve their goals, bad actors use specific tactics, techniques and procedures (TTPs) to trick humans or exploit software. These methods can be broad, such as spray-and-pray phishing, or very targeted and designed for one particular environment. For many organizations, it is useful to describe observed behavior in terms of the tactics and techniques catalogued in the MITRE ATT&CK framework. Teams can map to those techniques the behavior extracted from previous incident response engagements or red team exercises, which gives a common vocabulary for comparing what was seen internally with what intelligence reports about an adversary. A solid CTI capability should also help organizations define which patterns are linked to which specific actors.
3. Expose Vulnerabilities
One of the most common ways attackers get in is by exploiting vulnerabilities. With countless connected systems and applications in use, organizations need to be able to identify vulnerabilities in their infrastructure and determine which matter most, even when no known exploit exists yet. A strong CTI capability helps by enabling teams to identify the vulnerabilities that attackers are actually exploiting, so that patching effort goes first to the flaws with real-world attack prevalence rather than to the longest list. Tracking enterprise-specific vulnerabilities by related attack prevalence remains a tangible aspect of a CTI program and can very easily be communicated to executive management to demonstrate success.
4. Scan for Malware
For threat actors, malware is the tool of the trade. With the right insight into the current state of malware, organizations can remain proactive by implementing protections against specific threats and identifying the systems most likely to be affected. When an attack does occur, many solutions (endpoint security, intrusion detection systems, etc.) will report a malware family name, and a solid CTI capability will offer additional context on that threat, such as the actors known to use it and the behavior to expect, enabling easier investigation and response. The bottom line: providing analysts with intelligence on malware and enabling them to track malware campaigns more easily shows the true depth of a CTI program.
5. Capture IOCs
When threat actors strike, they leave traces behind that can be captured as indicators of compromise, or IOCs. These observables include information such as file hashes, IP addresses and domain names, and they can be shared in a structured format such as STIX or encoded as detection rules such as YARA. Solutions such as SIEMs, EDRs, network traffic analytics or SOAR (security orchestration, automation and response) platforms are better suited to detection and investigation at scale than manual review, and they reduce the human error involved in interpreting the data. A strong CTI program can produce daily or hourly lists that raise the quality of an organization’s security analytics arsenal, provided those lists are kept current: an indicator that has expired or been revoked should stop matching, or the feed becomes a source of false positives rather than detections. The ultimate goal is to increase the quality of detection and reduce unnecessary downtime.
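To make the IOC step concrete, here is an added example (not code from the original post or from FireEye) that loads a small STIX 2.1 bundle, turns the indicator patterns into a lookup index while dropping expired or revoked indicators, and then scans a few constructed log lines for the IPv4 addresses, domain names and SHA-256 hashes they contain. The bundle, the indicator IDs, the IPs and domains (documentation ranges and example.* names), and the log lines are all constructed for this illustration; the only hash used is the well-known SHA-256 of an empty file.

```python
"""Index STIX 2.1 indicator patterns and match them against log lines.

Constructed example: the bundle, indicator IDs, addresses, domains and log
lines below are test data, not real threat intelligence.
"""
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle. Indicator 5 is expired and must not fire.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--7f6a3f4e-0c0e-4d3b-9a1e-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--7f6a3f4e-0c0e-4d3b-9a1e-000000000002",
         "valid_from": "2020-05-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--7f6a3f4e-0c0e-4d3b-9a1e-000000000003",
         "valid_from": "2020-05-01T00:00:00Z",
         "pattern": "[domain-name:value = 'update-check.example.net'] "
                    "OR [domain-name:value = 'cdn.example.org']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--7f6a3f4e-0c0e-4d3b-9a1e-000000000004",
         "valid_from": "2020-05-01T00:00:00Z",
         # SHA-256 of an empty file, used here only as a test value
         "pattern": "[file:hashes.'SHA-256' = "
                    "'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--7f6a3f4e-0c0e-4d3b-9a1e-000000000005",
         "valid_from": "2019-01-01T00:00:00Z",
         "valid_until": "2019-06-01T00:00:00Z",   # expired before NOW
         "pattern": "[ipv4-addr:value = '203.0.113.9']"},
    ],
})

# Constructed log lines (proxy, EDR, DNS) to scan.
SAMPLE_LOGS = [
    "2020-06-01T10:02:11Z proxy src=10.0.0.5 dst=198.51.100.23 host=update-check.example.net status=200",
    "2020-06-01T10:03:40Z edr host=WS-0142 event=process_start "
    "sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2020-06-01T10:04:02Z dns query=CDN.EXAMPLE.ORG. answer=203.0.113.9",
    "2020-06-01T10:05:30Z proxy src=10.0.0.7 dst=192.0.2.44 host=www.example.com status=304",
]

# Point in time at which the indicators are evaluated (constructed).
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)

# One "object-type:property = 'value'" comparison inside a STIX pattern.
# Only the simple equality form is handled; boolean operators are ignored,
# so "[a] OR [b]" yields both observables, which is what a watchlist wants.
_COMPARISON = re.compile(r"(?P<type>[a-z0-9-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']*)'")

# Observable kinds this scanner knows how to find in logs.
_KINDS = {
    ("ipv4-addr", "value"): "ipv4",
    ("domain-name", "value"): "domain",
    ("file", "hashes.'SHA-256'"): "sha256",
}

# Tokenizers for the same kinds in free-text log lines. The domain regex
# also matches things like "svc.exe"; harmless, since they are only looked up.
_OBSERVABLES = {
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def _ts(stamp):
    """Parse a STIX timestamp ('...Z') into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def _norm(value):
    """Case-fold and drop a trailing DNS dot so feed and log values compare equal."""
    return value.lower().rstrip(".")


def load_indicators(bundle_json, now):
    """Return {kind: {normalized_value: indicator_id}} for indicators valid at `now`."""
    index = {kind: {} for kind in set(_KINDS.values())}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # e.g. a YARA or Snort pattern: not a lookup list
        if _ts(obj["valid_from"]) > now:
            continue
        if obj.get("valid_until") and _ts(obj["valid_until"]) <= now:
            continue  # stale IOC: expired feed entries are a classic false-positive source
        for m in _COMPARISON.finditer(obj["pattern"]):
            kind = _KINDS.get((m["type"], m["prop"]))
            if kind is not None:
                index[kind][_norm(m["value"])] = obj["id"]
    return index


def scan_logs(lines, index):
    """Return (line_no, kind, value, indicator_id) for every IOC hit in `lines`."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, rx in _OBSERVABLES.items():
            for tok in rx.findall(line):
                ioc = index[kind].get(_norm(tok))
                if ioc:
                    hits.append((n, kind, _norm(tok), ioc))
    return hits


def run_example():
    """Index the constructed bundle as of NOW and scan the constructed logs."""
    return scan_logs(SAMPLE_LOGS, load_indicators(STIX_BUNDLE, NOW))


if __name__ == "__main__":
    for hit in run_example():
        print("line %d: %s %s matched %s" % hit)
```

Run as-is, the script reports four hits: the IP and the domain on the proxy line, the hash on the EDR line, and the second domain from the `OR` pattern on the DNS line (matched despite the different case and the trailing dot). The address `203.0.113.9` is present in both the feed and the logs but does not fire, because its indicator expired before the evaluation time; that expiry check is the part most ad hoc watchlist scripts forget.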
Wrapping Things Up
In many security organizations, cyber threat intelligence programs have operated out of sight for years or have become purely tactical in nature (i.e., IP and file watchlists). But CTI has an important role, from fighting non-commodity attacks to understanding the impact of more mainstream campaigns such as ransomware. Part of measuring the value of a CTI program is understanding whether security teams are taking full advantage of every component. Only then will security teams be able to act faster and reduce the organization’s risk.
We will be covering all this and more at the FireEye Virtual Summit during our session, “C-Suite Conversations: The Value of Threat Intelligence,” on June 11 at 12 pm PT. Head over to our FireEye Virtual Summit page for more details on the event and to register for more sessions.