Posted November 9, 2016
Recently, I had the opportunity to present on Building Successful Threat Intelligence Programs at the CISOPlatform conference in Goa, India. The conference brought together security professionals from across India and further afield. I appreciated the opportunity to share LookingGlass’ insights and to discuss with like-minded professionals the importance of Threat Intelligence for successful risk management.
LookingGlass has many years of experience building, refining, and operationalizing threat intelligence software that is used by clients globally. My presentation at the conference built upon this know-how and I wanted to share five proven ways you can build successful Threat Intelligence programs.
Insight #1: Data is not Intelligence
A Threat Intelligence (TI) program does not just happen without conscious and thorough planning. One of the foundational aspects that all TI programs must understand and take to heart is that intelligence is data that has been refined, analyzed, or processed such that it is:
- Relevant: The information must relate to, or at least potentially relate to, your enterprise, industry, networks, and/or objectives.
- Actionable: It must be specific enough to prompt some type of response, change, action or decision, or inform an explicit decision not to act.
- Valuable: Even if relevant and actionable, if the data (and the action) do not contribute to a useful business outcome, it bears no value.
It is important that security professionals know how to discover relevant, actionable, and valuable intelligence. Below, we list out some best practices when employing a threat intelligence program.
Insight #2: Threat Intelligence may apply broadly to your organization’s business practices
Many security professionals are focused on securing the networks or systems they are employed to protect. However, when justifying the investment required for a Threat Intelligence program, they should consider the broader impact that TI has across the entire business.
Threat Intelligence should allow you to protect your business interests across a wide variety of areas, including:
- Data: Allows you to protect intellectual property against unauthorized disclosure as well as worms, viruses, malware, etc.
- People: Allows you to understand social engineering, executive threats, and human resource threats.
- Assets: Allows you to protect physical facilities and other brick-and-mortar presence.
- Brand: Allows you to protect against rogue mobile applications, trademark violations, etc.
- Revenue: Allows you to protect revenue streams. Ultimately, any threat that is successful on your network or physical assets has the potential to negatively impact revenue.
Insight #3: While determining Threat Intelligence program requirements, consider all of the departments within your organization that can leverage these programs
Traditionally, the Information Security and Cyber Threat teams are directly impacted by Threat Intelligence programs that secure the systems for which they are responsible.
However, Threat Intelligence programs impact many other organizational functions, though it may often not be immediately obvious. These can include:
- Physical Security
- Marketing & Brand
- Human Resources
Insight #4: Imagine the complete Threat Intelligence Program and build towards it incrementally
The complete Threat Intelligence program process typically looks similar to the above diagram.
Let me walk you through the steps in the diagram, as they are essential to building a successful Threat Intelligence program:
- Information Requirements: One of the most critical steps is to determine what information must be gathered and the outcomes expected once this information has been processed into actionable intelligence. Consider all of the different forms of data that will be collected across cyber, physical, brand, phishing, etc. The key is to start small and focused, and then expand once you’ve established successful metrics for that set of initial data.
- Task Collection Systems: Taking the requirements of data collection, configure and set up software (and possibly human collection) to collect data that will be leveraged by the subsequent elements within the threat intelligence program.
- Collect Data: Explicitly collect the data from all the sources provisioned as part of tasking the collection systems.
- Vetting/Exploitation: Review and filter the collected data. This may allow significant data reduction, so that only the data that matters is passed on to the next step, analysis.
- Analysis: Analyze and correlate the raw threat data turning it into relevant threat intelligence. Identify threat responses such as reports or threat mitigation actions such as blocking domain names or IPs within firewall rule sets.
- Production: Create the reports and rule updates based on the analysis.
- Dissemination: Distribute the intelligence reports or mitigation actions to the relevant teams.
- Take Action: Take the mitigation actions as identified by the analysis and production steps.
- Repeat: Based on metrics and reports, refine and improve the data, process, and tools.
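The vetting, analysis, and production steps above can be sketched in a few lines of Python. This is an added example, not LookingGlass code; the feed records, source names, allowlist, log sightings, and thresholds are all constructed assumptions.

```python
import ipaddress
from datetime import date
# Constructed sample data (documentation addresses and names); not from the original post.
TODAY = date(2016, 11, 9)
RAW_FEED = [  # (indicator, type, source, last seen)
    ("203.0.113.7", "ip", "feed-a", date(2016, 11, 8)),
    ("203.0.113.7", "ip", "feed-b", date(2016, 11, 7)),            # duplicate, second source
    ("10.1.2.3", "ip", "feed-a", date(2016, 11, 8)),               # internal address
    ("999.1.1.1", "ip", "feed-b", date(2016, 11, 8)),              # malformed
    ("login.example.net", "domain", "feed-a", date(2016, 11, 6)),
    ("old.example.org", "domain", "feed-b", date(2016, 6, 1)),     # stale
    ("www.example.com", "domain", "feed-b", date(2016, 11, 8)),    # our own site
    ("198.51.100.9", "ip", "feed-a", date(2016, 11, 8)),           # single source, never seen locally
]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OWN_DOMAINS = {"example.com"}             # assumed allowlist of our own infrastructure
SEEN_IN_OUR_LOGS = {"login.example.net"}  # assumed destinations found in our proxy/DNS logs

def vet(records, max_age_days=30):
    """Vetting: drop stale, malformed, internal and allowlisted indicators."""
    for ioc, kind, source, seen in records:
        if (TODAY - seen).days > max_age_days:
            continue
        if kind == "ip":
            try:
                addr = ipaddress.ip_address(ioc)
            except ValueError:
                continue
            if any(addr in net for net in INTERNAL_NETS):
                continue
        elif any(ioc == d or ioc.endswith("." + d) for d in OWN_DOMAINS):
            continue
        yield ioc, kind, source

def analyze(records):
    """Analysis: merge duplicates, count independent sources, flag local sightings."""
    merged = {}
    for ioc, kind, source in records:
        merged.setdefault(ioc, {"ioc": ioc, "type": kind, "sources": set()})["sources"].add(source)
    for entry in merged.values():
        entry["relevant"] = entry["ioc"] in SEEN_IN_OUR_LOGS
    return list(merged.values())

def produce(entries, min_sources=2):
    """Production: block candidates that were seen locally or are multiply sourced."""
    chosen = [e for e in entries if e["relevant"] or len(e["sources"]) >= min_sources]
    chosen.sort(key=lambda e: (not e["relevant"], e["ioc"]))
    return [(e["type"], e["ioc"]) for e in chosen]

print(produce(analyze(vet(RAW_FEED))))
```

Eight raw records reduce to two block candidates, with the indicator already observed in local logs ranked first; the single-source address with no local sighting is held back rather than blocked.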
Insight #5: Consider all aspects of the program
To ensure project success, you have to consider not only the software that must be created or purchased, but how that software fits into your overall organization. For example, consider the people who will run that software: their goals and expertise, job functions, capability to deliver on the goals the software is helping with, etc.
Here are some aspects to consider:
- Team: Who has to be hired? This includes managers, Tier 1 and Tier 2 level analysts, and how they are organized and located across geographic regions to provide 24×7 support.
We recommend at least one manager and several Tier 1 and Tier 2 analyst level personnel to ensure that you have both sufficient geographic and time zone coverage.
- Roles & Job Functions: What specific team roles need to be filled (i.e., infrastructure, cyber analysts, physical security analysts, brand & reputation specialists, phishing and takedown services, and rogue application analysts)?
Obviously, hiring specialists in all these areas may not be possible, so focus on the skills and expertise that are most relevant to your organization and hire the best skills match.
- Process: How is the data collected? What software must exist to collect it, correlate it, and make it available to analysts in the workflow that is defined to process your Threat Intelligence?
- Tools: Choose software that not only manages data, but also the process, people, and service needs of the TI program in general. Commercial Threat Intelligence Platforms like ScoutPrime can assist with this task. Software functions may include time management of the analyst team and alerting and incident job management scheduling.
- Metrics & Reporting: What reports across the TI program need to be created – including daily, weekly and monthly metrics – to enable the executive team to make timely decisions? Reports that are focused on specific incidents and threats can be passed to other teams (including network and threat mitigation teams).
- Connections: Envision the TI program as a key enabler in a larger security infrastructure, both within the organization and globally. Takedowns are often required and must leverage external assets that will require good relationships with other cyber security personnel to ensure efficient turnaround when necessary.
Threat Intelligence programs combine human and machine systems in a very exciting way. It’s not just an intellectual challenge but a human challenge to build an effective Threat Intelligence program. It requires planning, analysis, execution, and refinement across multiple people, teams, tools, processes, and data.
If you have questions, comments, or would like to share your own experience with Threat Intelligence programs, please reach out to me at @tweet_a_t.