CYBER THREAT ARTICLE - IS CYBER THREAT INTELLIGENCE NECESSARY?

Is Cyber Threat Intelligence necessary?

Cyber Threat Intelligence (CTI) may seem like a recent development among cybersecurity practitioners, but its concept and uses are as long established as military or business intelligence. Challenged by conflicting demands for resources and effort, organisations worldwide can leverage CTI to develop a proactive cybersecurity posture based on informed decision-making and improved detection of threats. As defined by Gartner, threat intelligence is evidence-based knowledge (e.g., context, mechanisms, indicators, implications and action-oriented advice) about existing or emerging menaces or hazards to assets.

As in warfare, intelligence is key to the successful detection and deterrence of unknown adversaries. Military intelligence uses information collection and analysis approaches to provide guidance and direction that assist decision-making: an assessment of data from a range of sources, directed towards the mission requirements, or gathered as input to operational or campaign planning. Before analysis can take place, information requirements are first identified, and then carried through intelligence collection, analysis and dissemination.

Types of Threat Intelligence

There are a number of service providers offering CTI insights and analysis to companies that are susceptible to cyber threats. Faced with a wide range of risks and dynamic developments in the threat landscape, CTI helps CISOs and IT security teams identify their blind spots quickly and assess the readiness of their protective measures and defence mechanisms. Aggregated findings on threat patterns, especially when segmented by industry, raise the credibility and robustness of in-house cybersecurity assessments when the Board and management ask for relevant data. Threat intelligence is commonly grouped into three types, Tactical, Operational and Strategic, and organisations may focus on all three or only on those that serve their business purposes:

  1. Tactical Cyber Threat Intelligence analyses interactions between the technology environment and threats, and is typically used to assist in the mitigation of active or expected threats, such as a malicious domain name or a phishing campaign. Of the three types it is the easiest to deploy in terms of resources, as it deals with simple indicators of compromise, but those indicators have a very short lifespan: attackers rotate domains, IP addresses and file hashes quickly, so stale indicators must be retired rather than matched forever.

  2. Operational Cyber Threat Intelligence considers the historical capabilities, affiliations and motivations of threat actors, and is used mostly to make resource-allocation decisions around real and perceived threats. It has a longer lifespan than tactical intelligence, as most threat actors do not change the way they operate often or quickly. CTI teams whose mission is to better understand the adversaries behind the attacks will see value in this type of intelligence.

  3. Strategic Cyber Threat Intelligence focuses on the future, including emerging trends, and is used to make longer-term decisions. It tends to be the hardest form to generate, requiring a good understanding of both cybersecurity and the nuances of the world's geopolitical situation during data collection and analysis. For example, state-organised attacks are usually linked to geopolitical conditions, and financially-motivated cybercrime groups continually evolve their techniques to achieve bigger payoffs.
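The tactical layer above is the one that is most readily automated, and also the one where the short lifespan of indicators matters most. The following is an added example written for this article (it is not code from the original text, from AiSP, or from any CTI product): it matches a constructed indicator feed against constructed DNS-resolver log lines, retires indicators once their validity window has passed, drops low-confidence entries, and carries the indicator's source and context into each alert so that the output is more than a bare hit. The feed entries, domain names, log lines, field names and the 14-day window are all hypothetical assumptions.

```python
"""
Added example (not from the original article or any vendor): a minimal
tactical-CTI check. Indicators are matched only while they are within
their validity window and above a confidence threshold, and every alert
carries the indicator's source and context for the analyst.
All feed entries, log lines and field names below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed IOC feed: hypothetical domains, sources and confidence scores.
IOC_FEED = [
    {"indicator": "login-secure-update.example", "type": "domain",
     "first_seen": "2024-03-01T08:00:00Z", "ttl_days": 14,
     "confidence": 80, "source": "phishing-feed-A",
     "context": "credential-phishing kit, targets finance staff"},
    {"indicator": "cdn-static-assets.example", "type": "domain",
     "first_seen": "2024-01-05T12:00:00Z", "ttl_days": 14,
     "confidence": 40, "source": "open-feed-B",
     "context": "reported once, no follow-up"},
]

# Constructed DNS resolver log: "<iso-timestamp> <client-ip> <qname>" per line.
DNS_LOG = """\
2024-03-04T09:12:07Z 10.20.3.15 login-secure-update.example
2024-03-04T09:13:44Z 10.20.3.15 cdn-static-assets.example
2024-03-04T09:15:01Z 10.20.7.2 intranet.corp.example
"""


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form used in the feed and log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def active_indicators(feed, now, min_confidence=50):
    """Return {indicator: record} for IOCs valid at 'now'.

    An indicator is active only between its first_seen time and
    first_seen + ttl_days, and only if its confidence meets the threshold.
    This is what gives tactical indicators their short lifespan in practice.
    """
    active = {}
    for rec in feed:
        first_seen = parse_ts(rec["first_seen"])
        expires = first_seen + timedelta(days=rec["ttl_days"])
        if first_seen <= now <= expires and rec["confidence"] >= min_confidence:
            active[rec["indicator"].lower()] = rec
    return active


def match_dns_log(log_text, feed, min_confidence=50):
    """Match each log line against the indicators active at that line's time.

    Returns a list of alert dicts that include the indicator's source,
    confidence and context, so the analyst receives intelligence rather
    than a bare indicator hit.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        active = active_indicators(feed, parse_ts(ts), min_confidence)
        rec = active.get(qname.lower().rstrip("."))
        if rec:
            alerts.append({
                "time": ts, "client": client, "indicator": qname,
                "source": rec["source"], "confidence": rec["confidence"],
                "context": rec["context"],
            })
    return alerts


if __name__ == "__main__":
    for alert in match_dns_log(DNS_LOG, IOC_FEED):
        print(alert)
```

Run as-is, only the first log line produces an alert: the second domain is in the feed but its 14-day window closed in January and its confidence is below the threshold, so it is correctly ignored. Lowering the threshold alone does not resurrect it, which is the behaviour a tactical feed integration should have; the expiry and confidence policy, not the feed itself, is the analytical step that turns the raw list into something actionable.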

Information is not Intelligence

Raw and unfiltered information that is not actionable is not intelligence; such information needs to be evaluated and interpreted by trained analysts, aggregated from reliable sources and cross-correlated for accuracy. To transform information into intelligence for proper decision-making, organisations can follow the five steps of the intelligence cycle:

  1. Planning and Requirements
    A clear mission, based on your CTI programme's requirements, sets a clear path for the types of information collected and the outcomes in mind.

  2. Collection and Processing
    There is a lot of information available, but not all of it is meaningful to your mission. Data acquisition should therefore address how, when, why and what should be collected to fulfil the requirements. Automating data collection reduces the time spent when the organisation has multiple systems and tracking mechanisms; processing then normalises what was collected (de-duplication, a common format, enrichment) so that it is ready for analysis.

  3. Analysis
    Intelligence analysts evaluate, analyse and interpret the processed information against the requirements, in order to assess confidence, relevance, likelihood and threat impact. Teams can also assess gaps in data collection at this stage.

  4. Production
    Intelligence products, such as briefings and technical reports, are produced in a timely manner and must be actionable and relevant to stakeholder needs. Any deficiency against the requirements should be documented for future improvement of the intelligence cycle.

  5. Dissemination and Feedback
    Intelligence products are presented to stakeholders, with an outline of the expected courses of action and of how stakeholders can evaluate the intelligence received. Feedback is important for the CTI team to review the programme's requirements continuously, especially as adversaries' behaviours and tactics change over time.

Personnel involved

The cost of CTI implementation depends on the organisation's purpose for such information. For companies that wish to disseminate threat insights to their subsidiaries, or to use them as a way to audit their critical vendors, it pays to invest in information collation from credible data points. CTI personnel should ideally have some understanding of risk assessment, to ascertain whether the information gathered is valid and useful for their organisation's cybersecurity posture and identified vulnerabilities. During analysis they need to connect the dots across sources, to make sense of blind spots that are not immediately apparent. Such information is not limited to system issues or software performance, as breaches can be caused by both external and internal actors. For instance, are the key suppliers handling our business data running systems that require regular patching? Has there been an organisation-wide retrenchment at one of our supply-chain partners?

Personnel and stakeholders involved in any of the three types of threat intelligence are as follows:

  1. Tactical – Security Operations Centre (SOC) analysts, and personnel involved in SIEM, firewall, endpoint or IDS/IPS operations.
  2. Operational – Threat hunters, SOC analysts, and personnel involved in vulnerability management, incident response or insider-threat programmes.
  3. Strategic – CISO, CIO, CTO, Executive Board, and personnel involved in strategic intelligence.

Potential Pitfalls

While CTI can be used by organisations of all sizes and scales, not all organisations are able to benefit meaningfully from their investment in CTI. Some potential pitfalls in CTI deployment are:

  1. No or limited analysis of the information collected: Most organisations focus their efforts on basic use cases, such as integrating threat data feeds with existing network devices, IPS, firewalls and SIEMs, without leveraging the insights those feeds offer. Without insight there is no intelligence for proper decision-making; a feed that only generates raw matches, with no assessment of confidence, relevance or context, produces alerts rather than intelligence.

  2. A significant amount of the information collected is irrelevant to the organisation's specific requirements: For instance, a pharmaceutical company would value root-cause analyses of data breaches in its own industry more than the latest strategies deployed by cyber attackers against the IT industry. Framing the information criteria in the context of the company's business needs not only strengthens the company's focus on its cybersecurity posture, but also adds value to the CISO's efforts to obtain buy-in from management, especially when seeking additional budget and resources.

  3. Inability to garner stakeholders' feedback to improve the relevance of the intelligence presented: CTI cannot be effective if it depends only on the efforts of technical personnel. It requires input from management on the business requirements, so that the intelligence can be sharpened to address organisational needs better.

  4. Inability to sustain CTI efforts over time: While it takes some effort to start a CTI programme, the intelligence gathered improves over time with a timely feedback loop from stakeholders and the team's continuous improvement of the intelligence cycle. Aborting the programme before it has the chance to mature denies the organisation the opportunity to establish its fundamentals in intelligence gathering and threat analysis.

Should my organisation implement CTI?

It depends on your organisational needs and on whether CTI can play an important part in enhancing your competitive edge and cybersecurity posture. There are various approaches to implementing a CTI programme, and companies need first to allocate the time, effort and resources to ensure their programmes can be fine-tuned along the way. Results do not come overnight; management's project sponsorship and pre-determined outcomes are integral drivers of the CTI team's performance and value-add in achieving the organisation's cybersecurity maturity.

Biography



Yvonne Wong

Yvonne is currently a Co-opted Committee Member, EXCO, in AiSP. She is volunteering in the Cyber Threat Intelligence Special Interest Group (SIG), and Data and Privacy SIG. Yvonne has been a practitioner, consultant and trainer for Governance, Risk and Compliance (GRC) since 2015. Prior to GRC, she has been involved in branding, communications, intellectual property management and strategic planning work in private and public sectors. She is presently the Senior Manager in the Yishun Health Data Protection Office.