CYBER THREAT ARTICLE - IS CYBER THREAT INTELLIGENCE NECESSARY?
Is Cyber Threat Intelligence necessary?
Cyber Threat Intelligence (CTI) may seem like a recent development among cybersecurity practitioners, but its concept and uses can be considered as important as those of military or business intelligence. Challenged by conflicting demands for resources and effort, organisations worldwide can leverage CTI to develop a proactive cybersecurity posture based on informed decision-making and improved detection of threats. As defined by Gartner, threat intelligence is evidence-based knowledge (e.g. context, mechanisms, indicators, implications and action-oriented advice) about existing or emerging menaces or hazards to assets.
As in warfare, intelligence is key to detecting and deterring unknown adversaries. Military intelligence uses information collection and analysis to provide guidance and direction that assist decision-making: an assessment of data from a range of sources, directed towards the mission requirements or gathered as input to operational or campaign planning. Information requirements are identified first, and then drive intelligence collection, analysis and dissemination.
Types of Threat Intelligence
There are a number of service providers offering CTI insights and analysis to companies exposed to cyber threats. Faced with a wide range of risks and a dynamic threat landscape, CTI helps CISOs and IT security teams to identify their blind spots quickly and to assess the readiness of their protective measures and defence mechanisms. Aggregated findings on threat patterns, especially when segmented by industry, raise the credibility and robustness of in-house cybersecurity assessments when the Board and management ask for supporting data. Threat intelligence is commonly divided into three types: tactical, operational and strategic. An organisation may focus on all three or on a selection of them, depending on how it intends to use the intelligence:
- Tactical Cyber Threat Intelligence analyses interactions between the technology environment and threats, and is typically used to assist in mitigating active or expected threats such as a malicious domain name or a phishing campaign. It is the easiest of the three types to deploy in terms of resources, since it deals with simple indicators of compromise, but it has a very short lifespan: an adversary can change a domain name or file hash at almost no cost, so such indicators must be aged out or they generate stale alerts.
- Operational Cyber Threat Intelligence considers the historical capabilities, affiliations and motivations of threat actors, and is used mostly to make resource-allocation decisions around real and perceived threats. It has a longer lifespan than tactical intelligence, as most threat actors do not change the way they operate often or quickly. CTI teams whose mission is to understand the adversaries behind the attacks will see value in this type of intelligence.
- Strategic Cyber Threat Intelligence focuses on the future, including emerging trends, and is used to make longer-term decisions. It tends to be the hardest form to generate, requiring a good understanding of both cybersecurity and the nuances of the geopolitical situation during data collection and analysis. For example, state-sponsored attacks are usually linked to geopolitical conditions, and financially motivated cybercrime groups constantly evolve their techniques to achieve bigger payoffs.
Information is not Intelligence
Raw and unfiltered information that is not actionable is not intelligence. Such information needs to be aggregated from reliable sources, cross-correlated for accuracy, and evaluated and interpreted by trained analysts. To transform information into intelligence that supports decision-making, organisations can follow a five-step intelligence cycle:
- Planning and Requirements: A clear mission, based on the CTI programme's requirements, sets a clear path for the types of information to be collected and the outcomes in mind.
- Collection and Processing: A lot of information is available, but not all of it is meaningful to the mission. Data acquisition should therefore address how, when, why and what should be collected to fulfil the requirements. Automating collection reduces effort where the organisation has multiple systems and tracking mechanisms.
- Analysis: Intelligence analysts evaluate, analyse and interpret the processed information against the requirements, in order to assess confidence, relevance, likelihood and threat impact. Teams can also assess gaps in data collection at this stage.
- Production: Intelligence products such as briefings and technical reports are produced in a timely manner and must be actionable and relevant to stakeholder needs. Any shortfall against the requirements should be documented for future improvement of the intelligence cycle.
- Dissemination and Feedback: Intelligence products are presented to stakeholders, with an outline of the expected courses of action and of how stakeholders can evaluate the intelligence received. Feedback lets the CTI team review the programme's requirements continuously, especially as adversaries' behaviours and tactics change over time.
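The Collection and Processing, Analysis and Production steps above, together with the lifespan difference between tactical and operational intelligence described earlier, can be shown in code. The following is an added example and not from the article: it takes raw entries from two constructed feeds, normalises and de-duplicates them, scores confidence from an assumed reliability rating per feed plus corroboration, drops indicators that are past their assumed lifespan or outside the programme's requirements, and emits a small product in which every item carries its evidence. The feed names, reliability values, requirement tags, lifespans and all indicator values are assumptions.

```python
"""Turn raw feed entries into a small, scored intelligence product.

Added example, not from the original article. The feeds, source
reliability ratings, requirement tags and lifespans are all constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Planning and Requirements: what the programme has been asked to cover.
# Assumed stand-in for a real requirements document.
REQUIREMENTS = {"sector": "pharmaceutical", "interest": {"phishing", "ransomware"}}

# Base confidence per source, from an assumed reliability rating of each feed.
SOURCE_RELIABILITY = {"feed-a": 0.9, "feed-b": 0.5}

# Tactical indicators age out quickly; actor-level (operational) intelligence
# lasts longer. The day counts are illustrative.
LIFESPAN = {"tactical": timedelta(days=30), "operational": timedelta(days=365)}


@dataclass
class RawEntry:
    source: str
    kind: str            # "tactical" (domain, IP) or "operational" (actor)
    value: str           # possibly defanged, inconsistently cased
    tags: set[str]
    seen: datetime


@dataclass
class Indicator:
    kind: str
    value: str
    tags: set[str]
    sources: set[str] = field(default_factory=set)
    last_seen: datetime | None = None
    confidence: float = 0.0


def refang(value: str) -> str:
    """Normalise defanged notation such as 'evil[.]example' and 'hxxp://'."""
    return value.lower().replace("[.]", ".").replace("hxxp", "http").strip(".")


def process(entries: list[RawEntry]) -> dict[tuple[str, str], Indicator]:
    """Collection and Processing: normalise and de-duplicate across feeds."""
    merged: dict[tuple[str, str], Indicator] = {}
    for e in entries:
        key = (e.kind, refang(e.value))
        ind = merged.setdefault(key, Indicator(e.kind, key[1], set()))
        ind.tags |= e.tags
        ind.sources.add(e.source)
        ind.last_seen = e.seen if ind.last_seen is None else max(ind.last_seen, e.seen)
    return merged


def analyse(indicators: dict[tuple[str, str], Indicator], now: datetime) -> list[Indicator]:
    """Analysis: score confidence, then drop stale and irrelevant items."""
    kept = []
    for ind in indicators.values():
        # Best single-source reliability, boosted when other feeds corroborate.
        base = max(SOURCE_RELIABILITY.get(s, 0.3) for s in ind.sources)
        ind.confidence = min(1.0, base + 0.1 * (len(ind.sources) - 1))
        if now - ind.last_seen > LIFESPAN[ind.kind]:
            continue  # past its useful life; would only generate stale alerts
        relevant = bool(ind.tags & REQUIREMENTS["interest"]) or REQUIREMENTS["sector"] in ind.tags
        if not relevant:
            continue  # true but not ours: noise for this programme
        kept.append(ind)
    return sorted(kept, key=lambda i: i.confidence, reverse=True)


def produce(entries: list[RawEntry], now: datetime) -> list[dict]:
    """Production: an actionable list where every item carries its evidence."""
    return [
        {"kind": i.kind, "value": i.value, "confidence": round(i.confidence, 2),
         "sources": sorted(i.sources), "tags": sorted(i.tags)}
        for i in analyse(process(entries), now)
    ]


# Constructed sample feed; none of these are real indicators.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_FEED = [
    RawEntry("feed-a", "tactical", "login-portal[.]example", {"phishing", "pharmaceutical"}, NOW - timedelta(days=2)),
    RawEntry("feed-b", "tactical", "LOGIN-PORTAL[.]example.", {"phishing"}, NOW - timedelta(days=5)),
    RawEntry("feed-b", "tactical", "old-c2[.]example", {"ransomware"}, NOW - timedelta(days=90)),
    RawEntry("feed-b", "tactical", "miner[.]example", {"cryptomining", "retail"}, NOW - timedelta(days=1)),
    RawEntry("feed-a", "operational", "Group-X", {"ransomware"}, NOW - timedelta(days=200)),
]

if __name__ == "__main__":
    for item in produce(SAMPLE_FEED, NOW):
        print(item)
```

Of the five raw entries only two survive: the phishing domain, which both feeds reported and which therefore scores highest, and the ransomware actor, whose operational intelligence is still within its longer lifespan. The 90-day-old tactical indicator is aged out and the cryptomining entry is dropped as outside the requirements, which is the filtering a feed wired straight into a SIEM never performs.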
Personnel involved
The cost of CTI implementation depends on the organisation's purpose for such information. For companies that wish to disseminate threat insights to their subsidiaries, or to use them as a way to audit their critical vendors, it pays to invest in collating information from credible data points. CTI personnel should ideally have some understanding of risk assessment, so that they can ascertain whether the information gathered is valid and useful for the organisation's cybersecurity posture and identified vulnerabilities. During analysis they need to connect the dots, to make sense of blind spots that are not immediately apparent. Such information is not limited to system issues or software performance, as breaches can be caused by both external and internal actors. For instance, are the key suppliers that handle our business data running systems that require regular patching? Has there been organisation-wide retrenchment at one of our supply-chain partners?
Personnel and stakeholders involved in any of the three types of threat intelligence are as
follows:
- Tactical – Security Operations Center (SOC) analyst, and personnel involved in SIEM, firewall, endpoints or IDS/IPS.
- Operational – Threat hunter, SOC analyst, and personnel involved in vulnerability management, incident response or insider-threat programmes
- Strategic – CISO, CIO, CTO, Executive Board, personnel involved in strategic intelligence
Potential Pitfalls
While CTI can be used by organisations of every size and scale, not all organisations are able to benefit meaningfully from their investment in it. Some potential pitfalls in CTI deployment are:
- No or limited analysis of the information collected: Most organisations focus their efforts on basic use cases, such as integrating threat data feeds with existing network devices, IPS, firewalls and SIEMs, without leveraging the insight behind the data. A raw indicator match with no context, confidence or expiry attached is data, not intelligence, and without that insight there is nothing to support proper decision-making.
- A significant amount of collected information that is irrelevant to the organisation's specific requirements: For instance, a pharmaceutical company would value root-cause analysis of data breaches in its own industry more than the latest attacker strategies against the IT industry. Framing the information criteria in the context of the company's business needs not only sharpens its cybersecurity focus, but also adds value to the CISO's efforts to win management buy-in, especially when seeking additional budget and resources.
- Inability to garner stakeholders' feedback to improve the relevance of the intelligence presented: CTI cannot be effective if it depends only on the efforts of technical personnel. It requires input from management on the business requirements, so that the intelligence can be sharpened to address organisational needs better.
- Inability to sustain CTI efforts over time: While it takes some effort to start a CTI programme, the intelligence gathered improves over time through a timely feedback loop from stakeholders and the team's continuous improvement of the intelligence cycle. Aborting the programme before it has had the chance to mature prevents the organisation from establishing its fundamentals in intelligence gathering and threat analysis.
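The first pitfall above, feeds wired into a SIEM with no analysis behind them, is the consumption side of the cycle, where the SOC analyst listed under tactical intelligence earlier actually uses the product. The following is an added example and not from the article: it matches constructed proxy log lines against a small set of already-analysed tactical indicators and raises an alert only when the indicator is still within its lifespan and above a confidence threshold, attaching the threat and recommended action so that the alert is actionable rather than a bare string match. The indicators, their context, the log format and the thresholds are all assumptions.

```python
"""Match proxy log lines against curated indicators and raise alerts that carry
the analysis behind them, suppressing stale or low-confidence matches.

Added example, not from the original article. The indicators, their context
and the log lines are constructed; the log field layout is an assumption.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Curated (already analysed) indicators. Each carries what a raw feed match
# lacks: confidence, the threat it belongs to, an expiry and a recommended
# action. All values are constructed.
INDICATORS = {
    "login-portal.example": {
        "confidence": 0.95, "threat": "credential phishing",
        "action": "block domain; reset credentials of users who submitted a form",
        "expires": NOW + timedelta(days=28)},
    "old-c2.example": {
        "confidence": 0.4, "threat": "commodity malware C2",
        "action": "investigate host only if other signals are present",
        "expires": NOW - timedelta(days=60)},  # already expired
}


def matching_indicator(host: str) -> str | None:
    """Return the indicator covering host, including any of its subdomains.

    The final label on its own is never tried, so a bare 'example' does not match.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in INDICATORS:
            return candidate
    return None


def parse_line(line: str) -> dict[str, str]:
    """Parse the constructed 'timestamp src_ip host path status' proxy format."""
    ts, src, host, path, status = line.split(" ", 4)
    return {"ts": ts, "src": src, "host": host, "path": path, "status": status}


def triage(lines: list[str], now: datetime, min_confidence: float = 0.6) -> dict[str, list]:
    """Split indicator hits into alerts worth an analyst's time and suppressed noise."""
    alerts, suppressed = [], []
    for line in lines:
        event = parse_line(line)
        key = matching_indicator(event["host"])
        if key is None:
            continue
        ctx = INDICATORS[key]
        hit = {"ts": event["ts"], "src": event["src"], "host": event["host"], "indicator": key}
        if ctx["expires"] < now:
            suppressed.append({**hit, "reason": "indicator expired"})
        elif ctx["confidence"] < min_confidence:
            suppressed.append({**hit, "reason": "low confidence"})
        else:
            alerts.append({**hit, "threat": ctx["threat"], "action": ctx["action"],
                           "confidence": ctx["confidence"]})
    return {"alerts": alerts, "suppressed": suppressed}


# Constructed sample log lines: private source addresses, fictitious hosts.
SAMPLE_LOG = [
    "2024-06-01T08:01:02Z 10.0.0.12 cdn.login-portal.example /signin 200",
    "2024-06-01T08:02:10Z 10.0.0.17 intranet.corp.example /home 200",
    "2024-06-01T08:03:44Z 10.0.0.21 old-c2.example /beacon 404",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, NOW)
    for a in result["alerts"]:
        print("ALERT", a)
    for s in result["suppressed"]:
        print("suppressed", s)
```

A raw feed integration would fire twice here; the curated version pages the analyst once, for the live phishing domain, and records the expired C2 hit for later correlation rather than as an alert. Keeping the suppressed list is deliberate: it is the data that feeds back into the Dissemination and Feedback step, showing which indicators are still generating hits after expiry.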
Should my organisation implement CTI?
It depends on your organisation's needs and on whether CTI can play an important part in enhancing your competitive edge and cybersecurity posture. There are various approaches to implementing a CTI programme, and companies need first to allocate time, effort and resources so that their programmes can be fine-tuned along the way. Results do not come overnight; management's project sponsorship and pre-determined outcomes are integral drivers of the CTI team's performance and value-add on the path to cybersecurity maturity.
Biography
Yvonne Wong
Yvonne is currently a Co-opted Committee Member, EXCO, in AiSP. She volunteers in the Cyber Threat Intelligence Special Interest Group (SIG) and the Data and Privacy SIG. Yvonne has been a practitioner, consultant and trainer for Governance, Risk and Compliance (GRC) since 2015. Prior to GRC, she was involved in branding, communications, intellectual property management and strategic planning work in the private and public sectors. She is presently the Senior Manager in the Yishun Health Data Protection Office.