A View of Cyber Threat Intelligence

Nick Deshpande
2 min read · May 9, 2016

The business case for establishing a Cyber threat intelligence (CTI) capability is getting stronger in some sectors and verticals, and is becoming a focal point for corporate information security teams. In this brief article, I’d like to summarize some considerations and issues related to building capacity in this area.

CTI work spans a range of activities intended to deliver practical outputs — from the minutiae of blocking a malicious host to assessing the impact of ransomware in the IoT space in 5 years. These activities are components of a methodology that is documented, practiced continuously, and refined as needed. The application of models is a powerful thing and builds tacit knowledge, which is critical for continuity in teams that are likely to experience turnover.

Companies would be well served by building a roadmap before making any investment in people, technology, or process development. From there, it’s vital to establish Priority Intelligence Requirements based on business outcomes, and a collection plan around them. As data is received, applying analytical rigour — leveraging those models — to what you discover will yield results. Counter unknowns by building scenarios and describing the most likely and most dangerous outcomes. Document and challenge any major assumptions along the way. Represent an attacker’s journey, much as we do with our users and customers today for effective product development.

A brief anecdote. The discovery and publication of the Heartbleed vulnerability affecting different versions of OpenSSL invited many attackers to develop exploits targeted at various firms. Scripts to deploy honeypots were developed soon thereafter in an effort to collect information on potentially malicious IPs and the entities behind them. With research, enough time, and proper configurations, an analyst can extract information of significance from attack attempts and develop a threat actor profile with assessed techniques. What purpose does this serve? With the right inputs from the CTI team, an incident response team can bolster defences (test detection signatures) or focus log review tools on certain areas (e.g. particular hosts).
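The honeypot workflow described above, as an added example that is not part of the original article: a handful of constructed honeypot records (source addresses from documentation ranges, timestamps, destination port, and the heartbeat payload length the client declared versus the bytes it actually sent) are parsed, each request is checked with the same length comparison a Heartbleed detection signature relies on, and the results are aggregated into a per-source profile. The profile yields both an explicit output (a block-candidate list) and an implicit one (a behaviour label per source). The log format, field names, labels and thresholds are assumptions made for this example.

```python
"""Added example: turn raw honeypot observations into per-source threat profiles
that an incident response team can use to test detection logic.

Every record below is constructed for illustration. Each represents one TLS
heartbeat request seen by a honeypot: source IP, timestamp, destination port,
the payload length the client declared in the heartbeat header, and the number
of payload bytes actually present. The defensive check (and the detection
signature) is simply: declared length must not exceed what was sent.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log: src_ip timestamp dst_port declared_len actual_len
HONEYPOT_LOG = """\
203.0.113.7 2014-04-09T10:01:05Z 443 16 16
203.0.113.7 2014-04-09T10:01:09Z 443 65535 1
203.0.113.7 2014-04-09T10:02:41Z 8443 65535 1
198.51.100.23 2014-04-09T11:15:00Z 443 16384 0
198.51.100.23 2014-04-09T11:15:02Z 443 16384 0
192.0.2.55 2014-04-09T12:00:00Z 443 32 32
"""


@dataclass
class Observation:
    src_ip: str
    ts: datetime
    dst_port: int
    declared_len: int
    actual_len: int


def parse_log(text):
    """Parse the whitespace-separated honeypot format assumed above."""
    observations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, ts, port, declared, actual = line.split()
        observations.append(Observation(
            ip, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            int(port), int(declared), int(actual)))
    return observations


def is_malformed_heartbeat(o):
    """Detection rule: declared payload length exceeds the bytes present."""
    return o.declared_len > o.actual_len


@dataclass
class SourceProfile:
    src_ip: str
    first_seen: datetime
    last_seen: datetime
    attempts: int = 0
    malformed: int = 0
    ports: set = field(default_factory=set)
    max_declared: int = 0

    @property
    def assessment(self):
        """Implicit output: a behaviour label derived from the observed pattern."""
        if self.malformed == 0:
            return "benign-looking"
        if self.malformed < self.attempts:
            return "probe-then-exploit"  # a well-formed request preceded oversized ones
        return "exploit-only"


def build_profiles(observations):
    """Aggregate observations, in time order, into one profile per source IP."""
    profiles = {}
    for o in sorted(observations, key=lambda x: x.ts):
        p = profiles.get(o.src_ip)
        if p is None:
            p = profiles[o.src_ip] = SourceProfile(o.src_ip, o.ts, o.ts)
        p.last_seen = o.ts
        p.attempts += 1
        p.ports.add(o.dst_port)
        p.max_declared = max(p.max_declared, o.declared_len)
        if is_malformed_heartbeat(o):
            p.malformed += 1
    return profiles


def block_candidates(profiles):
    """Explicit output: sources that sent at least one malformed heartbeat."""
    return sorted(ip for ip, p in profiles.items() if p.malformed > 0)


if __name__ == "__main__":
    profiles = build_profiles(parse_log(HONEYPOT_LOG))
    for p in profiles.values():
        print(f"{p.src_ip:15} attempts={p.attempts} malformed={p.malformed} "
              f"ports={sorted(p.ports)} max_declared={p.max_declared} "
              f"window={p.first_seen:%H:%M}-{p.last_seen:%H:%M} -> {p.assessment}")
    print("block candidates:", block_candidates(profiles))
```

The block-candidate list is the "this is a bad IP" feed the article calls an explicit output; the assessment label and the port and timing fields are the implicit, pattern-level material an analyst would refine into a threat actor profile. Feeding the same constructed records through a production sensor is a cheap way to confirm that the detection signature fires on the oversized-length case and stays quiet on the well-formed one.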

The combination of both the explicit (e.g. this is a bad IP) and implicit (e.g. assessing patterns of behaviour) outputs is what makes this field so exciting. It’s also very young and on a trajectory to merge fully with big data science. In the future, cyber threat researchers and data scientists will possess the same skills. And they’ll have help from artificial intelligence and machine learning. Automation and integration are inevitabilities, but the logic to get there will take significant resources.

CTI informs more than defensive measures, and its role as a pillar of a comprehensive governance, risk, and compliance program cannot be overlooked. CTI can and should enable strategic insights that allow a firm to prepare for disruption, or cause it. (Another likely integration point: BI + CTI.) It can be one input informing changes made to people, process, and technology as awareness is built around key issues.

Thanks for reading.
