4 essentials to creating a world-class threat intelligence program
Businesses, large and small, are changing tactics when it comes to information security. Rather than spend hard-earned cash attempting to cover every base defensively, company officials are developing information security postures based on the outcome of risk assessments.
This trend started gaining momentum back in 2012 when the National Institute of Standards and Technology (NIST) published its Guide for Conducting Risk Assessments (PDF). The paper begins, “Risk assessments are a key part of effective risk management and facilitate decision making at all three tiers in the risk management hierarchy including the organization level, mission/business process level, and information system level.”
The purpose of risk assessments, according to the guide, is to inform decision makers and support their responses by identifying:
- relevant threats to organizations;
- vulnerabilities, both internal and external;
- likelihood that harm will occur; and
- impact to organizations resulting from a successful attack.
Threats are everything
The word threat was mentioned over 600 times in the NIST publication. The authors’ emphasis was palpable, which is understandable. Threats are something neither NIST, nor those responsible for a company’s digital assets, can control. An obstacle understood by Levi Gundert, vice president of threat intelligence at Recorded Future.
Gundert, in his paper Aim Small, Miss Small: Producing a World-Class Threat Intelligence Capability (PDF), mentions, “Threat intelligence as a practice is, at present, still an elusive concept for many companies. Successful threat intelligence programs identify and measure tangible business goals, including reducing operational risk and solidifying a competitive advantage through market differentiation.”
In other words, understanding the where, what, when, and how of a threat is important.
Aim small, miss small
Gundert, a former US Secret Service Special Agent, assigned to the Los Angeles Electronic Crimes Task Force, was at the firing range, and most of his shots were less than effective. The instructor told Gundert to change the paper target so that the edge of the paper was facing him. Gundert did what he was told, moved the target back into position, and fired.
“Assuming there was no possibility I had hit my target, I flipped the target to its original position, and my jaw dropped,” writes Gundert. “The target contained a linear tear through the middle…. I looked at the instructor incredulously.”
The instructor responded, “That’s it. Aim small, miss small.”
“Aim small, miss small” according to Gundert, applies equally well to threat intelligence — a subject that produces an immense amount of data. He explains, “True success in threat intelligence is predicated on constraining intelligence efforts to specific business objectives, which removes the large surface area and leaves only a challenging sliver of value to pursue.”
The components of a successful threat intelligence program
Gundert feels any good threat intelligence program requires both an operational and a strategic component. The operational component includes the following.
- Incident identification: This component focuses on the processing of external attack data from all available sources. Gundert mentions automating this process ensures external attacks and internal incidents will be identified in time to be of use.
- Defensive controls: This component ideally will prevent or mitigate attacks. Gundert adds this component must reflect new data as it becomes available.
Next, Gundert describes the strategic component as involving expert analysis of how current and future threats will affect the business and its assets. The strategic component includes the following.
- Relationship building: Trading attack information with trusted communities such as Information Sharing and Analysis Centers (ISAC) introduces a proactive element, allowing companies to benefit from the experiences of other organizations.
- Proprietary information sources: Besides using threat vendors as sources, in-house data gathering capabilities are important sources of company-specific information and a way to verify vendors. Gundert adds, “For example, building an internal Web crawler that analyzes the web page code of the business’s top 5,000 daily web destinations may provide insight into drive-by attacks.”
- Adversary attribution: Gleaning the reasons behind an attack, motivation for the attack, and methodology of the attack is important not only while the attack is underway, but afterward as upper management will want details.
- Trend identification: Tracking attack tendencies provides insight into future threats and facilitates planning.
- Security awareness: Employee education is critical. Gundert mentions, “Education is a time intensive, but strategic function that adds immediate value when applied systematically.”
- Internal hunting: Companies need to monitor for rogue insider behavior as well as undetected exterior attacks that have breached the company’s perimeter.
- Attacker tools and architecture recommendations: Identifying the Tools, Techniques, and Procedures (TTPs) that correspond to what Gundert calls an adversary’s “choke point” allows IT departments to proactively create a solution.
Gundert suggests that creating a world-class threat intelligence program requires:
- understanding the business and its strategic assets;
- identifying relevant adversaries and their TTPs;
- working in partnership with larger security organizations; and
- building relevant defensive security controls that increase visibility, reduce risk, and increase profitability.
When all is said and done, Gundert suggests, “The success of a threat intelligence program is dependent on the understanding of business objectives, and building processes that allow the business objectives to be met.”