This year challenged CISOs, CSOs, and IT teams like never before. With many companies transitioning quickly to remote-only work earlier this year, organizations, employees, and consumers faced a corresponding and dramatic growth in cybercrime, brand abuse, scams, and spear-phishing attacks. While some businesses had robust and resilient cybersecurity processes in place before the pandemic, many found themselves ill-equipped to handle the increase in threat activity and the rapid shifts in adversary behavior. In turn, successful decision-makers have discovered just how valuable threat intelligence services are in supporting business continuity, defending brand reputation, and preserving consumer trust.
But building a cyber-resilient enterprise informed by threat intelligence is not an easy task. Risks and requirements are often as unique and diverse as organizations themselves. Determining factors like industry, size, and market contribute to one simple truth: a one-size-fits-all approach to incorporating threat intelligence does not exist. Some invariants, however, do remain; successful threat intelligence programs must staff the right people in the right positions. Below, I’ll introduce four core threat intelligence focuses to consider as businesses plan and allocate budgets for 2021:
Predictive Intelligence
Threat intelligence is best operationalized when it informs proactive decisions, and predictive intelligence is the most powerful category for doing so. A well-positioned intelligence group produces products that combine tactical information such as IOCs with actionable analysis, so that consumers can act either to reduce a threat actor's capabilities or to limit the damage from successful intrusions. Intelligence delivers the most value when it enables the SOC, operational teams, or strategic management to take actions that produce positive business impact and reduce the likelihood of costly interruptions.
More than any other type, the predictive intelligence function is potentially the most impactful, but it is also the most challenging to operate. Staffing it is difficult, and it is easy for a team to focus narrowly on changes in the threat landscape rather than on business value. Because predictive work emphasizes holistic evaluation over raw data analysis, groups supporting this requirement usually need greater visibility into the business than traditional, tactical TI teams focused solely on remediation and technical intelligence.
Strategic Intelligence
Predictive intelligence is the most impactful because it enables decisive, preventive action, but not every situation concerns a future event. Strategic intelligence supports executive-level consumers with analysis and insight on ongoing strategic issues. It can include predictive pieces that inform future decisions, but more often it informs the response to an ongoing issue, concern, or crisis. At its core, intelligence is analysis designed to reduce time to decision and to help the consumer reach better, more nuanced outcomes. By design, strategic intelligence focuses on business impact and the expected losses or gains of particular outcomes or events; tactical, machine-readable data such as indicators is left out of this type of product.
Incident Response Intelligence
Threat intelligence focused on faster resolution of ongoing security incidents can make the difference between a sleepless night for the security team and a concerning month for the executive team. An incident response team operating without threat intelligence support is at a serious disadvantage in today's threat environment. A reinforcing cycle of information sharing between the IR team conducting host and network forensics and a dedicated TI member or group lets responders move faster and with greater purpose: TI provides focus and narrows down what the threat actor most likely did next. Very mature shops build playbooks for the most common paths taken by the major adversary groups, so that when activity is detected the IR team knows precisely where that detection sits in the intrusion chain, where on the device to look for the initial compromise, and where to bolster defenses to prevent further compromise. Deployed appropriately, this type of tactical intelligence can save hours, if not days, on an incident response investigation.
Hunt Intelligence
The final major focus of intelligence is the hunt function. Narrowly defined, this is direct support to a hunt team whose mission is to look through data for evidence of compromise that current detection misses: activity that falls into a gap in the security stack, or that would produce too high a false positive rate to be deployed as a standard detection. The key to this narrow definition is providing actionable insight into how adversaries are adopting tactics and techniques that bypass standard detections. That insight lets the hunt team find the activity and either activate the incident response team or build custom detection and prevention capabilities to close the gaps in existing coverage.
In a broader context, all tactical intelligence fits this mold. By providing IOCs and other tactical indicators to the SOC, the security stack, or a dedicated hunt team, the intelligence team empowers the organization's defenses to seek out malicious activity they were previously unaware of. Deploying those indicators for sustained remediation, for example by pushing known-bad domains and IPs to a firewall, is simply letting the technology do the hunting on the humans' behalf. Indicators do age, however: attacker infrastructure is rotated and IP addresses are reassigned, so every deployed indicator needs a source, a confidence level, and an expiry, or the firewall will eventually be blocking (and the SOC triaging) stale data.
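As an added example of "letting the technology hunt" (this is illustrative code written for this page, not code from the original post or any vendor), the block below runs a small indicator set over constructed log lines. The IOC feed, the key=value log format, the field names, and the 90-day decay window are all assumptions; the indicator values are drawn from documentation address ranges and a placeholder hash. Two practitioner details are built in: domain indicators match only exactly or as a parent domain, never as a plain substring, and indicators past their decay window are skipped rather than alerted on.

```python
import ipaddress
import re
from datetime import date, timedelta

# Constructed IOC feed (hypothetical values from documentation address ranges).
# Each indicator carries the date it was last confirmed active so the matcher
# can age it out instead of alerting on it forever.
IOCS = {
    "domain": {
        "bad-update.example": date(2020, 11, 1),
        "cdn.evil.test": date(2020, 3, 1),      # old: will be treated as stale
    },
    "ip": {
        "203.0.113.7": date(2020, 11, 20),
        "198.51.100.0/24": date(2020, 10, 15),  # CIDR indicators are allowed
    },
    "sha256": {
        # sha256("test"): a placeholder standing in for a real malware hash
        "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08": date(2020, 11, 10),
    },
}
MAX_AGE = timedelta(days=90)  # assumed decay window; tune per indicator type

# Constructed proxy/EDR-style log lines in an assumed key=value format;
# "-" marks a field that was not observed.
LOGS = [
    "ts=2020-11-25 src=10.0.0.5 dst=203.0.113.7 host=updates.bad-update.example sha256=-",
    "ts=2020-11-25 src=10.0.0.6 dst=93.184.216.34 host=notbad-update.example sha256=-",
    "ts=2020-11-25 src=10.0.0.7 dst=198.51.100.77 host=- "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "ts=2020-11-25 src=10.0.0.8 dst=192.0.2.9 host=cdn.evil.test sha256=-",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict, dropping fields recorded as '-'."""
    return {k: v for k, v in KV.findall(line) if v != "-"}


def domain_hit(host, ioc):
    """Exact or parent-domain match only. A plain substring test would wrongly
    flag 'notbad-update.example' against the indicator 'bad-update.example'."""
    host, ioc = host.lower().rstrip("."), ioc.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def ip_hit(addr, ioc):
    """Exact address or CIDR containment; anything that is not an IP never matches."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(ioc, strict=False)
    except ValueError:
        return False


# indicator kind -> (log field it applies to, comparison function)
MATCHERS = {
    "domain": ("host", domain_hit),
    "ip": ("dst", ip_hit),
    "sha256": ("sha256", lambda seen, ioc: seen.lower() == ioc.lower()),
}


def match_fields(fields, iocs, as_of, max_age=MAX_AGE):
    """Return (kind, indicator, observed_value) for every fresh indicator the line hits."""
    hits = []
    for kind, (field, matcher) in MATCHERS.items():
        observed = fields.get(field)
        if observed is None:
            continue
        for ioc, last_seen in iocs.get(kind, {}).items():
            if as_of - last_seen > max_age:
                continue  # stale indicator: aged out, not deployed
            if matcher(observed, ioc):
                hits.append((kind, ioc, observed))
    return hits


def hunt(lines, iocs, as_of):
    """Run the indicator set over every line as of an ISO date string.
    Returns [(line_index, hits), ...] for lines that matched at least one indicator."""
    as_of_date = date.fromisoformat(as_of)
    results = []
    for i, line in enumerate(lines):
        hits = match_fields(parse_line(line), iocs, as_of_date)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in hunt(LOGS, IOCS, "2020-11-25"):
        print(f"line {idx}: {hits}")
```

Run against the constructed lines as of 2020-11-25, lines 0 and 2 match (a fresh domain plus IP, and a CIDR plus hash); line 1 does not, because `notbad-update.example` is not a subdomain of the indicator; and line 3 does not, because `cdn.evil.test` was last confirmed more than 90 days earlier. The same decay check is what keeps a firewall blocklist fed from this kind of feed from filling up with stale entries.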
Insource versus Outsource
The four primary focuses of intelligence all require access to particular data and skill sets. In an ideal world, every company would have the budget to build an in-house intelligence group with the analytic capability and data needed to craft actionable insight and nuanced analysis for each of the four focus areas. An in-house team is more responsive and has a better understanding of the business's needs. For most organizations, however, this is not practical, and several factors make outsourcing the function the more cost-effective choice.
- The data required to build this level of capability is often exorbitantly expensive. The data requirements that let a team move from tactical support to strategic and predictive analysis are significant, and teams that insource data often spend more of the TI team's time curating those sources than adding value to the data they pull in, which significantly reduces the team's impact.
- There is value in diversity. An insourced team can only learn from the activity directly affecting your business, or through sharing communities that tend to focus on post mortems of activity long after the fact. A team that draws tactics, techniques, and a broader understanding of the threat and vulnerability landscape from multiple customers and engagements builds a richer shared understanding and better defensive capabilities.
- The skills required to support these different focuses are varied and low density, which makes hiring qualified individuals difficult and expensive. Threat intelligence professionals who can execute on strategic and predictive requirements are rare. Candidates supporting hunt and IR capabilities should also have some experience on the operational side of those missions, so they understand what truly reduces time to resolution and how to raise the signal-to-noise ratio of their products. Finding people with that experience who also have the analytical mindset to write the needed products is difficult. Outsourcing the intelligence function places the burden of sourcing, mentoring, and training on a third party, creating a plug-and-play capability for your security organization.
Regardless of the choices you make when building an intelligence capability, the one foundational question must be: how does this capability reduce business risk? That question is fundamental to a successful intelligence program, and every decision should flow from its answer. Whether you need tactical support for network defenders or strategic and predictive intelligence to inform key business decisions, identifying that need is the linchpin of building a high-value intelligence organization.