For intelligence to drive a security program, organizations need 1) a vehicle to drive, 2) a direction to go, 3) a dedicated driver, and 4) an understanding of the terrain as well as the ability to look back, pivot and maneuver when obstacles are encountered.
The Vehicle: Defensive Security
Optimizing threat intelligence requires a defensive security team with the ability to recognize and respond to incidents, identify and patch vulnerabilities, and track and resolve risk.
Programs do not have to launch in a fully matured state, because threat intelligence and the environment can be used to guide program development, facilitate continuous improvement, and achieve increasingly higher levels of maturity.
However, even at the outset, it is critical to the development of a threat intelligence program that, if and when an organization identifies a threat, it is able to mitigate or resolve that threat.
The Direction: Priority Intelligence Requirements
Initially identifying the direction a threat intelligence program will travel can be as simple as highlighting an organization’s key threats.
Priority Intelligence Requirements (PIR) assist in addressing key threats by providing a series of questions the threat intelligence team must answer.
No single program is suitable for all organizations. Different organizations will have different priorities. For example, if an organization has significant research and development or high value intellectual property, the first PIR may be to identify:
- Who is interested in our data and what are their tactics, techniques and procedures?
However, if an organization is inundated with phishing emails related to wire fraud and their position in a supply chain, the first PIR may be to outline:
- What are the key techniques utilized for wire fraud and supply chain takeover and the proactive steps required to reduce or mitigate the threat?
The Dedicated Driver: Full-Time Resource and Collaboration
A common mistake when developing a threat intelligence program is the failure to provide adequate resources and staffing. In many cases, organizations will assign a person the role in addition to other existing duties. Organizations often balk at hiring a full-time, experienced threat intelligence analyst. This approach is likely to fail. Without dedicated focus, a part-time analyst will be pulled in too many directions to be able to accurately and effectively perform all of the necessary functions and establish a successful intelligence program.
This individual may lean on solutions like intelligence feeds that are noisy and lack context, preventing the development of actionable intelligence. Without actionable intelligence, it is difficult to justify a threat intelligence program.
Threat intelligence programs require a lot of diplomacy and collaboration. An experienced and successful threat intelligence analyst will be able to communicate effectively with an organization’s C-suite as well as technical and non-technical peers. Experienced analysts have the skills to provide consistently actionable intelligence. Just as importantly, they have the ability to communicate the reason, the process, and the desired outcomes to stakeholders across the organization.
The Terrain: Choosing the Right Supplemental Intelligence
Supplemental intelligence resources fill in gaps that a Threat Intelligence Program is not able to cover on its own.
For organizations beginning the process with one analyst, this may be a platform that assists in the collection of data, a targeted intelligence feed, or assistance from a managed intelligence services provider.
Of critical importance is an organization’s understanding of the unique terrain their company will traverse. This allows them to reinforce their intelligence program and prepare for incoming threats. For example, engaging with a threat intelligence company specializing in Advanced Persistent Threats and nation-state actors may not be the right choice for a retail manufacturer, but it is imperative for critical infrastructure. Likewise, a medical facility without a clear understanding of ransomware and how to protect against the latest variants is missing knowledge that could allow it to prevent or mitigate attacks.
Based on the unique characteristics of each organization, it is important to reinforce any Threat Intelligence Program with supplemental intelligence and investigative expertise that maps directly to the threats they will likely encounter.
Regardless of whether an organization is facing cyber-crime, nation-state espionage, physical security threats, aggressive online hostiles, or threats targeting their supply chain, it’s critical to have investigative support that helps provide proper context.
The “how”, the “why”, and potentially the “who” inform actionable outcomes and determine whether a threat or vulnerability requires remediation.
Many threat intelligence providers can provide an early warning, but the investigative follow-through is where the value lies. The ability to rapidly confirm or deny whether a breach is in progress can be the difference between success and failure.