Cyber Threat Intelligence (CTI), as it’s commonly known, is the practice of gathering information from a range of different sources that helps a business understand past, current and future threat trends against their organisation. This information is then analysed and used to minimise and mitigate potential cyber threats.
Cyber Threat Intelligence is designed to provide better insight into the threat landscape. Properly managed, it enables a business to be proactive about understanding its biggest risks. This can range from configuring security tools appropriately to board-level strategic decision making.
What is Threat Intelligence?
To answer this we need to break it down, understand what a threat is and then understand what intelligence is.
Threat – An expression of intent to do harm. In a cyber context, simply something that exploits a vulnerability. A threat is not the vulnerability itself; it is whoever takes advantage of that vulnerability.
Intelligence – A Google search tells us intelligence is ‘the ability to acquire and apply knowledge and skills’ and ‘the collection of information of military or political value’. The keyword here is value. If no value is added by the collection, then it simply remains information: it doesn’t get used and offers nothing to base decisions on.
So, in a nutshell, ‘Threat Intelligence’ is information about adversaries (threat actors) that is used to make a decision. Understanding what adversaries are thinking, feeling and doing is therefore how we counter their attacks.
What is its purpose?
In its simplest terms, and in an ideal world, we want to pre-empt and defend ourselves before attacks can happen. In the real world it is all about understanding your business, who your likely adversaries might be, how they would attack, exfiltrate data and cover their tracks, and then defending against those.
Common Pitfalls – This will be the lengthy bit!
No clear strategic goal or roadmap
Trying to embed a Threat Intelligence framework without a clear roadmap and stakeholder support is an exceedingly difficult task, yet it still happens. Unfortunately, this leads to many frustrations for everyone involved. Misunderstanding and miscommunication are common without a clear strategic goal.
Not having the basics in place
If you do not have a solid foundation in place (proper patch management, vulnerability identification, regular penetration testing, SIEM, SOC, policies, etc.), then implementing a Threat Intelligence team or framework will be next to useless, I’m afraid. It would be like trying to protect a sieve.
Collecting Everything
Probably the most common issue I have encountered is that so much information is being collected that it is impossible to extract the correct intelligence to make any decisions. More information is not better; it will ultimately lead to worse intelligence and the wrong strategic decisions being made.
Not understanding the data
All data collected needs to be analysed in some way before it becomes useful. There are various methods of doing this.
Useless Reporting
Again, one of the most common issues is Threat Intelligence reports being disseminated to senior management that just repeat what is already in the news and widely known. This is not intelligence; it has no use and is very ineffective. No decisions of any kind can be made from it. An example would be a new attack surfacing against medical institutes stealing medical records when your business is financial. Huge disconnect and not relevant. Useful information, but not intelligence for your niche. Park it!
A Threat Intelligence report should always be split into Strategic, Tactical and Operational intelligence, written for the appropriate audience and disseminated to the correct teams, who can then make the necessary decisions.
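The two points above (park what is not relevant to your niche, and route what remains to the audience that can act on it) can be made mechanical. The following Python is an added illustration, not code from the article or its author: it scores each feed item against a constructed organisation profile (a hypothetical UK financial firm), parks items with no overlap or nothing new to say, and routes the rest to the strategic, tactical or operational audience. The profile, the feed items and the audience labels are all constructed for the example.

```python
"""Relevance-filter and route threat-intelligence items by audience.

Added example, not from the original article. The organisation profile,
feed items and audience mapping are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Constructed profile of the consuming organisation (hypothetical UK financial firm).
ORG_PROFILE = {
    "sectors": {"financial"},
    "regions": {"uk", "eu"},
    "technologies": {"windows", "office365", "vpn-appliance"},
}

# Which team consumes each level of intelligence (constructed mapping).
AUDIENCE = {
    "strategic": "board / CISO",
    "tactical": "security architecture / SOC management",
    "operational": "SOC analysts / IR team",
}


@dataclass
class IntelItem:
    title: str
    level: str                      # "strategic", "tactical" or "operational"
    sectors: set = field(default_factory=set)
    regions: set = field(default_factory=set)
    technologies: set = field(default_factory=set)
    already_known: bool = False     # True if it only repeats public news


def relevance_score(item, profile):
    """Count how many profile dimensions (sector, region, technology) the item touches: 0..3."""
    score = 0
    if item.sectors & profile["sectors"]:
        score += 1
    if item.regions & profile["regions"]:
        score += 1
    if item.technologies & profile["technologies"]:
        score += 1
    return score


def route(items, profile, minimum=1):
    """Return {audience: [titles]}; items below `minimum` relevance or already known go under 'parked'."""
    routed = {audience: [] for audience in AUDIENCE.values()}
    routed["parked"] = []
    for item in items:
        if item.already_known or relevance_score(item, profile) < minimum:
            routed["parked"].append(item.title)
            continue
        routed[AUDIENCE[item.level]].append(item.title)
    return routed


def sample_items():
    """Constructed feed items mirroring the article's healthcare-vs-financial example."""
    return [
        IntelItem("Ransomware stealing medical records from US hospitals", "tactical",
                  sectors={"healthcare"}, regions={"us"}),
        IntelItem("Banking trojan campaign against EU retail banks", "tactical",
                  sectors={"financial"}, regions={"eu"}, technologies={"windows"}),
        IntelItem("Active exploitation of a VPN appliance flaw (placeholder, no CVE)", "operational",
                  technologies={"vpn-appliance"}),
        IntelItem("Headline: cyber attacks rising globally", "strategic",
                  sectors={"financial"}, already_known=True),
        IntelItem("Regulator warns UK financial sector on supply-chain risk", "strategic",
                  sectors={"financial"}, regions={"uk"}),
    ]


if __name__ == "__main__":
    for audience, titles in route(sample_items(), ORG_PROFILE).items():
        print(f"{audience}:")
        for title in titles:
            print(f"  - {title}")
```

Raising `minimum` to 2 tightens the filter so that an item matching only on technology (the VPN appliance example) is parked unless it also hits a sector or region; that threshold is the knob that decides how much of a feed actually reaches people.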
Getting the right experience
It is always a difficult task to get the right people in situ. However, something so critical does require a person with effective experience in dealing with threat intelligence and embedding these functions within organisations. That is not to say internal staff cannot be trained to continue running the programme. If you get this wrong it is just a waste of everyone’s time and money in the end and will ultimately offer little to no value.
Insufficiently funded
It does not have to be an overly expensive outlay to embed something effective and deliver benefit; however, budgets need to be thought about. Like most security programmes, little tangible output is seen. It is better to have nothing than a poorly working function.
Not fully understanding the legalities of collecting Threat Intelligence
Fairly straightforward but often overlooked: make sure you are fully compliant with your country’s laws. Each country has its own specific acts.
What’s the best way to get started?
A solid strategy and scope will be needed from the outset.
Some questions to ask yourself before you take the plunge:
- What is the business driver for wanting such a function?
- What is the desired output from such a function?
- What is the long-term strategic goal?
- Do you have sufficient resource and headcount?
- Who in the business will consume the intelligence?
Some high-level technical questions:
- Can you describe the types of threat actors that would target your company?
- How would you perceive them targeting your company?
- Why would they be targeting your company?
- Do you already have access to any data within your business?
- Do you already have devices that can add/consume Threat Intelligence?
- What type/sources of data would you collect?
- Do you understand your current environment?
- What are the key pieces of information your business would need to make a decision?
- What is the lowest cost solution that could achieve your goals?
- What kind of alerts will help determine if your company is under attack?
For further information or guidance, don’t hesitate to contact one of our Cyber Threat Intelligence experts.