I have been working as a Cyber Threat intelligence area from quite a long time and today I want to talk about a question that I often get asked.
Do we need Cyber Threat Intelligence?
With this article I will try to answer as much as I can based on my personal experience.
Firstly, one must understand Cyber Threat intelligence and how it can help your organisation. But before we venture into Cyber world we must know Intelligence has always been there before Cyber was even a word. Simply, put Intelligence is ability to acquire certain knowledge and skills and apply where applicable or where they fit. However, as we know Intelligence is a very broad and there can be multiple answers to the question, how can we select one single answer?
Article from Martin T. Bimfort evaluates multiple definitions and perceptions of the person who is defining Intelligence in there own context with the knowledge and skills they have gathered in there field.
SANS CTI course generalized the definition as following:
Intelligence is the collecting and processing of information about a competitive entity and its agents, needed by an organisation or group for its security and well-being.
So, meaning of Intelligence for military individual and a chess player can be completely different and they both be right. However, is it possible they can have same goal? Yes. We all want to win!
Who are we are trying to win against? Enemies, nation state attackers, rival organizations or someone sitting next to you. Let’s call them Threats – internal or external. So does this threat existed before Cyber? Of course they did. However, the threats themselves were limited with their knowledge and skills compared to now.
From the beginning of the world, there has been war, where Intelligence helped to prepare against enemies. However, this was mostly HUMINT – Human Intelligence, where one of your trusted individual would go around enemy states and give the information back. We didn’t had emails so Falcon, dove were used to transfer messages. Than came ciphers to hide actual messages, morse code etc. From then to now we have seen tremendous uptick on tools and technologies that aids us in defending against these threats. Main point still remains, our threats have same tools and technologies. As time went by, Cyber Intelligence came into existence and now everybody wants to do it.
Note: Intelligence is a field of expertise and not everybody can do it. Steer away from those who claims, we provide Cyber intelligence or Threat intelligence services and just sharing IP addresses and sending email notification without context.
So coming back to the main point what should organizations consider if and when they require Cyber Threat intelligence services and what it actually is.
For me main reason to have a Cyber Threat intelligence program is that it provides actionable outcome or information that helps any organization to understand their security posture, how to deal with current threats, fills any security gaps and assist in reducing over all risk. For any organization that is planning to get into Cyber Threat Intelligence following are my prerequisites:
- Have a management agreement|vision|understanding in why they want the Cyber Threat intelligence program.
- Make sure its not a checkbox that needs to be ticked because of a compliance or insurance or its just cool to have it.
- Understand current Risk model of your organisation and works towards a strategy that aligns to your risk model.
- Understand Intelligence have different categories and they all require equal attention. Will discuss more in coming articles.
- Hire expertise – being blunt, companies do tend to transfer or promote internal staff who lacks knowledge and experience in cyber intelligence including adversaries tools and techniques and believe it will yield positive results but actually steers the team to never ending ocean.
Organization may have more or less prerequisites, however I have seen some organization will just implement a program without considering any of the above points.
Consider following DONT’S:
- Do not believe that Cyber Threat intelligence is achievable by getting a platform or a service. It will help but they are just to supplement an established Threat intelligence program and assist in finding missing pieces.
- PowerPoint presentation IS NOT EQUAL TO expertise in Cyber Threat Intelligence. There are lot of vendors now jumping in Cyber Threat intelligence that believes a nice platform with indicators going to SIEM is the intelligence. They are just pretenders and one should stay away from them.
- Peer pressure : Do not think that your peer has Cyber threat intelligence program|vendor|platform, we should have that as well. Many organizations have done that mistake by just following what peers do or are doing, but forget the most important part to understand their own organization requirements, threats etc. This leaves them starting their journey with somebody else’s goal.
Once we understand our prerequisites and what is required we take a step further and understand what and Cyber Intelligence program should do. I have created my own Pyramid of Cyber Threat Intelligence and hope it can help others.
So how I read this. The bottom tip of the pyramid is where Intelligence provides actionable information which can be one or more shown under the line.
Threats are known to the organization via social media, vendor posts and direct notification and/or news articles. Information gathering starts from there and multiple phases that are shown in the pyramid. Assessing and analyzing available data and identifying actionable information and disseminating the same to the relevant teams within organization to prepare our defenses against the identified threat is an output of Intelligence.
I also use the Pyramid to set my priorities. Closer to the intelligence section higher the priority it is. Organizations can take similar approach but may have different pieces that makes the pyramid. Remember the pieces should align to your organization Risk model and/or managements vision for what Cyber Intelligence team are supposed to do.
So answer to the question do I need Cyber Intelligence program is YES. Following points summaries my ideology that organization may want to follow when you want to start with the program:
- Gather requirements from your management and understand their vision of the Intelligence program.
- Understand current Risk model of your organization.
- Identify key people in your team with expertise|experience in Cyber Threat Intelligence and if not available consider hiring them.
- Once requirements are set, plan to put the requirements into action. This involves creating processes. Processes should be created keeping your audiences in mind. Audiences are the people who will receive this actionable information.
- Identify current tools and technologies already in place that aids the team in providing the information.
- If provided tools are not able to assist Intelligence team in their tasks look for alternatives. Alternatives firstly should be in-house development or an open source tools. However, these alternatives although has no direct cost involved, one must understand there is an indirect cost involved such as maintenance, hiring expertise to build the tool and managing the tool etc.
- Collect evidence for what is working and what is not. The evidence can help the team to prepare case to the management if there is any chance of asking more finance if/when required.
- If the team is decided to get external help identify which gaps are you trying to fill. Convert the gaps into use cases and the evidence collected will help us in the stage And if we decide external help is required, following are the few point to identify vendors:
- Identify vendors
- Convert the gaps into use cases. Provide the use cases to about 3 vendors.
- Check with your peers. This helps in to understand why they choose certain vendor.
- Do a bit of research of known vendors with expertise in your line of business
- Look up there external presence such as public articles, intelligence reports, known work with law enforcement etc.
- Once identified give them the use case and see the outcome and verify whether it is actually filling your gaps.
- If yes take it to the management
- Cross Fingers 🙂
Before finishing DO NOT consider following vendor types :
- Vendors with no public presence or any evidence of helping community.
- Consultancy firms who just talks about in social media and conferences with no actual work in intelligence.
- Vendors who are not in expert and does multiple things and thinks adding Cyber Intelligence service on the brochure is the way to go.
I would still like to name few vendors that one should check out. This is purely based on my personal experience and their assistance to community.
- GroupIB : Good with their malware and carding information. Been known of IR in multiple countries.
- Flashpoint : Good with their malware intelligence.
- Recorded Future : Good with their public blog articles and presentations.
Also, wanted to thanks Robert M. Lee, instructor in SANS for Cyber Intelligence course.
Intelligence should assist in making decision to assist organization in improving its security posture. Intelligence starts with your logs so make sure you listen to them what they have to say. Intelligence should sit in the middle of all other teams and can assist at every stage within organization so transparency and sharing of information helps.
I hope the article is useful. Thoughts and feedback are welcome.