Toward Strategic and Proactive Threat Intelligence Programs
In 2015, ESG did an in-depth research project on cyber threat intelligence usage at enterprise organizations (i.e. more than 1,000 employees). The goal of this project was to determine how large firms were using threat intelligence, what challenges they faced, how they were addressing these challenges and what their strategies were moving forward.
The research revealed that many threat intelligence programs were relatively immature – 40% of threat intelligence programs had been in place less than 2 years at that time (note: I am an ESG employee). Cybersecurity professionals were also asked to identify the top objectives for their organization’s threat intelligence program. The top results were as follows:
- 38% said, “improve automated incident prevention.” In other words, CISOs want to receive indicators of compromise (IoCs) like rogue IP addresses, web domains, and URLs from threat intelligence feeds and then automatically generate things like firewall rules for blocking access to these malicious network destinations.
- 33% said, “use threat intelligence to automate security operations and remediation activities.” This is like the previous answer but more closely related to automating a process rather than a technology action. An example might be automatic access to threat intelligence as part of a standard process for security investigations.
- 28% said, “establish a central threat intelligence service to help guide the cybersecurity activities of smaller units within the organization.” This is purely an organizational play. Rather than have individuals purchase and consume threat intelligence willy-nilly across the organization, it makes sense to centralize this function to maximize efficiency and establish a center of excellence.
Fast forward to 2017 and these priorities haven’t really changed. Now there’s nothing wrong with this list, organizations should be centralizing threat intelligence and using it to automate security operations. So, what’s the problem? When it comes to threat intelligence programs, many organizations are simply too myopic and tactically focused. That’s really what’s reflected in the ESG research – good start but it’s time to move beyond cybersecurity/IT operational use of threat intelligence alone.
In fact, leading-edge organizations I speak with use threat intelligence more strategically and proactively, using an “outside-in” threat intelligence model with objectives such as:
- Tracking cyber-adversaries. More advanced threat intelligence programs seek to answer a few fundamental questions: Who is attacking my organization? Why are they attacking my organization? What methods are they using to attack my organization? Many immature threat intelligence programs only see a subset of this information by focusing on gathering IoCs. Again, a good start but not enough. If you know what your enemies are trying to do, you can better anticipate their tactics, change security controls, and know what to monitor to mitigate risk. As Sun Tzu said, “if you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
- Understanding, communicating, and addressing pending business risks. It ain’t industry hyperbole anymore, cybersecurity really is a boardroom issue. With proactive threat intelligence programs, CISOs will have the knowledge to present a cogent business risk picture to the board with associated strategies for risk mitigation. And with a global threat intelligence view, this risk mitigation strategy can be extended to geographic risks, industry risks, third-party risks, etc.
- Threat hunting. Armed with knowledge about which threat-actors are attacking and the weapons they tend to use, security analysts can engage in hunting expeditions, looking for kill chain indicators, compromised systems, and weak third-party incursion vectors. Sophisticated organizations can also emulate threat actor behavior in penetration testing exercises. To quote Sun Tzu once more, “victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win”
Finally, proactive organizations are well along the way to integrating threat intelligence into a more universal security analytics and operations platform architecture (SOAPA, here’s a link to a blog I wrote about SOAPA). This can help them contextualize, enrich, and act upon important intelligence across disparate security operations tasks in a timely manner.
Over the past few months, I’ve talked to several vendors who understand the difference between tactical and strategic threat intelligence programs. These include folks like Anomali, BitSight, FireEye, Flashpoint, LookingGlass Networks, Recorded Future, Threat Connect, and ThreatQuotient. Some of these vendors sell products, some sell services, some sell both. This group (and others) understand the “outside-in” approach of threat intelligence and the associated benefits so they may be a good resource for CISOs looking to get much more from threat intelligence investments.