An increasing number of companies today depend on their cyberthreat intelligence (CTI) practices to stay ahead of determined attackers and an ever-expanding attack surface. In fact, 72 percent of organizations are now producing or consuming CTI data, according to Help Net Security. Statistics from EY’s “Global Information Security Survey 2018–19” show that about half of companies have developed in-house capabilities for threat intelligence collection and feeds (46 percent) and threat intelligence analysis (54 percent).
But having access to or generating CTI data doesn’t automatically translate into better insights, improved incident response or enhanced decision-making. So how can organizations squeeze the most out of their cyberthreat intelligence practices?
Maximizing a CTI function begins with identifying the stakeholders at various levels of the organization and understanding the goals of those stakeholders in making use of CTI information. What questions will CTI data help answer? How will this data be used? Once your CTI practice is off the ground, consider automating parts of the process to increase efficiency and free up human time for more strategic tasks. More mature organizations should review how actionable and accessible cyber threat information is, with the ultimate barometer being if the information is used throughout the organization during decision-making.
A Road Map to Improve Your Cyberthreat Intelligence Practices
Organizations looking for a road map to guide their cyber intelligence efforts will find great value in the “Cyber Intelligence Tradecraft Report,” published in May 2019 by the Software Engineering Institute (SEI) at Carnegie Mellon University. Full of advice for both business leaders and cyberthreat leaders, this comprehensive report not only details the state of cyber intelligence practices in the U.S., but provides a framework to guide companies looking to build or improve their existing practices, sharing insights into high-performing organizations (HPOs) along the way.
The report takes a broader view of intelligence operations, hence the use of the term “cyber intelligence” as opposed to “cyberthreat intelligence,” noting that the former includes the latter (but not vice versa).
The Cyber Intelligence Framework: What Is It and Why It Matters
The SEI report evaluated more than 30 organizations against 33 assessment factors, which were then mapped onto the five elements of the framework. The framework was created to ensure that organizations are deriving as much benefit out of their intelligence practices as possible. The five elements cover both the executive-level strategic view down to what data is collected and how value is extracted from the process:
Environmental context — Ensures organizations have determined a deep understanding of their data, systems and networks, as well as their attack surface and the threats they face.
Data gathering — The process and sources organizations use to generate or collect cyber intelligence data.
Threat analysis — Cyber intelligence received or collected is then analyzed to derive actionable threat information that will be used by the chief information security officer (CISO) and midlevel managers.
Strategic analysis — Extracts information that is relevant to executive decision-making. By its very nature, this is information that pertains to the health, reputation and profitability of the organization and is thus of vital interest to top leadership.
Reporting and feedback — Covers the communication, use and feedback mechanisms required to ensure an effective — or improving — cyber intelligence process.
Most organizations have elements one through three, meaning they have determined the business context, they are able to gather data (whether through their own means or via CTI feeds) and they have some kind of threat analysis capability — again, either in-house or outsourced. However, HPOs differentiate themselves from the pack by their ability to deliver strategic-level analysis, provide timely and customized reports, and receive regular feedback from top leadership about the quality of analysis work.
Most Cyberthreat Intelligence Programs Face Challenges
So what challenges are organizations facing in optimizing their CTI programs? A 2018 report from the Healthcare Information and Management Systems Society (HIMSS) shed light on some of the major barriers facing healthcare organizations specifically.
When asked about the best ways for healthcare organizations to remediate and mitigate cybersecurity incidents, the benefits of cyber intelligence featured prominently. However, a quarter of organizations also mentioned the large number of new and emerging threats as a barrier to making effective use of CTI data as they struggle to simply keep up their analysis of this large volume of data. Other common responses included lacking either the right technologies or tools and the right level of know-how for effective use and deployment of CTI processes.
The challenges reported in the HIMSS document are echoed by the SEI report. Among the challenges holding back effective cyber intelligence processes, the SEI report mentioned:
The gap between technical and analytical expertise, noting that in many cases, analysts are well-versed technically, but not in intelligence analysis, or vice versa.
Lack of resources is contributing to situations such as using outdated tools or data feeds, or the use of systems that make it difficult to use or share relevant data internally and externally.
Lack of leadership buy-in, which is a vicious cycle in cases where the threat intelligence program hasn’t delivered on its promises to executives. Organizations facing this situation would strongly benefit from implementing the recommendations that follow.
Implement Best Practices for Your Cyber Intelligence Program
Among the best practices and recommendations listed in the SEI report, organizations that adopt the following would not only receive short-term benefits, but also long-term improvements, as these recommendations can help with continuous improvement efforts as well.
Develop a Fusion Center
A fusion center can help break down silos and ensure information is shared quickly with all relevant parties. Having a focus on collection management would also help the organization determine who can coordinate intelligence requirements (e.g., What questions are we looking to get answers for? What data sources should we be using to get those answers?).
Work Toward Strategic Analysis
Strategic analysis elevates threat intelligence from a technical focus to being risk-based, and provides briefings to executives containing actionable information. It is holistic in nature, and covers current and future threats, threat actors — including behaviors and evolution of their capabilities — risks and opportunities, such as those stemming from emerging technologies.
Most importantly, strategic analysis provides information that the organization should use to improve its ability to prepare, detect, respond to and recover from security incidents. As the SEI report puts it, strategic analysis produces “the right reports for your organization.” But getting to that stage will also require another key element: feedback.
Improve Reporting and Feedback
One of the most striking differentiators between high-performing organizations and other enterprises is their focus on value to the reader. More than 70 percent of HPOs had a well-defined strategy and timeline to generate their valued reports across a variety of audiences (e.g., CISO, line-of-business directors, board directors). But HPOs also stood out for having clear and regular feedback from top leadership and the board about the value of their strategic reports, including just how often the CTI reports are used when considering big decisions.
Regardless of their current CTI maturity level, most organizations can benefit from leveraging automation. However, organizations will quickly run into the challenging question of what parts of the CTI process they should automate — followed quickly by a host of detailed questions about which standards and protocols to use.
Those organizations can find many answers in the ISAO Standards Organization’s “ISAO 300-2: Automated Cyber Threat Intelligence Sharing” report, published in April 2019. The document provides technical guidelines for organizations wishing to automate the sharing or consumption of collaborative CTI data. This tactical-level document will help implementers answer the more technical questions — e.g., standards, protocols, agreements — as well as provide a detailed process list for determining what to automate.
Adopt Emerging Technologies
In addition to automation, the SEI report also highlights the benefits of adopting artificial intelligence (AI) in cyber intelligence processes, noting that many organizations are using AI and machine learning to assist human analysts, speed up and improve the collection and analysis of data, and generate customized reports for different audiences.
It further states: “Artificial intelligence using machine learning has the potential to relieve human analysts of the burden of manual tasks and free them to think critically.”
Focus on Strategic Value to the Business
As more organizations develop their intelligence practices to include cyberthreats as part of everyday decision-making, it is important to keep in mind that the value of these activities currently ranges from too technical and too tactical to be useful, all the way to strategic briefings that guide every choice. But the stakes are too high to give up, so focus on value — strategic value to the business — get frequent feedback from top leaders, and determine which technologies — such as automation and AI — you need to become a high-performing organization.