Cyberthreat intelligence: It’s a growing business (and buzzword) that provides many market opportunities. Consuming threat intelligence data is valuable for organizations to improve their security posture and strengthen their protection, detection and response capabilities.
But there are some sharks in the water. Before you dive deeper into threat intelligence, be clear about the distinction between data and intelligence: Data is a value that results from a measurement or an observation, such as an IP address, a file hash or a log entry. Intelligence is what remains after that data has been collected, placed in context, analyzed and disseminated to an audience that can act on it.
If you talk to vendors who are trying to sell you threat intelligence information, make sure that they are referring to relevant cyberthreat intelligence — and not just a big pile of data.
The Different Types of Threat Intelligence
The use of intelligence isn't something new, and it isn't only about cyberthreat intelligence. Intelligence has been collected throughout human history, from several different sources and disciplines.
- Human intelligence (HUMINT): The most obvious type of intelligence, which is gathered from humans using interpersonal contact (directly or indirectly). It can also happen more covertly, via espionage or observation.
- Signals intelligence (SIGINT): Gathers information via the interception of signals. These can be communications between people (COMINT), non-communication electromagnetic emissions such as radar (electronic intelligence, ELINT) or the telemetry and other signals emitted by foreign equipment during testing and operation (foreign instrumentation signals intelligence, FISINT).
- Open-source intelligence (OSINT): Collects information from publicly available sources. This data includes news, social media and public reports. Open-source intelligence, however, is not related to open-source software. The concept of OSINT has existed for years. Yet, the growth of instant communications and the capabilities for large-scale data correlations and data transformations have made it more valuable, especially for the computer security community. OSINT includes social media intelligence (SOCMINT), which is the collection of intelligence based on social media channels, conversations and signals.
- Geospatial intelligence (GEOINT): Collects information from geospatial data, including GPS data and maps. This information can provide additional geographical context on threats. Do not underestimate the possibility of false flags, and be prudent about using GEOINT for geographical attribution.
- Financial intelligence (FININT): Gathers information about the financial capabilities or motivation of the attackers. In the context of law enforcement, FININT is often used to detect suspicious financial transactions.
- Technical intelligence (TECHINT): Gathers intelligence on the equipment and materiel of adversaries to assess their capabilities. TECHINT allows you to update your protection measures to counter the use of that equipment or materiel.
- Market intelligence (MARKINT): Collects intelligence to understand the market of a competitor or adversary.
- Cyber intelligence (CYBINT): The collection of data via several intelligence-collection disciplines. In most cases, CYBINT draws on SIGINT, OSINT and ELINT (itself a branch of SIGINT), and occasionally on SOCMINT, HUMINT, GEOINT and other disciplines.
Start With a Cyberthreat Intelligence Program
Cyberthreat intelligence feeds the detection, prevention and response processes within your computer security program. It is complementary to the incident response (IR) process and helps in reducing the organizational risk. It will support your security operations center (SOC) and provide the necessary input to fulfill requests for information (RFIs) from your management board, directors or other departments.
It also provides the essential context data to prioritize the most critical attacks and continuously update your protection measures. It’s the information that allows you to detect incidents earlier and investigate them to understand the scope — and, possibly, the intentions of the attackers.
Here are three questions to ask before starting your program:
- Is there room in the budget? This might sound like a no-brainer, but it’s easily forgotten. A cyberthreat intelligence program will almost always be a cost center. You can measure its performance, but (unless you’re in the business of selling the threat data) it’s not going to generate additional revenue. Don’t forget that besides the cost of the initial startup of the program, capital expenditure (CAPEX), you will need to budget for the operational expense (OPEX). Tooling, subscriptions and the like will not be the biggest chunk of the budget, however. The center of a strong program is personnel.
- Are the essential IT processes already developed? It doesn’t make sense to spend time on providing threat intelligence information to other IT departments if they are not able to act on the information. Having intelligence without a follow-up action is about as valuable as not having intelligence at all. Being able to increase protection measures quickly, evaluate vulnerabilities and apply the relevant patches — or search for signs of an intrusion — are just some of the processes that need to be already in place.
- Is there access to system, network or application data? A lot of the data that is needed to verify threat intelligence information already resides in your network. Data from firewalls, proxy servers, domain name system (DNS) logs, intrusion prevention and detection events, application logs, antivirus systems and other security controls give you valuable information about what’s going on inside your network. Focusing on the outside threat feeds and threat data — and then not being able to validate this with internal information — is not efficient and will probably cause frustration.
Every cyberthreat intelligence program should include both operational and strategic components. A robust operational component will give you the ability to identify incidents; contribute to the investigation of incidents; and tune the protection and detection controls. A strong strategic component will help you build relationships with other communities and organizations, including information sharing and analysis centers (ISACs); other threat-sharing communities; and vendors and providers of restricted information sources (i.e., sources that provide non-public information for your specific equipment or sector).
The strategic component will identify new trends, evolving threats, emerging technologies and new standards. It will also provide the information you need for adversary attribution, for identifying attack campaigns and for understanding attacker tooling, and it will offer architecture recommendations to your IT department.
Build Your Team
There’s a chicken-and-egg problem: You need a team to run the tools and gather the data. You need tools and data to support your team.
Good threat intelligence analysts can overcome this problem by starting with only a few sources, automating the process and then expanding the number of sources. Start with building the team, which will not happen overnight. In most cases, the team will grow organically. Some teams will not have full-time members — and they may only be able to spend part of their time on threat intelligence.
Find people with different backgrounds, preferably with demonstrated skills in security operations and analytic mindsets. Technical expertise relevant to your equipment and some hands-on experience is essential. Your team members will need to be able to talk to different audiences and write concise, understandable reports. Executive communication skills and excellent writing skills will be necessary.
Find Your Data Sources
Identify the data sources that define your threat landscape; document how these sources will be used; and assign roles and responsibilities within the team for collecting, assessing and distributing the information. Your organization’s internal information can be one of the most valuable threat data feeds to analyze (via threat hunting).
After all, the best source of intelligence is still your own data. Identify a limited set of sources for which you get regular, complete and valuable data and that are most useful for your organization. DNS logs, proxy logs and endpoint anti-malware event data, for example, can be a treasure trove of information.
Searching for anomalies without a starting point will be difficult. You need to be able to gather malicious domain names, file hashes and other indicators of compromise. You can receive this data by consuming the information that comes from threat intelligence sharing platforms or by actively participating in threat-sharing groups. You can then use the collected information to identify attacks targeting your network quickly. Additionally, this information will help with composing internal threat information reports.
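The matching step described above, as an added example that is not part of the original article: a small indicator set (domains, IP ranges and file hashes, as they might arrive from a sharing platform) is checked against DNS query, proxy and endpoint anti-malware log lines, and the hits are counted per indicator, which is the "number of indicators seen in your network" metric mentioned under Measure Your Success. All indicators, log lines, hostnames and hashes are constructed for the example; the log formats are loosely modelled on BIND query logs, Squid access logs and a generic AV event, and the field layout is an assumption. Domains are matched on label boundaries, so a subdomain of an indicator matches but the parent domain or a longer label (`notupdates.` versus `updates.`) does not.

```python
"""Match a threat-intelligence indicator set against local DNS, proxy and AV logs.

All indicators and log lines are constructed for this example and refer to
documentation address ranges and made-up names, not to real infrastructure.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical indicators as a sharing platform might deliver them: type, value, source.
INDICATORS = [
    {"type": "domain", "value": "Updates.Badcdn-Example.net.", "source": "isac-feed"},
    {"type": "ipv4", "value": "198.51.100.0/24", "source": "isac-feed"},   # a whole netblock
    {"type": "ipv4", "value": "203.0.113.7", "source": "vendor-feed"},
    {"type": "sha256", "value": "0123456789ABCDEF" * 4, "source": "vendor-feed"},  # made-up hash
]

# Constructed log lines: DNS query log, proxy access log, endpoint AV event.
LOG_LINES = [
    "dns client 10.0.0.15#53211: query: www.updates.badcdn-example.net IN A",
    "dns client 10.0.0.16#53212: query: badcdn-example.net IN A",            # parent domain: no match
    "dns client 10.0.0.17#53213: query: notupdates.badcdn-example.net IN A", # label boundary: no match
    "proxy 10.0.0.15 TCP_MISS/200 GET http://198.51.100.23/update.bin",
    "proxy 10.0.0.19 TCP_TUNNEL/200 CONNECT 203.0.113.7:443",
    "proxy 10.0.0.18 TCP_MISS/200 GET https://intranet.example.internal/",
    "av host=ws-015 action=quarantine sha256=" + "0123456789abcdef" * 4,
]


def _norm_domain(name: str) -> str:
    """Lower-case and drop the trailing dot so feed and log spellings compare equal."""
    return name.strip().rstrip(".").lower()


class IndicatorSet:
    """Indexed indicators: exact domains, IP networks and lower-cased SHA-256 hashes."""

    def __init__(self, raw: list[dict]):
        self.domains: dict[str, str] = {}
        self.networks: list[tuple[ipaddress.IPv4Network | ipaddress.IPv6Network, str, str]] = []
        self.hashes: dict[str, str] = {}
        for ioc in raw:
            kind, value, src = ioc["type"], ioc["value"], ioc["source"]
            if kind == "domain":
                self.domains[_norm_domain(value)] = src
            elif kind in ("ipv4", "ipv6"):
                # A bare address becomes a /32 or /128, so one code path serves hosts and ranges.
                self.networks.append((ipaddress.ip_network(value, strict=False), value, src))
            elif kind == "sha256":
                self.hashes[value.lower()] = src
            else:
                raise ValueError(f"unsupported indicator type: {kind}")

    def match_host(self, host: str) -> tuple[str, str] | None:
        """Return (indicator, source) for an IP or domain observed in a log, else None."""
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            # Walk the label suffixes: a.b.evil.example -> b.evil.example -> evil.example -> example
            labels = _norm_domain(host).split(".")
            for i in range(len(labels)):
                candidate = ".".join(labels[i:])
                if candidate in self.domains:
                    return candidate, self.domains[candidate]
            return None
        for net, value, src in self.networks:
            if addr in net:  # False when address and network families differ
                return value, src
        return None

    def match_hash(self, digest: str) -> tuple[str, str] | None:
        digest = digest.lower()
        return (digest, self.hashes[digest]) if digest in self.hashes else None


def extract_observables(line: str) -> list[tuple[str, str]]:
    """Pull ('host', value) and ('sha256', value) pairs out of the three constructed log formats."""
    found: list[tuple[str, str]] = []
    m = re.search(r"query: (\S+) IN ", line)
    if m:
        found.append(("host", m.group(1)))
    m = re.search(r"\b(?:GET|POST|CONNECT) (\S+)", line)
    if m:
        url = m.group(1)
        if "://" not in url:
            url = "//" + url  # CONNECT logs host:port without a scheme
        host = urlsplit(url).hostname
        if host:
            found.append(("host", host))
    m = re.search(r"sha256=([0-9a-fA-F]{64})", line)
    if m:
        found.append(("sha256", m.group(1)))
    return found


def scan(lines: list[str], iocs: IndicatorSet) -> list[dict]:
    """Return one hit record per (line, observable) that matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, value in extract_observables(line):
            match = iocs.match_host(value) if kind == "host" else iocs.match_hash(value)
            if match:
                hits.append({"line": n, "observed": value, "indicator": match[0], "source": match[1]})
    return hits


def indicator_counts(hits: list[dict]) -> Counter:
    """Easy-win metric: how often each indicator was seen in our own telemetry."""
    return Counter(h["indicator"] for h in hits)


if __name__ == "__main__":
    found_hits = scan(LOG_LINES, IndicatorSet(INDICATORS))
    for h in found_hits:
        print(f"line {h['line']}: {h['observed']} matched {h['indicator']} ({h['source']})")
    print(indicator_counts(found_hits))
```

The same scan runs unchanged over a real export once `extract_observables` is taught the field layout of your own DNS, proxy and endpoint logs; keeping the extraction separate from the matching is what lets the indicator set grow without touching the parsers.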
Measure Your Success
When you start your program, you have to define the stakeholders and goals. There should be a good understanding of reports: What is the frequency of the reports? Who receives them? Who should act on them? Who will provide feedback and input?
Measuring success is difficult without defining key performance indicators (KPIs). Make sure these are relevant to your organization and your team. How many intelligence reports has your team produced? What was the feedback from intelligence consumers? Make sure your intelligence reports include a feedback cycle so you can measure the satisfaction of your stakeholders.
Don’t be afraid also to include some easy-win metrics. You can list the number of indicators seen in your network or the number of attacks stopped because of an update of protection measures based on threat data. Of course, metrics can be dependent on the expectations of your stakeholders.
You can also measure the success of the program by looking at the maturity. The lowest level of maturity is a team without a plan and no time reserved to spend on threat intelligence. Increased maturity is having a small number of IT staff spending a limited amount of time per week on threat intelligence. Maturity can then further increase by having more staff spending more time on threat intelligence. A team with medium-level maturity will have dedicated staff members for threat intelligence, whereas a mature team has different dedicated staff members and a team leader for threat intelligence.
Five Helpful Tips for Your Cyberthreat Intelligence Program
- Understand your business or sector. Threat intelligence that isn’t relevant to your business, sector or environment is going to drain your resources without providing lots of valuable return.
- Define your focus and priorities at the beginning of the program. Covering everything is impossible. Don’t get buried by the information. There is always more information to gather — and you cannot simply consume it all.
- Remember that a threat intelligence program is an ongoing (and repeating) process. Be prepared to include feedback loops and ensure service improvements.
- Prepare to automate things. If you only rely on the manual processing and dissemination of information, then your cyberthreat intelligence program will not grow easily. Your ability to ingest data and act upon it in an automated fashion will greatly increase the success of the program.
- Put a basic data classification process in place. It lets you establish, together with the other departments concerned, whether a piece of information may be shared outside your organization. Marking every indicator and report with a sharing level such as the Traffic Light Protocol (TLP), which is explained in detail by the US Computer Emergency Readiness Team (US-CERT) and whose current definition is maintained by FIRST, ensures that sensitive information only reaches the appropriate audience.
Starting with a cyberthreat intelligence program isn’t hard if you make the time to plan. Make sure you hook up to an existing threat intelligence sharing community and learn from their experience when starting your own program.