THE ROLE OF CYBER THREAT INTELLIGENCE IN SECURITY OPERATIONS
November 14, 2016 | by Jeff Berg
FireEye, Inc.
Cyber threat intelligence (CTI) and its place within security operations – as well as the broader business – is growing. A recent SANS study found that 93 percent of respondents are at least partially aware of the benefits of cyber threat intelligence. However, only 41 percent have begun to integrate CTI into their security programs and only 27 percent have full integration. While these numbers highlight a trend toward adoption of intelligence-led security programs as a widely accepted best practice, for many companies there is still a long way to go.
Good CTI enables organizations to anticipate, respond to and remediate threats. There is plenty of content available on what makes for good intelligence; however, organizations cannot rely solely on the content they receive to drive value across operations. There also needs to be a focus on positioning teams for success. Rich, contextual intelligence requires some preparation and a base level of capability in order to maximize the value received. Ultimately, it is not a plug-and-play product.
Organizations should be able to answer three questions to begin establishing the foundation of a cyber threat intelligence capability:
1. What is the organizational mission?
A clear mission statement defines the role the cyber threat intelligence team plays, aids in clearly communicating the team's purpose, provides justification for supporting and resourcing the team appropriately, and sets expectations for what the team will deliver.
2. Who is the cyber threat intelligence going to serve?
The key stakeholders should be identified, along with their specific role within the business, their business concerns and their cyber threat concerns. This understanding drives which data and observations are collected, how analysis is prioritized, and what intelligence communications are delivered to each stakeholder. From a content perspective, understanding how the information will be presented to the stakeholder is just as important. A CISO will certainly be interested in different content than a SOC analyst, though the work of the latter has an impact on the content delivered to the former.
3. What is the organization's threat profile?
It is critical to have a baseline understanding of the adversaries that may target the organization, their capabilities and their supporting operations. Understanding motives and intent helps to clarify risk and assists in a number of key conversations, such as anticipating threat activity and strategically planning to protect against, identify and respond to relevant activity.
Answers to these questions will contribute to forming additional basic components of the program, including the definition of intelligence requirements, threat-led communications and the establishment of intelligence sources. The ability to enhance security operations and deliver value across the organization is predicated upon this basis of understanding. Without these core components, an intelligence program will not function properly regardless of the expertise, process sophistication and advanced technology put in place.
A Lifecycle
After establishing a solid foundation, organizations must focus on program maintenance and upkeep – ensuring that the program put in place is continuously assessed, enhanced and, where necessary, refreshed. Intelligence programs are not "set it and forget it" operations. Consider two factors:
1. Your threat landscape changes…
The threat environment that your organization is exposed to is subject to shifting motivations, intents, capabilities and operations. All of this can impact your risk profile as an organization, which in turn can impact tactical, operational and strategic concerns. Depending on how dramatic the shift is, it could even impact the mission of your intelligence function.
2. Your organization changes…
Your organization is in a state of flux as well, with turnover in people and technology. Skillsets and technology can become obsolete. Knowledge of the threat, and the ability of processes to stand up efficiently during crisis situations, can grow stale.
As a result, we've identified a high-level cycle that organizations can follow to help maintain and advance their cyber threat intelligence capability.
- Assess
Periodically updating your threat profile, as well as assessing your intelligence capabilities, will keep you informed of the changes impacting your program and to what degree. For example, a shift in a threat actor's targeting methodology and tools may result in prioritizing responses to an older malware family if it is being used in campaigns affecting your sector, or your organization specifically.
- Expose and Train
Exposing organizational resources to relevant attacker tactics, techniques and procedures will help them stay knowledgeable of the threats that relate to their specific roles. More advanced exercises can test processes and cross-team coordination – especially the ability of threat intelligence personnel to effectively serve an investigations or response team – which in turn helps to identify gaps.
- Integrate
The results of the two aforementioned activities should be considered when evaluating the current strategic roadmap for the overall intelligence program, making modifications where necessary. This roadmap guides tactical efforts to build and update components within the program, including process, technology and related resources.
This cycle can be applied in an order and at a frequency that makes sense for your organization and its current state.