Threat Intelligence (TI) has in recent years developed from the application of impromptu tasks in isolation across an organisation, to highly co-ordinated cyber-defensive programmes. These programmes are often driven by an array of dedicated expert teams, tools and processes that support entire enterprises and their cyber security strategies.
Notwithstanding this TI evolution, there is still no commonly-held industry-standard definition of TI; nor is there a standard methodology for the gathering and the analysis of insightful information about cyber threats and the likely execution of offensive actions. Some TI is focused on specific threat types, and how to calibrate technological defences to counteract them. Other applications of TI focus on finding out about the motivation and purposes of online adversaries.
TI is increasingly inclusive. The wider its sources of threat information, the more effective TI is likely to be. For example, supply chain partners should be connected into the data gathering loop. As highlighted in Cyber Security Europe’s Autumn 2019 feature ‘Threats That Think’, senior executives should also be integral the Threat Intelligence lifecycle. Even conversational catch-ups between executives at industry conferences can be valuable sources when it comes to piecing together knowledge of cyber adversarial events.
Within this context TI can provide additional value to c-suite: it provides a thought intersection that brings together technological considerations with known facts about the threats to be counteracted against. TI also helps to remove any delusion of randomness that has befuddled cyber defensive strategies beset by malicious actors without identity and with motivation missing. TI helps to explain who is behind attacks and why they attack.
TI helps senior executives to ‘cut through the noise and focus on the threats that are most likely to have a major impact on their enterprise,’ says a briefing from FireEye (‘Threat Intelligence Use Case Series’, 2019). TI reports also provide information on threat actors targeting specific industries, geographies, and enterprise sectors, as well as on their tactics, techniques and procedures (TTPs).
‘TI can help CISOs and senior IT officers improve communication with non-technical top executives,’ FireEye adds, ‘in terms of risks and threats to the business and the financial and political goals of threat actors.’
The 2020 SANS Cyber Threat Intelligence Survey (sponsored by EclecticIQ) defines TI as ‘analysed information about the capabilities, opportunities and intent of adversaries that meets a specific requirement determined by a stakeholder’. Organisations employing ongoing TI programmes focus on understanding the threats they face and the generation of specific factual analysis that informs threat defence – what steps must be taken in response to known threats.
TI is perforce a highly complex undertaking. It relies on a combination of people, processes, and tools to both generate, consume, and act on the intelligence. At a time when industry analysts expect process automation to take over from human intervention in many enterprise cyber security operations, TI retains a steadfast reliance on human brainpower. People generally conduct the analysis that will lead to finished intelligence; they also decide what tools and processes to use to support their efforts.
As the SANS survey points out, a single human analyst can be successful with the right tools and support from other security teams; however, SANS has seen an increase in the percentage of respondents choosing to have a dedicated team responsible for an entire TI program.
Data processing plays integral part in TI programmes. It includes repeatable tasks such as deduplication of data, data enrichment and data standardisation, along with other more intensive tasks that require more analysis of their own (e.g., reverse engineering malware). Most respondent organisations to the SANS survey say that processing is either a manual or semi-automated process. Deduplication is the most commonly automated process: only 27% of organisations report deduplication of data via manual means.
There is no single benchmark that assesses whether TI makes an effective contribution to cyber defence strategies. Neither are there regulatory compliances that organisations must adhere to. However, some surveys have made attempts to find out from practitioners the extent to which they think TI is worth the effort when it comes to measuring its effectiveness.
Eighty-two percent of survey respondent organisations confirm that they definitely find value in it, with 17% not being sure of how to answer the question, and fewer than 1% of respondents stated that TI ‘did not improve their security and response efforts’. However, only 4% of the SANS survey respondents had processes in place to measure TI effectiveness.
But at its most successful, TI’s value quotient extends to business owners further down the corporate hierarchy. ‘With cyber security at the top of the agenda in many boardrooms, organisations require access to bespoke strategic insights that will inform [enterprise] leaders of the most salient threats their organisation faces,’ reports EY’s briefing paper, How Do You Find the Criminals Before They Commit the Cybercrime? (2019). TI can empower stakeholders, the paper suggests, ‘with an informed perspective on how cyber threats are relevant to their areas of responsibility’.
Indeed, EY suggests that CTI will help to enable organisations to leverage next-generation security concepts, such as Modelling and Active Defence, working in concert with advanced countermeasure operations. The aim will be to develop repeatable processes that are effective for all organisations in transitioning from a reactive security posture to a proactive approach. Organisations will better appreciate the need to understand their own business environment at a much deeper level in order to achieve this.