What is Threat Intelligence
To answer this we need to break it down, understand what a threat is and then understand what intelligence is.
Threat – An expression of intent to do harm. In a cyber context simply something that exploits a vulnerability. A threat is not the vulnerability itself; it is whoever takes advantage of that vulnerability.
Intelligence – A Google search tells us Intelligence is ‘The ability to acquire and apply knowledge and skills’ and ‘The collection of information of military or political value’ The keyword here being value. If there is no value-added from the collection then it simply remains just information, it doesn’t get used, has no value to make any decisions from.
So in a nutshell then, ‘Threat Intelligence’ is Information about adversaries (Threat Actors) that is used to make a decision. Therefore, understanding what adversaries are thinking, feeling, and doing is how we would counter their attacks.
What is its purpose
In it’s most simple terms and in an ideal world we want to pre-empt and defend ourselves before attacks can happen, in the real world it is all about understanding your business, who your likely adversaries might be, how they would attack, exfiltrate data and cover their tracks and to defend against those.
Common Pitfalls – This will be the lengthy bit!
No clear strategic goal or roadmap
Trying to embed a Threat intelligence Framework without a clear roadmap and stakeholder support is an exceedingly difficult task, yet this still does happen. Unfortunately, this leads to many frustrations for everyone involved. Misunderstanding and miscommunication are common without a clear strategic goal.
Not having the basics in place
If you do not have a good solid foundation in place, proper patch management, vulnerability identification, Regular Penetration Testing, SIEM, SOC, Policies etc then implementing a Threat intelligence team or framework will be next to useless I’m afraid. It would be like trying to protect a sieve.
Probably the most common issues I have encountered is that there is so much information being collected it is impossible to extract the correct intelligence to make any decisions. More information is not better and will ultimately lead to worse intelligence and the wrong strategic decisions being made.
Not understanding the data
All data collected needs to be analysed in some way before it becomes useful. There are varying different methods of doing this
Again, one of the most common issues is the Threat Intelligence Reports being disseminated to senior management just repeating what is already in the news and known about. This is not intelligence, has no use and is very ineffective. No decisions of any kind can be made from this. An example of this would be a new attack surfacing against Medical Institutes stealing medical records but your business is Financial. Huge disconnect and not relevant. Useful information, but not intelligence for your niche. Park it!
A Threat intelligence report should always be split into Strategic, Tactical & Operational intelligence, written for the appropriate audience and disseminated to the correct teams who can then make the necessary decisions.
Getting the right experience
Always a difficult task to get the right people in situ. However, for something so critical does require a person who has effective experience in dealing with threat intelligence and embedding these functions within organisations. It doesn’t mean to say that internal staff cannot be trained to continue to run the program. If you get this wrong it is just a waste of everyone’s times and money in the end and ultimately offer little to no value.
It does not have to be an overly expensive outlay to embed something effective and deliver benefit, however, budgets need to be thought about. Like most security programmes, little tangible output is seen. It is better not to have anything than a poorly working function.
Not fully understanding the legalities of collecting Threat Intelligence
Fairly straight forward but often overlooked, make sure you are fully compliant with your country’s laws. Each country has it’s own specific acts.
What’s the best way to get started?
A solid strategy and scope will be needed from the outset
Some questions to ask yourself before you take the plunge
- What is the business driver for wanting such a function?
- What is the desired output from such a function?
- What is the long-term strategic goal?
- Do you have sufficient resource and headcount?
- Who in the businesses will consume the intelligence?
Some high-level technical questions
- Can you describe the types of threat actors that would target your company?
- How would you perceive them targeting your company?
- Why would they be targeting your company?
- Do you already have access to any data within your business?
- Do you already have devices that can add/consume Threat Intelligence?
- What type/sources of data would you collect?
- Do you understand your current environment?
- What are the key pieces of information your business would need to make a decision?
- What is the lowest cost solution that could achieve your goals?
- What kind of alerts will help determine if your company is under attack?
Some quick wins to get you started on the journey.
https://misp-project.org/index.html Open Source Threat Intelligence sharing platform. Easy to setup and configure
import as you go
https://github.com/csirtgadgets/ Slightly more advanced but offers you a proven robust method of collecting and analysing numerous data sources in a very fast and powerful data driven way. Can also be the answer to your storage issues -;
Very powerful and fast, supporting different formats
Get the data you need quickly, confidence scores, probability and much more.
How can I measure its success?
A Threat Intelligence function will require constant improvement, some things will work, others won’t, but at some point, there will need to be valid output. Metrics are vital to measuring success. Some simple metrics could be:
- Number of incidents prevented
- Number of attacks stopped
- Number of criminals detected
- Number of indicators seen within/added to the network
- Number of improvement initiatives made
- X number of employees trained
Always ask for feedback to understand if your services have had value, engage often and effectively with all involved stakeholders and teams