Threat intelligence is quickly becoming a core element of risk management for many enterprises. To truly understand risk, though, the enterprise must grasp and have the capability to handle emerging information security threats to its environment. Other areas of risk — financial risk, operational risk, geopolitical risk, risk of natural disasters — have been part of organizations’ risk management plans since time immemorial; it’s only these last few years that information security has bubbled to the top, and now companies are starting to put weight behind security threat intelligence programs.

Putting a team in place to manage threat intelligence, however, isn’t as easy as other, more established areas of information security. First, it’s newer, and second, organizations might not yet have the right skills and tools in-house. With that in mind, we’ve identified four simple rules that will help organizations build and maintain a successful threat intelligence team. (The rules are simple, but we do realize that implementation is not!)
Tailor Your Talent

It goes without saying that any team — threat intelligence or otherwise — is run by people, so hiring the right people with the right skills is critical. In some cases organizations can groom threat intelligence staff from within, from security operations center (SOC) teams to incident responders. Central skills like log management, networking expertise, and technical research (scouring through blogs, pastes, code, and forums) often come after years of professional information security experience.

Certain parts of threat analysis, however, necessitate distinct and practiced skill sets. Intelligence analysis, correlating and making predictions about threats based on (sometimes seemingly disparate) data, requires highly developed research and analytical skills and pattern recognition.

When building or adding to your threat intelligence team, especially concerning external hires, personalities matter. Existing teams might feel threatened by new staff who appear to be “taking over” roles and responsibilities. Disgruntled employees are not productive employees. Thus, when forming or adding to the threat intelligence team, pay close attention to the “soft skills” of candidates.

Make sure that teammates can not only all “play nicely in the sandbox,” but that you, as a manager, are communicating frequently, clearly, and honestly about expectations. The interaction and workflow between teams should be pre-planned, and data sharing should facilitate easy integration for the teams responsible for making security verdicts.
Architect Your Infrastructure

Threat intelligence vendors provide strategic intelligence, but organizations should consider building in-house proprietary capabilities that deliver consistent, relevant, and actionable threat data.

Proprietary threat intelligence platforms (TIPs) have the advantage of being tailored to the organization’s specific needs, and often come with a smaller price tag than commercial, off-the-shelf solutions. These custom-engineered solutions should integrate with external vendor systems to automatically collect, store, process, and correlate external data with internal telemetry such as security logs, DNS logs, web proxy logs, NetFlow, and IDS/IPS.
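As an added example (not code from the original post), here is the smallest useful version of the correlation step described above: a vendor indicator feed is normalised and matched against internal DNS resolver and web-proxy log lines, with parent-domain matching and a confidence threshold so low-confidence indicators do not page an analyst. The feed columns, the key=value log layout, and all sample values are constructed assumptions.

```python
import csv
import io

# Constructed sample feed from a hypothetical vendor: indicator,type,confidence,source
FEED_CSV = """indicator,type,confidence,source
evil-cdn.example,domain,90,vendorA
203.0.113.45,ipv4,70,vendorB
"""
# Constructed internal telemetry (assumed key=value layout): DNS resolver and web-proxy logs
DNS_LOG = """2024-05-01T10:00:01Z host=ws-17 query=cdn.evil-cdn.example. rcode=NOERROR
2024-05-01T10:00:05Z host=ws-22 query=intranet.corp.local. rcode=NOERROR
"""
PROXY_LOG = """2024-05-01T10:00:09Z src=10.1.4.7 dst=203.0.113.45 url=http://203.0.113.45/p.php action=ALLOW
2024-05-01T10:00:11Z src=10.1.4.9 dst=198.51.100.3 url=https://intranet.corp.local/ action=ALLOW
"""

def load_feed(text):
    """Index the feed by normalised indicator: lower-case, trailing dot removed."""
    return {row["indicator"].lower().rstrip("."): row for row in csv.DictReader(io.StringIO(text))}

def parse_kv(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields

def domain_candidates(name):
    """Yield the queried name and each parent domain (never the bare TLD), so a feed
    entry for evil-cdn.example also matches cdn.evil-cdn.example."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def correlate(feed, dns_log, proxy_log, min_confidence=50):
    """Return one hit per telemetry line that touches a feed indicator at or above min_confidence."""
    hits = []
    for line in dns_log.splitlines():
        rec = parse_kv(line)
        for cand in domain_candidates(rec["query"]):
            ind = feed.get(cand)
            if ind and int(ind["confidence"]) >= min_confidence:
                hits.append({"ts": rec["ts"], "host": rec["host"], "indicator": cand, "source": ind["source"], "telemetry": "dns"})
                break  # report the most specific matching domain only once
    for line in proxy_log.splitlines():
        rec = parse_kv(line)
        ind = feed.get(rec["dst"])
        if ind and int(ind["confidence"]) >= min_confidence:
            hits.append({"ts": rec["ts"], "host": rec["src"], "indicator": rec["dst"], "source": ind["source"], "telemetry": "proxy"})
    return hits
```

In a real TIP the feed loader and log parsers would be per-vendor and per-sensor adapters feeding one normalised store; the matching logic stays the same.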
Of course, building powerful proprietary capabilities requires an experienced data architect. This individual is responsible for designing fast and nimble data structures with which external tools integrate seamlessly and bi-directionally. The data architect should understand not only the technical needs of the organization, but he or she should be involved in a continuous two-way feedback loop with the SOC, vulnerability management, incident response, project management, customer-facing fraud (where applicable), and red teams. This collaborative process facilitates control changes and allows the architect to deliver threat data in a format and on a timeline appropriate for each group.

Notably, threat analysts should never spend time manually processing operational data, and the architect fills that important role of providing the data upon which the analyst draws conclusions that ultimately decrease strategic business risk.
Enable Business Profitability

The goal of every threat intelligence program should be to find emerging threats before they impact the business. Reducing the number of direct threats drives down risk, which in turn increases profitability. Threat intelligence teams must therefore know what the business identifies as levers of profitability in order to prioritize the identification and dissection of threat events and sources.

At the center of profitability are the business’s strategic assets (customers, employees, infrastructure, applications, vendors). Protecting strategic assets is priority number one, and defensive controls need to be managed as threats emerge.

To ensure protection for key assets, threat analysts must be able to examine the larger threat picture and identify such things as general industry threats, trends, attacker TTPs (tactics, techniques, and procedures), and commodity malware. While an attack on one industry organization, for instance, might not result in a direct threat to your own organization, knowing that several enterprises have been victims of a similar type of attack could indicate the need for hardened internal controls.

The ability to see the larger trends and drill down to direct threats against strategic assets means the threat intelligence team must understand what data it has available internally and what data it needs to source. Information gathering for no purpose other than vague future applicability is a waste of resources, so set your sights on the information directly tied to the business and its levers of profitability.
Communicate Continuously

Enabling business profitability requires an understanding of the business’s goals and roadmap. To effectively set the roadmap, the executive layer also needs insight into current and future threats. If, for example, the business wants to acquire a partner but the partner is currently being targeted by hacktivist groups for what they deem unfair business practices, the executive team should have that intelligence before determining a market valuation and extending an offer. During a vendor evaluation, as another example, it is important to know if industry-specific malware, like BlackEnergy or Zeus, is emerging. Aligning one’s business with a risky proposition is not a decision to be taken lightly.

Executives need to hear from the threat intelligence team how and why some of those threats translate to risk, and then learn if and how the risk of those threats can be mitigated. Organizational threats will always exist, and it’s up to the business to decide its risk tolerance. Threat teams can aid the process by keeping executives informed but not spreading FUD (fear, uncertainty, and doubt). Delivering the message should be approached in a thoughtful, practical manner; do not overwhelm executives with technical details they neither care about nor understand. Their eyes are on the bottom line, and threat intelligence should be provided that supports moving in an upward trajectory.
Conclusion

With these four pillars in mind, organizations can run an effective threat intelligence team that contributes to the success of the business. People and tools are important parts of the process, but equally important are cross-functional collaboration and communication.
Thanks for posting. It's true that a threat intelligence team has a lot to do with tailoring their TIP to the organization. However, I'm a bit leery about the advice to build your own platform rather than use external vendors. Often, organizations will not have the technical know-how to do such a thing, and when they do, it will most definitely not be of the quality from external vendors. These are just my thoughts on the matter. Very interesting article.
- Brett