Ask someone what “cyber threat intelligence” is and they will probably point you in the direction of a shiny piece of software that costs a lot of money. Ask them what it does, and they’ll likely tell you that it searches the dark web, provides real-time threat information, and helps prevent incidents before they happen. It all sounds really impressive – and in many ways it is – but ask that same person what they are trying to achieve with their threat intelligence programme, or even how they measure its success, and the crickets will start to chirp.
This would not be their fault. The landscape of cyber threat intelligence is confused right now, and it is exceedingly difficult to cut through the noise and work out how to add value to your cyber security initiatives. Part of the reason for this is that the industry seems to have prioritised selling flashy subscriptions over helping organisations identify and understand their intelligence objectives.
Lessons from World War II
It’s often useful to remember that when we think about modern cyber security, we really only have the last twenty years to look back on. And life functioned quite well long before computers were even an abstract concept. Because of this, more or less everything we do in cyber security has been borrowed from techniques and practices society has been developing for millennia.
When it comes specifically to discussions of cyber threat intelligence, consider the rapid developments achieved in signals intelligence during World War II. This was an environment of major technological change, facilitated in large part by the use of radio, which accomplished far more than simply serving as a tool for communication. It led to the development of Radio Detection And Ranging (RADAR) and was even used as a navigational aid. Its use revolutionised warfare, and this can be observed most powerfully through the intelligence and counter-intelligence operations that spanned the war effort, all revolving around the use of radio.
For instance, using two directional antennas you can quite trivially locate the source of a broadcast, so even if you couldn’t understand what someone was saying over the broadcast (due to their use of codes or ciphers), you could still identify where they were saying it from. That is incredibly useful if part of what you want to know is where armies are and how they’re moving around a territory.
One of the major differences, however, between the signals intelligence of WWII and the cyber threat intelligence of today is territory. When you’re interacting with tangible physical threats it’s generally easier to understand whether an identified entity poses a risk or not. If they are shooting at you or crossing territorial lines, then they likely don’t have your best interests at heart. The rules of engagement are clear and well understood.
On the surface of it, we don’t have this luxury in the cyber world. It is borderless and abstract. However, just as we are able to analyse a seemingly random collection of radio waves and identify a threat based upon their source and location, we also routinely use technical information to attribute cyber threat actors to a country using IP addresses, the timing of their activities, and even the tactics, techniques, and procedures unique to a particular country or known group. They may not align strictly to modern geopolitical boundaries and territories, but the theory is identical and it relies on an understanding of territory: you need to understand what you’re protecting and where the attacks might be coming from before you can reap the value of any threat intelligence.
Drop the buzzwords
So, how can this idea help us in the here and now? Here is the trick: forget about the fancy technology for a moment, drop the buzzwords – don’t worry about the dark web or artificial intelligence or blockchain – let’s start by calling “cyber threat intelligence” what it really is: intelligence.
As a general subject area, often the objective of intelligence is to help answer the following questions:
- How do I know if someone is doing something I do not like?
- What is the most effective action I can take to minimise the impact of someone doing something I do not like?
- What happened, why, and how?
Now, perhaps unlike traditional intelligence areas, companies in the cyber world are swamped with data from telemetry systems, user behaviours, technical analyses, vulnerability databases, and technical news bulletins. They have too much information, and, seeking to capitalise on this data asset, cyber teams are typically asked to “derive intelligence” from this bulk of raw information.
It’s a big job, and there’s a significant risk that you may not realise a return on the investment spent doing it. We’ve witnessed first-hand companies undertaking bold initiatives to collect and analyse vast datasets, only to be encumbered by the volume of manual work required to shape it into something usable.
So, rather than trying to pre-emptively mine your data for nuggets of truth you suspect exist, try prospecting the territory first and work out beforehand what decisions you would like to be data-driven within your organisation.
Integrating threat intelligence into the decision-making process
Day to day, any manager or executive will be faced with a multitude of decisions. These decisions can typically be divided into the following categories:
1. Operational decisions
These are made daily to ensure that things work as expected and any faults are quickly identified and remediated. An example might be to block an application that is demonstrating suspicious behaviour similar to a known malware type.
2. Tactical decisions
These are made less frequently and often have a medium impact, such as a decision to protect your external perimeter by prohibiting the use of Remote Desktop Protocol (RDP) over the internet (a common cause of breaches).
3. Strategic decisions
These are made rarely and have long-term impacts, such as a decision to migrate all business services onto Cloud infrastructure.
Each of these decisions has deep relevance to cyber security, and must be informed by asking and answering questions. The table below details some examples of the questions we should be asking before making a decision. How we answer these questions is the process of generating intelligence.
Example decisions from the table, one per category:
- Block a potentially malicious application (operational)
- Prohibit the organisation’s use of RDP (tactical)
- Migrate business services into the Cloud (strategic)
Answering each of these questions requires access to sources of information. At the operational level, these sources usually include systems such as:
- Event and audit data from your devices
- Network metadata
- Alerts from security products, such as your anti-malware systems
- Telemetry data from your external perimeter
- Open source information
- Internal work products and expertise
The first challenge of any organisation is always to collect and capture meaningful information from these sources – think asset management (you cannot capture what you don’t know about!) and central log databases. Then, they must structure their queries of that data in ways that align to the questions they will naturally ask when making operational decisions. This can be done to great effect by simply workshopping the decisions you may be required to make and filling in the questions and sources for each, as with the table above.
However, as we move further towards tactical and strategic decisions, our focus shifts towards assessing trends across various data sources, and then supplementing this with industry-specific knowledge – such as changes or developments in the regulatory, legal, and commercial environments. Filling this knowledge gap requires talking to people and understanding where your intelligence sits against your industry peers and competitors.
This is one of the toughest challenges with intelligence, and it is often the bit that many organisations fail to get right – not least because everyone is scared of sharing information that may be sensitive, be used for malicious effect, or somehow fall foul of legal or regulatory constraints. These issues are best navigated in the same way as operational issues – map out what decisions you would like to make, figure out what information you need to reach those decisions, and then detail a plan for how you will identify and collect the information you require.
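The workshop described above (decisions, the questions behind them, the sources that answer them) can be kept as a living structure and checked for collection gaps, which also surfaces the tactical and strategic gaps that need human relationships rather than logs. This is an added example and not from the article; the questions, source names and inventory are constructed for illustration.

```python
"""Decision-driven intelligence requirements with a collection gap check.
Added example; questions and source inventory are constructed."""
from dataclasses import dataclass, field


@dataclass
class Question:
    text: str
    sources: set          # any one of these sources can answer the question


@dataclass
class Decision:
    name: str
    level: str            # operational / tactical / strategic
    questions: list = field(default_factory=list)


# The three decisions from the article; questions are constructed examples.
DECISIONS = [
    Decision("Block a potentially malicious application", "operational", [
        Question("Which hosts have run this binary?", {"endpoint events", "asset inventory"}),
        Question("Does its behaviour match a known malware family?", {"anti-malware alerts", "open source"}),
    ]),
    Decision("Prohibit the organisation's use of RDP", "tactical", [
        Question("Which hosts expose RDP to the internet?", {"perimeter telemetry", "asset inventory"}),
        Question("Who relies on RDP for legitimate work?", {"network metadata", "internal expertise"}),
    ]),
    Decision("Migrate business services into the Cloud", "strategic", [
        Question("Which regulatory constraints apply to our data?", {"internal expertise", "legal counsel"}),
        Question("How did peers' incident trends change after migrating?", {"peer sharing"}),
    ]),
]


def gap_analysis(decisions, inventory):
    """Map each decision to the questions no available source can answer."""
    gaps = {}
    for d in decisions:
        missing = [q.text for q in d.questions if not (q.sources & inventory)]
        if missing:
            gaps[d.name] = missing
    return gaps


def answerable_levels(decisions, inventory):
    """Decision levels whose decisions are all fully supported by the inventory."""
    gaps = gap_analysis(decisions, inventory)
    return sorted({d.level for d in decisions if d.name not in gaps})


if __name__ == "__main__":
    # Constructed inventory: central logging exists, but no peer or expert network yet.
    have = {"endpoint events", "asset inventory", "anti-malware alerts",
            "perimeter telemetry", "network metadata", "open source"}
    for name, unanswered in gap_analysis(DECISIONS, have).items():
        print(f"{name}: cannot yet answer {unanswered}")
```

With the constructed inventory only the strategic decision shows gaps, and both of its missing sources are people rather than systems, which is the point the text makes about tactical and strategic intelligence.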
Back to basics
Initiatives such as this are not something you can purchase as-a-service through an intelligence vendor. They require you to develop and maintain relationships and think carefully about the value of intelligence to your organisation. This is why, at the end of the day, we encourage the organisations we work with to get back to basics, think about what you want to accomplish, and remember… we are all very much still at war. The same intelligence principles remain, it’s just a different kind of battlefield.