Cyber security threats are evolving at a rapid rate, which makes it challenging for organizations to keep current with their internal and external threat landscape. In a race to keep pace, organizations often skip building foundational elements in favor of buying applications to enhance their protection measures.
This approach does more harm than good.
Before considering an intelligence-driven proactive defense approach, you must have a clear inventory of what you are protecting and an informed picture of who is targeting your crown jewels. Software alone cannot provide the data needed for this exercise. The primary way to build such situational awareness is to invest in the development of a cyber threat intelligence program.
What is Cyber Threat Intelligence?
Cyber Threat Intelligence (CTI) is evidence-based knowledge about emerging or existing threat actors and threats, built from raw data gathered from various sources. This knowledge includes context, mechanisms, indicators, implications, and actionable data about an existing or emerging threat, or about vulnerable assets that could be used to compromise an organization’s infrastructure. The objective of collecting CTI data is to keep your organization informed of the risks posed by advanced persistent threats, zero-day vulnerabilities, and exploits, and to provide the insights needed to strategize how to protect against them. Gathering this intelligence requires the right technology, people, and processes.
Intelligence gained can be used to address four critical questions:
- Who are the adversaries that are attacking us?
- Why are the adversaries targeting our organization and what is their objective?
- How are the adversaries attacking (think technical, tactical, and procedural)?
- How can our organization stop the attack?
Leveraging CTI to identify threat actors and their methods provides you with a clear picture of your threat landscape. Intelligence gained can be used to readily identify delivery mechanisms, indicators of compromise across your infrastructure, potential threat actors, and specific motivators. Creating threat profiles will help immensely when it comes to shaping policies and prioritizing mitigations.
How Do You Gather Cyber Threat Intelligence?
The objective of CTI is to augment traditional cybersecurity measures with context and analysis pertaining to organization-specific cyber threats. CTI needs to be actionable so timely responses can be executed. Detection and attribution details enable organizations to deploy better methods of protection and response, while insights about emerging threats inform infrastructure improvement plans.
Your program needs to address the following five components:
- Threat Landscape Scoping – Define priority intelligence requirements (PIR) and threat categories, and integrate a framework for industry-specific threats.
- Intelligence Sourcing & Prioritization – Identify and prioritize intelligence sources, establish intelligence intake and processing approach, and establish operational processes.
- Data Analysis & Synthesis – Include intelligence analysis and value extraction, integration into the security technology stack, proactive network hunting, and a proactive mitigation model.
- Reporting, Communication, & Dissemination – Establish an enterprise-wide communication campaign, intelligence reporting for awareness and response, and intelligence dissemination according to the organization’s functional needs.
- Refinement & Enrichment – Establish a continuous improvement program with a focus on enriching operational capabilities, improving business value, and justifying the value of the CTI organization.
There are two paths to build this program: 1) invest internally to assign a dedicated team to evaluate threat feeds and build an understanding of the threats capable of impacting the enterprise, or 2) partner with a vendor that provides CTI as a service. The second option is more attractive for organizations combating resource constraints.
Before investing in a CTI program, develop a list of internal priority intelligence requirements (PIR). This activity will guide your organization to answer important questions and provide the details needed to identify and prioritize critical initiatives.
PIRs are the structure that defines your organization’s crown jewels, and a foundational step in defining your cyber threat intelligence framework. Once the PIRs are refined and the adversaries relevant to your industry have been identified as the threat actors to focus on, offensive and defensive strategies can be implemented.
Any organization hoping to defend their corporate crown jewels must look beyond traditional perimeter security defenses. Specialized internal defenses with real-time threat assessment capabilities must be built to effectively detect, assess, and mitigate threats as they develop. Cyber threat intelligence is the key to moving from a reactive cyber defense strategy to a proactive approach.