27 Feb
4 vital characteristics of effective threat intelligence in OT/ICS environments
Omar Al Barghouthi, Regional Director, Middle East, Dragos, looks at CART principles for improving the effectiveness of threat intelligence.
GCC governments have all embarked on national programs to diversify their economies, and heavy industry is intended to play a major role in those stories. But those responsible for the machinery of these enterprises are anxious, following global headlines about cyberattacks on critical infrastructure.
There are many challenges in delivering robust OT/ICS security, such as the rarity of comprehensive skillsets and the proprietary nature of the assets to be protected. Gaining access to Complete, Accurate, Relevant, Timely (CART) threat intelligence can provide valuable focus for security investments, reduce adversary dwell times, and speed up post-incident recovery. By contrast, non-CART intelligence can increase risk, waste staff time on false positives and lead to poor security decisions.
While threat intelligence for IT environments is becoming more mature, ICS/OT stakeholders do not have the luxury of porting it over to their environments, as IT and OT face very different threat landscapes. OT defenders also must address the realities of different risk frameworks, and the potentially more serious consequences of cyber incidents in their domain.
To ensure OT threat intelligence meets the required standards, we need to look at the providers of the data and assess them periodically against a set of formal criteria. CART itself is useful for this purpose.
Complete: does the threat intelligence correlate across the entire threat spectrum and incorporate sufficient domain context? Data that is complete allows security analysts to quickly establish the who, what, when, and where of a scenario and plainly see patterns that span the broader threat landscape, as opposed to isolated exploitations that strike a single victim.
Accurate: providers should answer questions about whether and how they verify their intelligence. Which corroborating sources do they use, and is their intelligence updated when new, relevant information becomes available? Where conclusions are drawn, how certain are the results? Are alternative hypotheses made available to the customer?
In cybersecurity, perfectly accurate knowledge tends to be well known and may not be as timely, therefore providing little additional value to security analysts. On the other hand, intelligence that indulges in too much speculation is of little use and can do more harm than good. A balance must be struck to ensure the highest quality of information.
Relevant: intelligence focused on IT threats lacks relevance in an OT environment. Information on a strain of malware that targets the infrastructure of one industry may not apply to another industry. Providers of threat intelligence must be transparent about their methodologies and about whether they can identify threats that affect a particular customer’s organisation. It is an advantage if the threat-intelligence provider has experience with the customer’s industry, and it is important for them to demonstrate a clear reporting structure in which the customer can submit requirements and provide feedback to support more relevant intelligence. Relevant intelligence should be easy to find and clear enough to enable effective action.
Timely: rapid delivery of intelligence is often vital to establishing its value. It is important to know the lag time between the discovery of a threat and customer notification, and whether disclosures might sometimes be delayed to allow the gathering of further data. Timeliness is a critical element in the management of intelligence.
But this does not mean that intelligence received after an incident has occurred is worthless. In fact, timely post-event intelligence is important to ongoing incident response and risk management.
Organisations operating in the OT/ICS space should always be looking to improve the efficacy of their threat intelligence based on CART principles.
As with all such engagements, the value of the partnership with a threat-intelligence provider can only be seen through perpetual evaluation. If they helped create a safer environment, then they should remain in place. If not, it might be time to find another source of intel.