14 Nov Threat intelligence

The ISF’s Dan Norman looks at how organisations can establish a stream of trustworthy data for effective threat insights.

In turbulent times organisations pine for predictability and stability. Especially today, where organisations are still navigating the covid 19 pandemic, the war in Ukraine and fear of being the next high-profile data breach. Most effective business strategies are underpinned by effective risk management and intelligent insights from multiple sources, enabling business leaders to make pragmatic, informed decisions. However, cyber risk management is arguably one of harder areas of enterprise risk management to manage, as effectively profiling the threat landscape, the likelihood of potential incidents and the impact that incident can have, is incredibly challenging to quantify and even harder to predict what the future will look like… This has led to many organisations seeking ‘Threat Intelligence’ to stay ahead of threats and understand the likelihood of attack so they can proactively manage their exposure. However, the term itself is problematic and is overused by vendors worldwide… so how can organisations cut through the noise and identify the best solutions?

Despite its growing prominence in the security strategies of many organisations, threat intelligence remains a loosely defined subject. The application of threat intelligence is unique to each organisation that invests in the capability as it is not a one-size-fits-all implementation. Different organisational requirements, context of industry and geography, and organisational size are all factors that influence how threat intelligence is developed. In addition, there is a long journey to realise the full value of threat intelligence, meaning it covers a wide range of maturity levels.

To provide clarity, the ISF uses the below definition:

“Threat intelligence is contextualised information about adversarial threats’ past, present and predicted attacks against the organisation, produced through analysis of available data and information, to inform decisions and actions.”

Threat intelligence is not a technical solution that can be acquired by an organisation; it is a hybrid of people, process and technology – data and information gathered from multiple source must be analysed intelligently to give it context and relevance. The distinction in the difference between data, information and intelligence is key:

Data: Discrete facts and statistics gathered as the basis for further analysis.

Information: Comprised of multiple data points that are combined to answer specific questions.

Intelligence: The output of an analysis of data and information that uncovers patterns and provides vital context to inform decision-making.

External platforms and feeds or open-source databases that provide glamorous dashboards and graphs produce data and information – not intelligence.

The distinction between data and information, and intelligence, is that the former can become the latter if it adheres to the core principles of threat intelligence. If it is unable to do so, then it is not threat intelligence. Security practitioners and risk managers must understand what it can, and cannot do, and be conscious of the way in which it can enrich decision making processes. In addition, we must be mindful that intelligence is one facet of a decision-making process, that its role is to provide context and highlight previously unknown factors, and cannot completely replace a robust risk management framework.

Ultimately, threat intelligence should be in place to manage adversarial threats. Having clear definitions of this is key, e.g. ‘an individual, group or state actor who is intent on causing harm to the organisation.’ This could be an extremist group, hacker, nation state, organised criminal group, and many more. Essentially these adversarial threats initiate a threat event, e.g. DDoS, malware, session hijack, etc. Organisations need to know who the actors are, how capable and motivated they are, and understand the tools and tactics they could use to cause harm. As intelligence about an organisations’ threat landscape becomes clearer, and key information about past, present and predicted attacks become enriched, key risks will illuminate.

However, it is important to differentiate between the three different types of threat intelligence: strategic, tactical and operational.

Strategic: defined as predictive, future-looking trend analysis of threats that might target the organisation, aimed at business leaders, c-suite and security strategists.

Tactical: defined as analysing the tactics, techniques and procedures, and vulnerabilities they exploit, aimed at IT and security managers, or security operations centre (SOC) analysts.

Operational: defined as providing evidence of imminent attacks, using alert systems like open source intelligence, human intelligence and signal intelligence, aimed at SOC analysts and incident response teams.

Organisations cannot fall into the trap of investing in so much technology and alert systems that they overwhelm the people defending the company. False alarms, red herrings, false positives, and other errors can become apparent, so having a steady stream of meaningful data, relevant to the organisation is vital.

Threat intelligence must be used to:

• Support the reduction of risk: Through continuous assessment of the threat landscape (e.g. via threat profiling) in which the organisation operates.
• Increase security operations efficiency: By bringing to attention key threats as a matter of urgency and streamlining the SOCs efforts accordingly.
• Educate the board on strategic outlook: By providing an overarching strategic assessment of the threats posed to the organisation, raising awareness of the importance of prioritised investment in the right controls to mitigate information risks.
• Identify previously unknown threat events: By passing relevant information to intelligence teams about previously unknown threat events that have affected the organisation to security and leadership teams, to inform better decision-making.