Good intelligence is key to defending government agencies against cyber security threats. It’s only natural that agency leaders are interested in establishing cyber threat intelligence programs. However, an effective program depends on knowing what it means to have ‘good intelligence’ in the first place.
One approach is to distinguish between data and intelligence. Agencies, particularly nowadays, have access to tremendous amounts of data. They also have access to cyber threat indicators through the Department of Homeland Security’s Automated Indicator Sharing capability (DHS-AIS) and other sources.
But not all of that data is meaningful. The data requires analyses that generate insights. In turn, those insights become intelligence. Good intelligence is characterized by insights that are useful, timely and accurate.
Effective cyber threat intelligence programs generate useful, timely and accurate insights to help leadership manage the agency’s overall risk. Here are four essential steps to building a program that allows that to happen:
What’s at Stake?
An effective cyber threat intelligence program can only take shape after agencies identify what’s at stake. First, understand what’s being protected. What would a threat actor want to steal or destroy? For some agencies, it’s credit card data. For others, it’s personnel files, medical records or intellectual property. And for others it’s a combination of data assets.
Having a grasp on what data is most valuable, along with the consequences if that data is breached or destroyed, enables agencies and their leaders to appropriately define their risks.
Identify Threat Actors
Identifying the data at risk simplifies the problem of categorizing potential threat actors and their means of attack. In other words, knowing what data someone might want to come after leads to insights about who might come after that data.
Different threat actors with different aims deploy different tools and different tactics, techniques and procedures (TTPs) to breach organizations and compromise information. Once agencies have outlined what’s at stake and the consequences of a breach, cyber threat intelligence becomes useful.
Align Intelligence & Risk Management
Cyber threat intelligence is more effective for agencies when it’s focused on the most likely threat actors and their likely means of attack. Agencies can’t protect everything from everyone. From a leadership perspective, the goal is strategic risk management instead. Ideally, cyber threat intelligence enables agencies to combat more threats, and the potentially most devastating threats, with the same resources.
Cyber threat intelligence programs support this goal best when they’re focused on protecting data that needs protecting the most, and protecting it in ways that anticipate the tools and techniques threat actors will use to attack.
An agency overwhelmed with activity might use intelligence to prioritize threats with the greatest potential impacts to its operations. While a commodity criminal operation could cause a security organization a lot of grief, it may be a distraction when compared to a more virulent nation-state threat. For example, one financial organization we know is taking proactive steps to prepare for an Iranian threat, given recent geopolitical developments. The decision to focus resources on this threat is based on the historic risk posed by Iranian threat actors, and the steps that are being taken are guided by specific tactical and operational intelligence on the actors’ TTPs.
Drill Into Operations
Strategic risk management, when it’s informed by cyber threat intelligence, extends from the executive offices down to the operational level. In fact, the function of good cyber threat intelligence, and the reason it is necessary, is to facilitate conversations that span from the tactical to the strategic.
Knowing which threats are critical at the operational level allows agencies to make decisions about how to deploy cyber operations, tools and people to align against those threats.
When things are working properly and the cyber threat intelligence is deep and current, agencies can plug their indicators and TTPs into their sensors and review the parts of their systems where threat actors are going to operate.
Ultimately, good cyber threat intelligence flows to the very front line, so security personnel have the data and direction they need to neutralize threat actors who are most concerning to the agency. The best path to achieving this potential is to define organizational goals around cyber threat intelligence.
Specifically, agencies should start by listing the stakeholders in the organization who are relevant to cyber threat intelligence. In most agencies, that list runs from the Secretary or board of directors down to the SOC, CERT and incident response teams.
After stakeholders have been identified, the next step is to gather their requirements: what they want to achieve and what they want out of a cyber threat intelligence program. That information should be analyzed against the threat, at which point agencies can review their current sources of raw intelligence and identify gaps.
At this point, they can also determine which of those sources are machine readable, which are easy to integrate and automate, and where humans will still need to act.
This type of systematic review, not just of tools but of human resources, can lead to a lower risk profile and greater efficiency as your entire team focuses on the most valuable aspects of the cyber defense mission.
Tom Topping was recently interviewed by Federal News Radio as part of Carahsoft’s “Innovation in Government” series. Listen to the audio and learn more about cyber threat intelligence. For more information about cyber risk assessment and incident response tools that can help manage cyber security operations, visit www.fireeye.com.