How cyber threat information and intelligence (CTI) is produced, consumed and used varies from organisation to organisation, driven by factors such as risk appetite, maturity of capability and the resources available. In this blog post I will share some thoughts and considerations from my experience of implementing a CTI programme and how to operationalise it effectively.
One of the most commonly observed drivers for investing in CTI is to add detective and protective capability by feeding intelligence, through native or bespoke integrations, into the organisation’s security stack: SIEM, firewall infrastructure, endpoint protection and so on. Beyond this there is much more that can be implemented and developed to achieve a greater return on investment, with the ultimate goal of strengthening the organisation’s security posture.
An intelligence-led assessment can be simply defined as a penetration test with the added value of considering and including relevant CTI in the approach to its delivery and execution. When the assessment is scoped against the infrastructure, or a particular section of the organisation’s environment, the internal CTI function or a preferred outsourced partner (perhaps via an RFI) is tasked with providing attack scenarios that mimic how a threat actor would target and compromise the assets involved. The output typically takes the form of a report on the attack surface involved and how the penetration testers might gain access; its purpose is to depict the view from the threat actor’s perspective. To supplement this, research may be compiled on specific threat actors and campaigns relevant to the undertaking, including their underlying motives. This helps validate the methods used and adds to the realism of the initiative. Subscribing to a good source of strategic and tactical threat intelligence, to acquire the narrative around the latest attacker methodologies, tools and tactics, can really help build these reports. Significantly, if desired, the assessment can be undertaken without prior notice to the SOC/Blue Team, which provides a view on response and on gaps within the detective capability. It is advised that appropriate levels of Risk/Incident Management are informed and that rules of engagement are agreed in advance, both to intercept escalations which would otherwise go to Senior Management/C-level and so that a genuine incident occurring during the exercise can be told apart from the test.
Generally speaking, C-level and Board members are becoming increasingly involved in understanding the state of their organisation’s cyber security posture. CTI Analysts are commonly tasked with composing internal ‘Threat Advisories/Briefs’ for the CISO or the senior leadership team, detailing an emerging relevant threat or campaign, the organisation’s exposure to it, and the response (if applicable). As above, robust processes for CTI consumption are key to being actively notified of new threats or exposures and to receiving adequate detail on the specifics. Having access to detailed Threat Bulletins from the various intelligence sources the organisation subscribes to, in one central platform, significantly reduces the overhead on the CTI Analyst when drafting these write-ups.
Fundamentally, the CTI function is a pivotal cog in the wider effort of reducing cyber risk to an organisation. CTI should inform decisions and actions which improve the organisation’s security posture and provide greater defensive agility. One way to map this is through the MITRE ATT&CK framework. Another approach is to create your own organisation-specific ‘Cyber Threat Attack Trees’, a technique first documented by Bruce Schneier in 1999.
By understanding the continually evolving tactics and techniques an adversary could use to attack and compromise it, the CTI function can identify where security optimisations need to be made, or whether there is an apparent gap in detective and/or protective controls. CTI can help with prioritisation and evidence, for instance if it becomes apparent that certain methods are being used against targets within the organisation’s vertical or region. For example, the past couple of years have seen the introduction and rise of the kerberoasting technique, in which any authenticated domain user requests Kerberos service tickets for accounts that have a Service Principal Name and then cracks the service account passwords offline, where no network control can observe it. If this is considered a prominent area of weakness then the mitigation steps (such as long, random passwords or managed service accounts for SPN-bearing accounts, and alerting on unusual volumes of service ticket requests) can be reviewed and progressed internally.
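To make the attack-tree and ATT&CK mapping concrete, the following is an added worked example and not code from the original post or from Anomali. It evaluates a small attack tree in the style of Schneier’s AND/OR trees, with each leaf tagged by an ATT&CK technique ID and a flag recording whether a detective control covers it, and then lists which techniques sit on attack paths the SOC would never see. The tree, the costs and the coverage flags are constructed for illustration only and do not describe any real environment.

```python
"""Schneier-style attack tree with ATT&CK-tagged leaves and detection coverage.

Added example: the tree below, its costs and its 'detected' flags are
constructed for illustration and are not a real assessment.
"""
from __future__ import annotations

import itertools
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    name: str
    kind: str = "leaf"                 # "leaf", "AND" or "OR"
    technique: Optional[str] = None    # ATT&CK technique ID (leaves only)
    cost: int = 0                      # attacker effort for a leaf, arbitrary units
    detected: bool = False             # True if a detective control covers the leaf
    children: List[Node] = field(default_factory=list)


def cheapest_cost(node: Node) -> int:
    """Least attacker effort to reach the node: AND sums its children, OR takes the minimum."""
    if node.kind == "leaf":
        return node.cost
    costs = [cheapest_cost(c) for c in node.children]
    return sum(costs) if node.kind == "AND" else min(costs)


def undetected_paths(node: Node) -> List[List[str]]:
    """Every attack path (as a list of technique IDs) that avoids all detective controls.

    A detected leaf contributes no path; an OR node offers any child's paths; an AND
    node needs one path from every child, so it combines them with a product.
    """
    if node.kind == "leaf":
        return [] if node.detected else [[node.technique]]
    child_paths = [undetected_paths(c) for c in node.children]
    if node.kind == "OR":
        return [p for paths in child_paths for p in paths]
    return [sum(combo, []) for combo in itertools.product(*child_paths)]


def coverage_gaps(node: Node) -> List[str]:
    """Techniques that appear on undetected paths, most frequent first.

    This is the prioritisation list: adding detection for the top entries
    breaks the largest number of unseen routes to the goal.
    """
    counts = Counter(t for path in undetected_paths(node) for t in path)
    return [t for t, _ in counts.most_common()]


def mark_detected(node: Node, technique: str) -> None:
    """Simulate adding a detective control for one technique (mutates the tree)."""
    if node.kind == "leaf" and node.technique == technique:
        node.detected = True
    for c in node.children:
        mark_detected(c, technique)


# Constructed tree: the adversary's goal is domain-admin credentials.
TREE = Node("Obtain domain admin credentials", "OR", children=[
    Node("Get a foothold, then roast", "AND", children=[
        Node("Initial access", "OR", children=[
            Node("Phishing", technique="T1566", cost=2, detected=True),
            Node("Password spraying", technique="T1110.003", cost=3, detected=False),
        ]),
        Node("Kerberoasting", technique="T1558.003", cost=1, detected=False),
        # Offline cracking happens off the network, so no control can detect it.
        Node("Crack service ticket offline", technique="T1110.002", cost=2, detected=False),
    ]),
    Node("Exploit perimeter, then dump LSASS", "AND", children=[
        Node("Exploit public-facing application", technique="T1190", cost=5, detected=False),
        Node("Dump LSASS memory", technique="T1003.001", cost=2, detected=True),
    ]),
])


if __name__ == "__main__":
    print("cheapest cost:", cheapest_cost(TREE))
    for path in undetected_paths(TREE):
        print("undetected path:", " -> ".join(path))
    print("prioritise detection for:", coverage_gaps(TREE))
    mark_detected(TREE, "T1558.003")
    print("undetected paths after covering kerberoasting:", undetected_paths(TREE))
```

In this constructed tree the cheapest route (cost 5) is password spraying, kerberoasting and offline cracking, and it is also the only route that triggers no detection: phishing and LSASS dumping are covered, so the AND branches that depend on them fail for the attacker. Calling `mark_detected` for kerberoasting closes that last unseen path, which is the kind of evidence the CTI function can put in front of the engineering team when arguing for a specific control.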
Finally, at the centre of an ‘Intelligence-led’ approach is sharing, both internally and externally, where appropriate and relevant. Collaborative discussion and research on cyber threats is one of the most powerful ways to develop the CTI discipline. This can take many forms, such as communicating the latest industry breach observables to the internal Incident Response function, using social media to publicise new analysis, and actively participating in an ISAC or Security Interest Group. If your organisation is not connected already then Anomali can help.
Marc Green is an information security professional with a focus on threat intelligence and strategy. Marc has over eight years of experience in information security, predominantly spent within financial services.