To remain in ignorance of the enemy’s condition simply because one grudges the outlay of a hundred ounces of silver…is the height of inhumanity. Thus what enables the wise sovereign and the good general to strike and conquer…is foreknowledge. – excerpt from Sun Tzu’s Art of War
Cyber Threat Intelligence (CTI), simply put, is timely, accurate and actionable information about threats, vulnerabilities and incidents, including the indicators of compromise that let its consumer detect and respond to them. The objective of a CTI strategy should be to improve your overall cyber security posture through situational awareness of, and targeted response to, security threats such as malware, insider threat, espionage, hacktivism, cybercrime and other emerging threats.
What Challenges Do Organizations Face With CTI?
On paper, most chief information security officers (CISOs) understand the need for a CTI strategy. In practice, however, real-world challenges exist with implementing such a strategy. Frequently asked questions include:
- How do I select the best threat intelligence vendors for my organization? As simple as it sounds, the answer depends on your organization’s threat landscape. Working out your key threat actors (e.g., internal threats vs. nation-states) and threat vectors beforehand will point you towards the type of CTI feeds you need. Before purchasing, challenge vendors on the breadth, depth and industry relevance of their intelligence feeds.
- How do I make sense of CTI without drowning in a sea of data? The volume of information available from threat intelligence sources, including open source intelligence (OSINT), vendors, and public and private sharing platforms, is far more than analysts can read. Normalizing and deduplicating feeds, filtering them against what your own telemetry can actually act on, and using analytics and visualization tooling to surface the relevant remainder is the practical answer.
- Do we have the right skills in-house to analyze all that data? Organizations often make the mistake of thinking that CTI is only needed at the technical level. In reality, the right mix of CTI skills should include both technical skills (e.g., SOC analysts responsible for tactical security incident response) and nontechnical skills (e.g., analysts who understand business priorities and are able to use CTI for strategic risk management).
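The "drowning in data" problem above is as much about feed hygiene as about volume: the same indicator arrives from several vendors in different forms (defanged `evil[.]com`, `hxxp://`, mixed case), stale entries never expire, and feeds carry indicator types your telemetry cannot act on. The following Python script is an added illustration, not code from the original post or from any vendor: the feed records, the log lines and the "as-of" date are all constructed for the example, and the assumption that the organization has proxy and firewall logs but no file-hash telemetry is likewise invented to show how collection requirements prune a feed before matching.

```python
"""Triage overlapping threat-intelligence feeds against local telemetry.

Added illustration. FEEDS, LOGS and TODAY are constructed sample data, not
real intelligence; ACTIONABLE_TYPES encodes an assumed set of log sources.
"""
import re
from datetime import date

# Constructed feed records: (source, indicator_type, value, confidence 0-100, last_seen).
# Note the defanged forms ("evil[.]example", "hxxp://") and differing case, which
# naive string comparison would treat as distinct indicators.
FEEDS = [
    ("vendor_a", "domain", "Evil[.]example", 80, "2016-10-01"),
    ("vendor_b", "domain", "evil.example", 60, "2016-09-28"),
    ("osint", "url", "hxxp://evil.example/dl/payload.exe", 50, "2016-09-30"),
    ("vendor_a", "ipv4", "203.0.113.45", 90, "2016-10-02"),
    ("vendor_b", "ipv4", "203[.]0[.]113[.]45", 70, "2016-10-02"),
    ("osint", "ipv4", "198.51.100.7", 30, "2015-01-15"),  # stale, will be dropped
    ("vendor_b", "sha256", "a" * 64, 95, "2016-10-01"),  # no hash telemetry, will be dropped
]

# Assumed CTI requirement: proxy/DNS and firewall logs exist, file-hash telemetry does not,
# so only these indicator types can be operationalised today.
ACTIONABLE_TYPES = {"domain", "url", "ipv4"}
MAX_AGE_DAYS = 90
TODAY = date(2016, 10, 3)  # constructed "as-of" date for the age check

# Constructed local log lines (proxy and firewall), including one benign line.
LOGS = [
    "2016-10-03T09:12:01 proxy user=jdoe dst=evil.example url=http://evil.example/dl/payload.exe",
    "2016-10-03T09:15:44 fw src=10.0.0.12 dst=203.0.113.45 action=allow",
    "2016-10-03T09:16:02 fw src=10.0.0.13 dst=198.51.100.7 action=allow",
    "2016-10-03T09:20:10 proxy user=asmith dst=www.example.org url=http://www.example.org/",
]


def normalize(kind, value):
    """Refang and canonicalise an indicator so the same IOC from different feeds collapses."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".")
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)  # hxxp:// and hxxps:// refanging
    if kind in ("domain", "url"):
        v = v.lower()
    return v


def merge_feeds(records, today=TODAY):
    """Drop unactionable and stale indicators, then deduplicate across sources.

    Returns {(kind, value): {"confidence": best, "sources": {...}}}.
    """
    merged = {}
    for source, kind, value, confidence, last_seen in records:
        if kind not in ACTIONABLE_TYPES:
            continue
        if (today - date.fromisoformat(last_seen)).days > MAX_AGE_DAYS:
            continue
        key = (kind, normalize(kind, value))
        entry = merged.setdefault(key, {"confidence": 0, "sources": set()})
        entry["confidence"] = max(entry["confidence"], confidence)
        entry["sources"].add(source)
    return merged


def match_logs(indicators, log_lines):
    """Return one hit per (log line, indicator), highest confidence first.

    Matching is whole-token (no partial IP matches such as 203.0.113.4 in 203.0.113.45)
    and exact-host for domains; subdomain matching is deliberately left out here.
    """
    hits = []
    for line in log_lines:
        for (kind, value), meta in indicators.items():
            pattern = r"(?<![\w.])" + re.escape(value) + r"(?![\w.])"
            if re.search(pattern, line, flags=re.IGNORECASE):
                hits.append({
                    "line": line,
                    "indicator": (kind, value),
                    "confidence": meta["confidence"],
                    "sources": sorted(meta["sources"]),
                })
    return sorted(hits, key=lambda h: (-h["confidence"], h["line"]))


if __name__ == "__main__":
    indicators = merge_feeds(FEEDS)
    print(f"{len(FEEDS)} feed records -> {len(indicators)} actionable, current, unique indicators")
    for hit in match_logs(indicators, LOGS):
        print(f"[{hit['confidence']:>3}] {hit['indicator']} from {hit['sources']}: {hit['line']}")
```

Seven feed records reduce to three indicators worth loading into the SIEM, and the two indicators corroborated by more than one source carry their combined provenance into the alert so an analyst can see at a glance why the hit ranked where it did.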
Below is a summary of some best practices around CTI which auditors and security executives can use as a conversation starter.
- Have a documented risk-based CTI strategy—Understand your cyber threat landscape and determine what CTI feeds you need on that basis. Additionally, document how CTI will be obtained, how frequently it will be collected, who will consume it and what they are expected to do with it.
- Establish communication channels between CTI and business intelligence functions—Do not lose sight of the operating environment when collecting and analyzing threat intelligence. External business factors could provide additional insight into cyber threats and could help shape your CTI strategy.
- Expect to pay for good threat intelligence—Paraphrasing the words of Sun Tzu, when winning matters to you, “do not begrudge the outlay of a hundred ounces of silver for foreknowledge about your enemy.”
- Have a management-approved process for sharing your intelligence with peers, regulators, industry groups and law enforcement—When it comes to CTI, the growing refrain is “one for all and all for one.” No one is an island these days.
- You cannot buy institutional knowledge—The best CTI resources are often those who already understand how your business works and who can bring that knowledge to bear on the analysis of CTI. Consider upskilling internal resources before hiring externally.
- Don’t collect threat intelligence for the sake of collecting it—To get the best answers from CTI, we must first ask the right questions of the data. Establishing CTI requirements upfront and anticipating changes to those requirements are important aspects of any strategy.
- Don’t expect to make sense of it all immediately—Achieving the right balance between collection, analysis and delivery of actionable intelligence will take time.
- Don’t forget that your third-party IT suppliers complement your CTI strategy—Every technology provider you use sees threats against the services it runs for you, so each of them is a potential intelligence source and should have a defined place in your CTI strategy.
In a recent global survey of security executives,1 36% of respondents stated that they did not have a threat intelligence program, a further 30% had only an informal approach, and only 5% said that their organization had achieved an advanced threat intelligence function. A clear CTI strategy would move organizations out of those first two groups and improve their anticipation of, and response to, threats.
Editor’s note: October is Cyber Security Awareness Month in many countries around the world. ISACA is a 2016 Champion sponsor organization of the National Cyber Security Alliance’s (NCSA) National Cyber Security Awareness Month.
1 EY, “2015 Global Information Security Survey (GISS),” www.ey.com/GL/en/Services/Advisory/ey-global-information-security-survey-2015-1
Omo Osagiede, Director and Independent Security Consultant, Borderless-I Consulting Limited
[ISACA Now Blog]