Let the sunshine in

“Security has a secret power: threat intelligence,” quipped Dave Ockwell-Jenner, Senior Manager, Security Threat & Operational Risk Management (STORM) at SITA, during MISTI’s recent Threat Intelligence Summit in New Orleans, Louisiana. True enough, if the ability to look into the future exists even somewhat, that ability is reliant upon intelligence, in security’s case, cyber threat intelligence.

Cyber threat intelligence is no longer a luxury restricted exclusively to well-funded enterprises or those included in the nation’s critical infrastructure. In this day and age, all businesses—large or small, private or public, serving local communities or operating globally—should be protecting company and client information from cyber attacks (unless, of course, the company operates entirely without any cyber presence, in which case the company is likely to soon close up shop). What facilitates organizations’ abilities to accomplish this? Cyber threat intelligence.  

Harmony and understanding

Certain advantages accompany working for a multi-national critical infrastructure organization operating in its 67th year; Ockwell-Jenner’s threat intelligence program is more mature than many, but still, he said during his talk, “Blue Team Basics: Threat Intel in the Cyber Attack Lifecycle,” there is much work to be done, especially as it pertains to learning from the original intelligence community: military and government. Military intelligence, Ockwell-Jenner explained, is structured and has been refined over hundreds of years of practice. It is used primarily for operational decision making and to inform policy. And while cyber threat intelligence evolved from the idea of military/government intelligence, as corporations began to understand how the practice could benefit security programs, best practices weren’t transferred and applied. Rather than adopting military-style intelligence and applying it to cyber, said Ockwell-Jenner, corporations decided to lead with an IT security approach.

Cyber threat intelligence, as it exists in most companies today, centers around “blinky boxes, firewalls, IDS, incident response, etcetera,” he said. Security teams are piecing together threat intelligence ad hoc and inventing new processes as we go. What’s more, the security industry’s intelligence reports are not used for strategic decision making, as they are in the military, but instead typically serve as pretty dashboards that help security and/or threat teams justify budget expenditures. “All the things we are good at with military intelligence,” Ockwell-Jenner related, “we seem to have forgotten or dismissed at the corporate level.”

Sympathy and trust abounding

One of the reasons for the “forgetfulness” is that cyber threat intelligence as a practice emerged from an information security need. It’s only recently (in the larger scheme of things) that information security threats have become more abundant and rapid fire than the resources organizations have to defend against them. Security teams saw an opportunity and, in entrepreneurial fashion, began to build programs based on ages-old military intelligence. Security practitioners, however, having the skill sets they have and knowing what they know, turned to the familiar— “blinky boxes,” data feeds, logs, etc.

While there’s no harm in beginning with the familiar, after several years of on-the-job lessons, the explosion of technology vendor offerings, and watching as adversaries get the better of corporations, security and threat teams haven’t moved past “what we know” to “what’s useful and valuable.” As Ockwell-Jenner explained during his talk, it’s the evolution from incident response to proactive mitigation that will be most effective.

No more falsehoods or derisions

Of course security and threat teams have the most honorable of intentions to move in that direction, said Ockwell-Jenner. However, most are stuck collecting only operational and technical threat intelligence. These intelligence types equate to information about active or past attacks against the company or industry and searching for indicators of compromise, things that can be observed by security and operations teams through the SIEM, firewall logs, IDS/IPS, etc. Additional types of information from which companies can benefit, he continued, are strategic and tactical intelligence, high-level information on changing environmental and company-specific risks and attacker tools, techniques, and procedures (TTPs), i.e., who’s doing what to whom and how they’re doing it.

Further, it’s necessary for threat teams to leverage various threat intelligence sources and combine data gleaned with human analysis and intelligence. SITA originally began its program by collecting open source threat intelligence (OSINT), then moved to technical threat intelligence (TECHINT) and signals intelligence (SIGINT) as the threat group grew and matured. Once internal data gathering processes were well-established, SITA partnered with threat intelligence vendors to obtain supplemental sources and resources, ensuring a 360° view of the company’s threat landscape.

Golden living dreams of visions

By looking at threat intelligence from various angles, explained Ockwell-Jenner, security and threat teams can begin to form a program that answers some fundamental questions:

  • What are we defending tactically?
  • Is this informing the security program and policy?
  • Are we updating our board? Is the information we are presenting to the board valuable?
  • Is any of the information we collect useful to others?

Posing these questions first—even before a threat program is established, in some cases—can be a very valuable method of ensuring your eye is on the prize, i.e., everything your threat program does supports the company’s strategic goals: What assets are we protecting? Why? How sensitive is it? What are the business consequences of an unauthorized or malicious user accessing these assets? Does the board agree? Can the information we collect help others become better defenders as well?

And the mind’s true liberation

Of course, threat intelligence programs are much more complicated than what can be covered during an hour-long talk. Boiled down to the most pertinent take away, Ockwell-Jenner advised, “Don’t collect everything just because you can. Collect only what you can use.” Intelligence that informs policy and helps with operational decision making should be the goal of all cyber threat intelligence programs. Move away—if you haven’t already—from reporting on the “blinky boxes” and creating pretty graphs that only tell a portion of the story. Instead, take a holistic view of the organization and move towards collecting and supplying intelligence that allows security and operations teams to act swiftly in the face of true threats.