Threat Intelligence for the 99% - Part 2: The Importance of CTI
Welcome to the second installment of our blog series in which we deep dive into threat intelligence: what it means and how to approach it depending on the needs and resources of your organisation.
In Part 1, Explaining the Issue, we looked back at the history of threat intelligence, up to the present day, when political, military and business threats most often arrive over the internet, which is what calls for cyber threat intelligence, or CTI.
In Part 2, we’re examining a simple question: why is CTI important in today’s cybersecurity landscape? There are two main umbrellas under which we’ll explore this question: the area of defence and the area of confidence.
Defence as a threat intelligence driver
Threat intelligence is all about action. What action will you take in response to the threats you see in your environment? Receiving an indicator of compromise, for example a suspicious or known-malicious IP address, is only the start: that indicator has to be actioned before what you are doing counts as real threat intelligence.
Types of security controls
In general, there are three primary types of control you can use to turn threat data into action.
Preventative control. This could mean taking that known-bad IP address and loading it into your security apparatus (a firewall, web proxy or DNS resolver, for example) to stop any bad action before it happens. While that entry is loaded, nobody in your environment can reach the address. The flip side is that a stale entry keeps blocking long after the address has been cleaned up or reassigned, so preventative entries need an expiry just as much as they need a source.
Detective control. Here you let traffic to that bad IP address through, but you log it and alert on it, either because you aren't sure of the quality of the intelligence you hold, or because you know the address will only be bad for a short time and an outright block would cause false positives later.
When organisations put in this type of control, they monitor activity involving the bad IP address and manage the outcomes of that intelligence. It's all about the ability to react, whether the outcome turns out to be good, bad or indifferent.
Administrative control. These are more strategic and operational controls, and often aren't directly technical. It can be as simple as hearing, for example, that an adversarial foreign government entity is dropping USB sticks all around your company's parking lot, and issuing a directive asking people not to plug them into their laptops.
Threat intelligence is part of the groundwork for the control implementations you need to actually protect your environment, and that’s why it’s a key component of any defensive strategy.
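To make the preventative and detective controls above concrete, here is an added example (not code from the original post) that takes a small indicator feed and decides, per indicator, whether it belongs in a block list, a watch list, or nowhere because it has expired. It then runs both controls over a handful of proxy log lines. The feed, the log lines, the fixed "now", the 0-100 confidence scores and the threshold of 80 are all constructed for illustration; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Turn a threat-intelligence feed into preventative and detective controls.

Added example, not from the original post. The feed, log lines, timestamps
and thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address


@dataclass(frozen=True)
class Indicator:
    ip: str
    confidence: int        # 0-100: how much we trust the source (assumed scale)
    valid_until: datetime  # short-lived attacker infrastructure should age out


# Fixed "now" so the example is deterministic (constructed).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed feed using RFC 5737 documentation addresses.
FEED = [
    Indicator("192.0.2.10", 95, NOW + timedelta(days=30)),    # high confidence, long-lived
    Indicator("198.51.100.7", 55, NOW + timedelta(hours=6)),  # medium confidence, short-lived
    Indicator("203.0.113.99", 90, NOW - timedelta(days=1)),   # already expired
]

# Constructed proxy log lines: "<ISO timestamp> <client> -> <destination IP>"
LOG_LINES = """\
2024-05-01T11:58:03Z 10.0.0.5 -> 192.0.2.10
2024-05-01T11:58:04Z 10.0.0.8 -> 198.51.100.7
2024-05-01T11:58:09Z 10.0.0.8 -> 203.0.113.99
2024-05-01T11:58:12Z 10.0.0.9 -> 203.0.113.5
""".splitlines()


def classify(ind: Indicator, now: datetime, block_threshold: int = 80) -> str:
    """Decide which control an indicator feeds.

    "expired": drop it, stale indicators only produce false positives.
    "block":   confidence is high enough for a preventative control.
    "alert":   detective control only, let the traffic through but watch it.
    """
    if now >= ind.valid_until:
        return "expired"
    if ind.confidence >= block_threshold:
        return "block"
    return "alert"


def build_controls(feed, now=NOW, block_threshold=80):
    """Split the feed into a block set and a watch set; expired entries are dropped."""
    block, watch = set(), set()
    for ind in feed:
        decision = classify(ind, now, block_threshold)
        if decision == "block":
            block.add(ip_address(ind.ip))
        elif decision == "alert":
            watch.add(ip_address(ind.ip))
    return block, watch


def parse_log_line(line: str):
    """Parse 'TIMESTAMP CLIENT -> DEST' into (client, dest_ip); rejects malformed lines."""
    _ts, client, arrow, dest = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log format: {line!r}")
    return client, ip_address(dest)


def evaluate_logs(lines, block, watch):
    """Apply both controls to each log line; returns [(client, dest, action), ...]."""
    results = []
    for line in lines:
        client, dest = parse_log_line(line)
        if dest in block:
            action = "BLOCK"      # preventative control fired
        elif dest in watch:
            action = "ALERT"      # detective control fired, traffic still allowed
        else:
            action = "allow"
        results.append((client, str(dest), action))
    return results


if __name__ == "__main__":
    block, watch = build_controls(FEED)
    for client, dest, action in evaluate_logs(LOG_LINES, block, watch):
        print(f"{action:5} {client} -> {dest}")
    # Seven hours later the short-lived indicator has aged out of the watch list.
    later_block, later_watch = build_controls(FEED, now=NOW + timedelta(hours=7))
    print("watch list after 7h:", sorted(str(ip) for ip in later_watch))
```

The point of the two thresholds (confidence and expiry) is that the same feed produces different controls depending on how much you trust each entry and how long it stays relevant. The already-expired entry is dropped entirely, so the third log line is allowed rather than blocked on stale data, and re-running the feed later removes the short-lived indicator from the watch list on its own.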
Confidence as a threat intelligence driver
As a Chief Information Security Officer (CISO), a lot of security-related questions you’ll get from your CEO will be due to something they saw in the news. There might be a high-profile breach, a new strain of malware out there wreaking havoc on networks worldwide, or some other cyber catastrophe. And that inevitably leads to the question: “Is this going to be a problem for us?”
And if you don’t have a good answer, the next question might be: “What did I hire you for?”
These executives want confidence in the security program they’re paying for and to make sure you’re taking an adequate view of the risk to the business. They want you to have a finger on the pulse of the cyber threats that could impact their bottom line. They’re trusting you to do this and if you aren’t, they may rethink whether you’re the right person for the job.
In some cases, you may need what I call executive eye candy to show what's going on. This is data from reports, whether generated by you or by third parties, that summarise the threat landscape. In truth, this material has no value as input to preventative or detective controls; it might have a place in administrative controls, but even that is a stretch.
It’s more about driving confidence in your program and the abilities of you and your staff members to keep up with adaptive threats.
Defence and confidence together for threat intelligence
So, what’s the right blend for your organisation?
If you don’t have a mechanism to feed threat intelligence into your security gear, then most of what you do will be confidence-based, because you’ll need an answer the next time your CEO sees something on the news about the latest ransomware strain.
Mature programs have a blend of defence and confidence tactics because they've ingrained those security practices into their organisation. That's the place you want to be, and that's why it's important to build a threat intelligence program. You simply can't afford to be caught out by either the attacks you could see or the questions you could get from higher-ups.
So now that we've explored why having a program is important, the natural next question is: when is the right time to implement a CTI program? We'll look at that in Part 3 of this series. Stay tuned.