Avoid These Mistakes in Your Cyber Threat Intelligence Program

Cyber Threat Intelligence (CTI) has rapidly become a key part of modern-day cybersecurity, helping organizations uncover, detect, and respond to threats faster. CTI has also been shown to help organizations assess and better inform their security investments. Although CTI has proven very valuable to many organizations, establishing your own CTI program and making it effective is not particularly easy.
Many organizations start off with great intentions and lose their way. The resulting problems can be thought of as failures or missteps. Either way, the mistakes waste effort, fragment the program, and ultimately create very real security gaps.
Understanding what not to do is as important as understanding how to develop, implement, and operationalize a CTI program the right way. The following common missteps can greatly hinder your capabilities and may undermine the organization-wide effort to prevent as many types of cyberattacks as possible.
Collecting Data Without an Objective
The most frequent misstep organizations make is collecting threat feeds just to collect them, because they are free and available. Collecting intelligence data without a structured process creates a false sense of confidence while burdening your team with data overload, often without any process in place to look at or evaluate what is collected.
In the final analysis, threat intelligence should connect back to a business-related risk and, through it, to specific security objectives. If there are no objectives to collect in support of, an intelligence team can drown in feeds, indicator data, threat reports, and similar material that may or may not be relevant to your organization's respective areas of concern, risks, and threat landscape.
Unfocused data collection creates far too much noise and hides actual threats. Security teams waste time investigating false positives, following trails of misleading indicators, and trying to decode intelligence that is irrelevant to their environment or industry.
The fix is to define concrete goals before any data collection begins. Have a clear understanding of which types of threats matter to your organization, which assets require protection, and which decisions the intelligence is meant to support. Settling these questions before gathering intelligence data ensures that every data source serves a purpose.
Failure to Prioritize Threats
Not all threats warrant the same level of attention, yet a large number of CTI programs treat every piece of intelligence as equally urgent. Checking in with security teams, it quickly becomes apparent how many are overwhelmed by the sheer number of threats, which dilutes their response to a genuine high-risk incident.
Risk-based prioritization, or more precisely filtering of threats, is essential to managing the deluge of threat intelligence. Your CTI program should prioritize threats pertinent to your specific industry, technology stack, geography, or business model.
Filtering can be made easier through automation, but it cannot be fully achieved without the human judgment needed to separate relevant signals from noise. That judgment weighs factors such as threat actor capability, the operational feasibility of an attack on your organization, potential business impact, and each data source's credibility.
Prioritization saves security teams valuable resources and significantly shortens turnaround when a genuinely critical threat is identified. Teams spend more time on the threats that truly matter rather than reacting to, and being led by, whatever vulnerability or threat has most recently emerged.
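The following is an added example, not code from the article, of how the relevance filter and the four weighting factors described above can be automated as a first pass before analyst review. The organisation profile, the scoring formula, the 1 to 5 scales and the sample reports are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed profile (assumed, not from the article): what "relevant to us" means.
ORG_PROFILE = {
    "industry": {"finance"},
    "tech_stack": {"windows", "m365", "aws"},
    "geography": {"US"},
}

@dataclass(frozen=True)
class ThreatReport:
    title: str
    industries: frozenset    # empty set = untargeted, applies to anyone
    technologies: frozenset
    geographies: frozenset
    actor_capability: int    # 1 (opportunistic) .. 5 (well-resourced)
    feasibility: int         # 1 (needs access we do not expose) .. 5 (trivial against us)
    business_impact: int     # 1 (nuisance) .. 5 (business-critical)
    source_credibility: int  # 1 (unverified feed) .. 5 (first-hand, corroborated)

def is_relevant(report: ThreatReport, profile: dict) -> bool:
    """Keep a report only if every targeting dimension it specifies overlaps our profile."""
    checks = [(report.industries, profile["industry"]),
              (report.technologies, profile["tech_stack"]),
              (report.geographies, profile["geography"])]
    return all(not targeted or targeted & ours for targeted, ours in checks)

def score(report: ThreatReport) -> float:
    """Risk score in [0, 1]: capability x feasibility x impact, discounted by credibility."""
    likelihood_impact = (report.actor_capability * report.feasibility * report.business_impact) / 125
    return round(likelihood_impact * (report.source_credibility / 5), 4)

def prioritize(reports, profile, min_score=0.1):
    """Drop irrelevant and low-scoring reports, then rank the rest highest risk first."""
    kept = [r for r in reports if is_relevant(r, profile) and score(r) >= min_score]
    return sorted(kept, key=score, reverse=True)

# Constructed sample reports for demonstration only.
REPORTS = [
    ThreatReport("Ransomware affiliate hitting US banks via exposed RDP",
                 frozenset({"finance"}), frozenset({"windows"}), frozenset({"US"}), 4, 4, 5, 4),
    ThreatReport("ICS malware campaign against European utilities",
                 frozenset({"energy"}), frozenset({"scada"}), frozenset({"EU"}), 5, 1, 5, 5),
    ThreatReport("Unverified feed: bulk phishing domain list",
                 frozenset(), frozenset(), frozenset(), 2, 3, 2, 1),
    ThreatReport("OAuth consent phishing against M365 tenants in finance and healthcare",
                 frozenset({"finance", "healthcare"}), frozenset({"m365"}), frozenset({"US", "UK"}), 3, 5, 4, 5),
]
```

With the sample data, the utilities report is filtered out as irrelevant, the unverified feed entry falls below the threshold, and the two remaining reports are ranked by score for an analyst to take up.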
Disregarding Internal Collaboration
A large number of organizations run their CTI teams in isolation when they could be working with the rest of the security organization to improve overall security effectiveness. Siloed intelligence work has many downsides: duplication of effort, missing important context, and insufficient support for the many other security functions.
CTI programs only provide value when the intelligence supports SOC operations, incident management, risk management, and other security functions. Without linking intelligence to SOC operations or incident response, CTI cannot support detection, response, and prevention activities across the organization.
Intelligence should be shared internally across business units so that each team is aware of the threats that may affect its specific operational context. For example, IT teams need intelligence on infrastructure-based attacks, while business units mainly need to be aware of the threats that exist for their industry.
Effective communication between CTI and other teams allows faster detection of threats, more efficient incident response, and better security decision-making across the organization. Regular briefings, shared platforms, and joint exercises can all contribute to making connections across these various teams.
Neglecting Context and Analysis
There is a significant difference between raw threat data and actionable intelligence. To the detriment of many programs, threat intelligence is too often treated as simply aggregating indicators and disseminating them without the additional context organizations need to make informed security decisions.
While basic “what” and “who” information is useful to threat intelligence programs, threat intelligence is truly valuable because it answers the questions “who is behind the threat,” “what are they trying to achieve,” “why are they targeting an organization with a profile like yours,” and “how are they executing this operation.”
That context is what turns raw data into true intelligence and makes it useful for decision-making. Acting on incomplete information or assumptions can waste resources, generate false positives, and miss real threats. Based on inaccurate intelligence, organizations may build unnecessary controls, overlook legitimate threats, or execute an improper response in the event of an incident.
Skilled analysts will remain essential even as automation tools improve. Analysts are needed to assess source credibility, assess the relevance of a threat, identify trends, and provide the analysis and context that turn data into decisions.
Not Measuring and Adjusting
Most CTI teams operate without appropriate metrics for evaluation and therefore cannot demonstrate value to the organization's leadership. If a program is not measured, there is no way to know whether it is delivering on its objectives or providing an adequate return on investment (ROI).
Both periodic and ongoing review of the program can help identify areas for improvement, assess whether intelligence products are providing effective support for operational security, and determine whether resources are invested appropriately in CTI. This should include operational metrics as well as outcome metrics tied to strategic objectives.
CTI programs should be prepared to adjust and adapt as the threat landscape changes, because threats, adversary techniques, threat actors, organizational priorities, and technology all change frequently.
Measurement directs future investment and improvement by demonstrating what is beneficial and what is ineffective and needs work. It not only justifies the resources dedicated to the problem; measurement and analysis also help continually improve the threat intelligence capability.
Building a More Effective CTI Program
A cyber threat intelligence program is much more than a program that collects threat data; it takes that data and synthesizes it into actionable information to truly protect the organization and support educated security decisions.
Avoiding the mistakes outlined above helps ensure that your CTI program delivers increased value to your organization rather than simply increased overhead. Program success depends on appropriately scoped data collection, appropriate prioritization of threats, the ability to work well within the organization, sound analysis, and measurement.
The stakes have risen for organizations as adversaries have reached unprecedented levels of sophistication in their threats and attacks, requiring even smarter and faster defensive measures.
If your CTI program avoids these common pitfalls and continuously assesses and improves itself as necessary, it will be able to anticipate and detect emerging threats, intervene to stop attempted or successful attacks, and provide an appropriate response when incidents occur.
About The Author
Caleb Price. Contact by email with ATTN: Caleb Price as the subject to contact@investorshangout.com.