Tuesday, March 24, 2020

Threat Intelligence Cycle


The concept of threat intelligence has been around for centuries, and its concepts were largely popularized by the works of Sun Tzu. The "Art of War" is a philosophical compilation of strategies for achieving positive outcomes when facing an adversary. That adversary can be engaged on a variety of battlefields wherever competitors have conflicting interests, including playing fields and boardrooms. The cyber domain is the most modern implementation of a battlefield, one in which your adversaries are largely nameless and faceless. They have a wide breadth of skills, and the threats they pose to your environment are dynamic by nature and constantly shifting. This is a challenge for one of Sun Tzu's most fundamental mandates: know your enemy in order to achieve positive results. 

The application of threat intelligence to the cyber domain is integral to providing deeper insights into your adversaries' capabilities and intent. 

Gill and Phythian defined intelligence in the book Intelligence in an Insecure World as:


[an] umbrella term referring to the range of activities – from planning and information collection to the analysis and dissemination – conducted in secret and aimed at maintaining or enhancing relative security by providing forewarning of threats or potential threats in a manner that allows for the timely implementation of a preventive policy or strategy, including, where deemed desirable, covert activities.


Applying threat intelligence to your cyber defense enables the shift from a reactionary mindset to a more mature, targeted approach. This approach allows defenders to put in place protection mechanisms that take into account the context of your unique environment. While others may be in a hysteria over a newly released exploit, you know that you already have controls in place to mitigate any attack attempt. No longer are you always in the position of being behind the curve in an attack. You are able to predict when an attack can occur and the methods that will be utilized, which puts you in a better position for positive outcomes because intelligence allowed you to know your enemy. 

Cyber threat intelligence is simply the application of the threat intelligence cycle that has been used throughout history to the cyber domain. Below is a diagram of the cycle. It is drawn as a loop to depict that the process is recursive and that each phase supports the others. Integral to the entire process is the mission: each phase is driven by making sure it adheres to the mission. The mission allows the intelligence team to focus on the subject areas that are of critical importance to the organization. That is why it is key to make sure the mission is clear and disseminated to everyone involved in threat intelligence.


Princeton University has a good example of a mission statement and has made it public to make sure everyone knows and understands its directive. The mission is to make information security programmatic and cultural on campus in order to support the University in its mission of teaching and research. It is clear and concise, and they have defined specific activities that are in place to support that mission statement.



That mission statement sets the tone for the very first phase of the lifecycle, Planning and Direction. It is the principal input that drives the direction of the program. This initial phase outlines the goals and requirements of the threat intelligence program, and the contributions that threat intelligence is meant to provide to the organization are defined here. Other inputs include organizational policy makers and feedback from the dissemination phase. Planning for metrics and for monitoring continuous improvement should be a key component of this initial phase. This direction is then passed to the collection phase.

The collection phase carries out the requirements mandated during the planning phase. This phase creates the systems necessary to collect the data needed to generate intelligence. The sources of this data can be both internal and external to your organization. The decisions made here determine how well the threat intelligence team is able to meet the mandates established by the mission.

Raw data is useless without processing and analysis. The processing phase converts that raw data into a structured format that allows for efficient analysis, because the collection phase gathers data from a variety of sources that do not share a universal structure. Processing also filters out data that is redundant or irrelevant to your operations.

The analysis and production phase is where the correlation of structured, collected data occurs. This phase builds the narrative associated with threat behaviors. Data across all of the collected sources is now analyzed to develop a single-source, event-oriented report. This report highlights the insights derived by the analysts.

The report is then disseminated to those who consume the threat intelligence. Consumers of threat intelligence operate at all levels of the organization; they are the decision makers as well as the implementers. Intelligence could uncover a prolonged campaign targeting your organization, or it could be a list of IPs that should be blocked by your firewall. Each possibility drives different activities designed to protect your organization.

The phase that is implicitly defined by the diagram is feedback. Each phase should provide feedback to the phase prior to it. Processing and exploitation should inform the collection team whether any additional data would be helpful in processing. Dissemination should inform the analysts which report formats are most helpful in facilitating decision making. There should be a continuous dialogue between the phases to make sure requirements are being met, which allows for adjustments throughout the lifecycle.

Next, I'll go over operationalizing threat intelligence. The focus will be on small businesses that may not have the resources for a dedicated intelligence team. 

References:

Liska, A., & Gallo, T. (2015). Building an intelligence-led security program. Amsterdam: Elsevier, Syngress.

Intelligence Cycle and Process. (n.d.). Retrieved March 24, 2020, from https://www.e-education.psu.edu/sgam/node/15

Information Security Office (ISO). (n.d.). Retrieved March 24, 2020, from https://informationsecurity.princeton.edu/about
