Building a Cyber Threat Intelligence Capability from Scratch – Part I
In my first article, I explained what Cyber Threat Intelligence (CTI) is. In my second, I outlined why every business should be utilising CTI to protect its critical assets (both articles are linked below). Now, in this next arc, I am going to explain the general steps you can take to build your very own CTI capability. It is not black magic and, if done correctly, can be an extremely effective security measure for business resilience. If done poorly, though, it can instead be very damaging and counterproductive. So, for those who read my past articles and were like “This does sound like something we need as a business, but I have no idea at all where to begin?”, hopefully this extended explanation will provide a general roadmap you can follow to begin the process.
This first part will outline the general approaches, considerations and types of intelligence you should look to collect to help build an underlying framework for a CTI capability. Later articles will outline how to build a CTI team dependent on capability maturity, and also how to evaluate your own environment to discover the threats against you. To note, some of this work is my own theory mixed with best practice, so hopefully this guide will provide a useful insight into the discipline of CTI that you can then use to make your own business more resilient to attack.
Starting from Scratch
It’s a dreary Monday morning. You’ve just got into work and there is a weird vibe; people are much more energetic than usual. People are running around with worried looks on their faces and no one is making eye contact. This is strange, you think. You have not had any communication from anyone over the weekend, which isn’t unusual, but as you get deeper into the building you realise something is not right. There is shouting and banging, and suddenly, as you approach the main boardroom, Pete, your friend and company CISO, is marching out, red-faced and heading for the exit. Before you can gather your senses, you are dragged into the boardroom to learn you’re about to have a pretty rubbish start to your week.
Here is the situation in a nutshell. Pete has been fired because the company suffered a major data breach over the weekend, and it has come to light that the company’s security measures were simply not up to the job of detecting, protecting against or even responding to the threat. The board demands visibility of all future attacks and a capability that will allow them to make better and more timely decisions on the security posture of the business. This is also to include an understanding of where the digital weaknesses lie and how the business can better understand who is attacking them. And guess who is going to deliver this new capability? That’s right, it’s Brenda in HR… no, of course not, it’s you. So, you head back to your desk, and your first task is to plan how you can actually accomplish this. Luckily, you know what you’re doing, or at least you think you do. You’ve been studying a new discipline called CTI.
You know you are starting from scratch, which is both good and bad. You get a clean slate to begin the process, with no outstanding red tape or people to curb your efforts, but you have a long road to travel. You know where you want to get to: you have your end goal, and you begin to work your way back, analysing the requirements needed over a period of time (e.g. backcasting analysis) to reach this goal. Maturity levels in CTI can be graded using several frameworks. The one developed by the Sqrrl team is a good starting point, as is the one created by EclecticIQ (https://www.eclecticiq.com/downloads/EclecticIQ-White-Paper-Applying-the-Threat-Intelligence-Maturity-Model-to-your-organization.pdf). You can use these models to place your business at a level of CTI maturity and see what requirements you need to achieve to move up to the next level.
You estimate that you are firmly sat at level 0. There is no real security team at the business; you rely on a third-party IT contractor in the event of IT failures, and that is about it. You decide you need to start building an understanding of what the business expects you to do and what you feel the business must protect within its environment, and ultimately build a team that can deliver on the capability. It is easy to jump the gun here, but first we need to create a solid grounding for the capability, and with that we need to start with a modern approach to using CTI.
Intelligence-Led Security
Now, as you like to keep abreast of the latest developments and frameworks, you know the best approach to incorporating threat intelligence into the business is through an intelligence-led format. This approach, which has long been accepted as best practice and was developed by the Bank of England CBEST programme (https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/financial-sector-continuity/understanding-cyber-threat-intelligence-operations.pdf), will ensure the business neither defends against too little because you do not understand the threats you face, nor tries to defend against all potential threats, which is an unsustainable approach that may also impair the business’s ability to operate effectively.
This approach will ensure you understand the threats that are specific to you and allow you to protect against them. The approach also informs the uptake of intelligence-led cyber security defences and ensures that your business will be tested on your ability to prevent, detect and respond to realistic, contemporary and accurate attacks. It also means you have at the heart of your framework the business risks that are created out of the threats you identify, the vulnerabilities inherent in your digital, physical and personal structure and an understanding of the impact incidents can have on the business. A more thorough explanation can be found at https://www.crest-approved.org/wp-content/uploads/CREST-Cyber-Threat-Intelligence.pdf.
You decide that this is the best approach, and now we have our conceptual foundation and our starting point for our new capability; we will revisit this approach in parts II and III. But now we need to understand the types of intelligence we can collect for the benefit of the business in order to progress.
Types of Threat Intelligence
Intelligence is not as simple as just information on threat actors and exploits running wild around cyberspace. It is a mixture of science and art, and there are different types of intelligence that serve different areas of a business. The three types (arguably four, but for simplicity I will stick at three) that we are going to focus on here are outlined below, and each delivers a different capability to the business.
Strategic Intelligence:
Strategic intelligence is consumed by those typically at board level and is used to make strategically important decisions for the future of the business. It helps strategists understand current risks and identify further risks of which they are as yet unaware. It deals in high-level concepts such as risk and likelihood rather than technical aspects, and it is used by the board to guide strategic business decisions and to understand the impact of the decisions that are made.
Examples:
- It can help CISOs communicate with top executives and board members about digital risks to the business, the probable actions of adversaries in the future and the return on investments in security.
- It can provide managers with an understanding of actual digital threats to the business (which are different from those hyped by the press) so they can allocate budget and staff to protect the most critical assets and business processes.
Operational Intelligence:
Operational threat intelligence is actionable information on specific incoming attacks and incidents. Ideally, it informs on the nature of an attack, the potential identity and capability of the attacker/s, and gives an indication of when, how and where an attack will take place. For example, it can be used to mitigate attacks by removing attack paths or by hardening services.
Examples:
- It provides situational awareness and context so Incident Response teams can expand their investigations from individual indicators to determine an attacker’s intentions, methods and targets.
- It allows Incident Response and Forensics teams to quickly remediate the damage done by breaches and prevent additional attacks in the future.
Tactical Intelligence:
Tactical threat intelligence can be one of the most useful forms of intelligence in terms of protecting the organisation. It turns knowledge about threats into concrete detection capabilities. Feeds of indicators of compromise (MD5 file hashes, signatures, malicious domain names) can be fed directly into security controls to quickly detect and remediate any threats.
Examples:
- It is used to automate the flow of validated indicators into the SIEM, so analysts can correlate events with attacks more quickly and accurately.
- It prioritises indicators so analysts can rapidly identify alerts that need to be escalated.
- It lets teams respond faster and be alerted to incidents in real time.
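As an added illustration of the tactical use described above (this is example code written for this article's editing pass, not code from the original article or any vendor feed), the script below parses a small indicator-of-compromise feed, matches it against a handful of log events, ranks the hits by the feed's confidence score and returns only those above an escalation threshold. The feed, the log lines, the confidence values and the source names are all constructed for the example; a real deployment would pull from your chosen feeds and your SIEM.

```python
"""Added example: matching an IoC feed against log events and ranking hits.

All indicators, log lines, confidence scores and source names below are
constructed for illustration; none refer to real infrastructure or malware.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    ioc_type: str    # "md5", "domain" or "ipv4"
    value: str       # normalised (lower-cased) indicator value
    confidence: int  # 0-100: how confident the feed is that this is malicious
    source: str      # which feed it came from (constructed names)


@dataclass(frozen=True)
class Hit:
    log_line: str
    indicator: Indicator


# Constructed feed in a CSV-style layout: type,value,confidence,source
IOC_FEED = """\
md5,0123456789abcdef0123456789abcdef,95,example-feed-a
domain,bad-update.example.net,80,example-feed-a
domain,cdn.example.org,20,example-feed-b
ipv4,203.0.113.45,90,example-feed-b
"""

# Constructed log lines in a simple key=value format (proxy, AV and firewall)
SAMPLE_LOGS = [
    "2024-05-01T08:02:11Z proxy user=alice dst=bad-update.example.net status=200",
    "2024-05-01T08:03:40Z proxy user=bob dst=cdn.example.org status=200",
    "2024-05-01T08:05:02Z av host=ws-17 file=invoice.exe md5=0123456789ABCDEF0123456789ABCDEF action=quarantine",
    "2024-05-01T08:06:19Z fw src=10.0.0.12 dst=203.0.113.45 dport=443 action=allow",
    "2024-05-01T08:07:55Z proxy user=carol dst=intranet.example.com status=200",
]

# Only these log fields are checked against the feed; matching every token
# blindly would turn file names like "invoice.exe" into pseudo-domains.
OBSERVABLE_KEYS = {"dst", "src", "md5"}

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def parse_feed(text: str) -> dict:
    """Parse the CSV-style feed into a lookup keyed by (type, value)."""
    indicators = {}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ioc_type, value, confidence, source = (p.strip() for p in raw.split(","))
        ind = Indicator(ioc_type, value.lower(), int(confidence), source)
        indicators[(ind.ioc_type, ind.value)] = ind
    return indicators


def classify(value: str):
    """Return the observable type of a field value, or None if unrecognised."""
    v = value.lower()
    if MD5_RE.match(v):
        return "md5"
    if IPV4_RE.match(v):
        return "ipv4"
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def extract_observables(line: str) -> set:
    """Pull (type, value) observables out of the checked key=value fields."""
    found = set()
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep or key not in OBSERVABLE_KEYS:
            continue
        kind = classify(value)
        if kind:
            found.add((kind, value.lower()))
    return found


def match_logs(lines, indicators: dict) -> list:
    """Match every log line against the feed; highest confidence first."""
    hits = []
    for line in lines:
        for obs in extract_observables(line):
            ind = indicators.get(obs)
            if ind:
                hits.append(Hit(line, ind))
    hits.sort(key=lambda h: h.indicator.confidence, reverse=True)
    return hits


def escalate(hits, threshold: int = 70) -> list:
    """Keep only hits whose feed confidence meets the escalation threshold."""
    return [h for h in hits if h.indicator.confidence >= threshold]


if __name__ == "__main__":
    feed = parse_feed(IOC_FEED)
    all_hits = match_logs(SAMPLE_LOGS, feed)
    for h in escalate(all_hits):
        i = h.indicator
        print(f"[{i.confidence}] {i.ioc_type}={i.value} ({i.source}) <- {h.log_line}")
```

The low-confidence hit on cdn.example.org is deliberately kept out of the escalated set: this is the prioritisation step in practice, where the feed's confidence score, not the mere presence of a match, decides what an analyst sees first.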
Understanding the different types will help you shape what information you collect and how you structure your team, and will provide you with a framework in which you can brief the board on how this capability will benefit different areas of the business. It also shows you have considered all aspects of the intelligence spectrum, that you understand the needs of the business and that you understand how the different types of intelligence mutually support one another. For this article, we will leave the different types of intelligence here, but to note, we will revisit the concept in later articles, especially when it comes to how to collect these different types of intelligence.
Now that we have our foundation and structure, we can add arguably the most important aspect of the capability: the team. Look out for next week's article, in which we will discuss the different ways the CTI team can be structured and also how you can begin to analyse your own operational environment to discover your own vulnerabilities. This will lead to the final article, in which we will look at how to discover the different threats targeting you and finally put everything together into a working and operational CTI capability.