Good Follow-up Is Essential
Bill Bonney
Cybersecurity Evangelist and Co-Author: CISO Desk Reference Guide (1 & 2)
This is the fifteenth in our series sharing thought pieces and the fifth from the CISO Desk Reference Guide: A Practical Guide for CISOs, Volume 2. In the following excerpt from Bill Bonney’s essay for Chapter 15 on Threat Intel, Bill talks about learning from and acting on threat intel that doesn’t come from vendor or open-source feeds. Please enjoy.
Let me pose a few questions about our threat intel. What organizations are we sharing our cyber threat knowledge with, and what are we learning from them? What is our working (information sharing) relationship with the most high-profile firms that have had breaches? Do we have information coming to us from them? What have we learned?
Notice that we’re asking the same follow-up question: What are we learning? Good threat intelligence should be actionable. When we learn of a threat, we should have a process for determining whether it applies to our organization. We assess the nature of the threat, focusing on the type of asset under attack. Do we have similar assets? What is the method of attack? Are we susceptible to that attack? What breaches have occurred, and could the same attack scenario work against us?
Sometimes that is a simple question to answer: we might not have those kinds of assets at all. Sometimes it is a very complicated one: we might need to run a vulnerability scan or stage a penetration test to find out. Once we know that an attack could work, and we determine that the assets at risk are worth taking extra measures to protect, we need to validate that a breach has not already occurred (patching first can erase the evidence we would need to tell), and then patch, upgrade, disable, back up, and take whatever other actions we deem appropriate to protect against that attack scenario.
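The applicability triage just described, as an added worked example that is not from the book: a small Python routine that matches a received threat report (affected product, vulnerable version range, attack precondition) against an asset inventory and returns, per asset, the simple answer (no such asset, or already fixed), the "we need a scan to find out" answer, or a validate-then-remediate plan that lists the actions from the text in order. The report, the asset inventory, the product name, the version format and the value threshold are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ThreatReport:
    """One piece of intel received from a partner or peer (constructed fields)."""
    source: str
    product: str
    vuln_from: str               # first vulnerable version, inclusive
    fixed_in: str                # first fixed version, exclusive
    technique: str
    needs_internet_facing: bool  # precondition the attack depends on


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: Optional[str]       # None: inventory does not know; must scan
    internet_facing: bool
    value: int                   # business criticality, 1 (low) to 5 (high)


def parse_version(v: str) -> tuple:
    """'2.5.3' -> (2, 5, 3). Tuple comparison orders dotted releases correctly.
    Assumes plain numeric dotted versions; real products need a fuller parser."""
    return tuple(int(p) for p in v.split("."))


def in_vulnerable_range(version: str, report: ThreatReport) -> bool:
    return (parse_version(report.vuln_from)
            <= parse_version(version)
            < parse_version(report.fixed_in))


def decide(report: ThreatReport, asset: Asset, value_threshold: int = 3):
    """Return (verdict, ordered actions) for one asset against one report."""
    # The simple case from the text: we do not have that kind of asset.
    if asset.product.lower() != report.product.lower():
        return "NOT_APPLICABLE", ["no such asset; file the report, no action"]
    # The complicated case: inventory alone cannot answer, so go and look.
    if asset.version is None:
        return "CONFIRM", ["run a vulnerability scan or targeted pentest to establish the version",
                           "re-triage once the version is known"]
    if not in_vulnerable_range(asset.version, report):
        return "NOT_APPLICABLE", [f"version {asset.version} is outside the vulnerable range"]
    # Vulnerable version, but is the attack path actually reachable?
    if report.needs_internet_facing and not asset.internet_facing:
        return "VULNERABLE_NOT_REACHABLE", ["patch in the normal maintenance window",
                                            "confirm network exposure has not changed"]
    # The attack could work here. Validate first, then remediate by value.
    actions = [f"validate no breach has occurred: review logs and hunt for {report.technique}"]
    if asset.value >= value_threshold:
        actions += [f"upgrade to {report.fixed_in} or later out of cycle",
                    "back up configuration before the change",
                    "disable the exposed service until patched if the upgrade is delayed"]
    else:
        actions += ["patch in the normal maintenance window",
                    "track as accepted interim risk"]
    return "EXPOSED", actions


def triage(report: ThreatReport, assets, value_threshold: int = 3) -> dict:
    """Map every asset name to its (verdict, actions) for this report."""
    return {a.name: decide(report, a, value_threshold) for a in assets}


# Constructed sample intel and inventory; product and versions are invented.
REPORT = ThreatReport(
    source="peer firm via ISAC", product="AcmeGateway",
    vuln_from="2.4.0", fixed_in="2.6.1",
    technique="unauthenticated remote code execution over HTTPS",
    needs_internet_facing=True,
)
ASSETS = [
    Asset("edge-gw-01", "AcmeGateway", "2.5.3", internet_facing=True, value=5),
    Asset("gw-02", "AcmeGateway", None, internet_facing=True, value=4),
    Asset("gw-03", "AcmeGateway", "2.6.1", internet_facing=True, value=4),
    Asset("lab-gw", "AcmeGateway", "2.5.0", internet_facing=False, value=1),
    Asset("kiosk-gw", "AcmeGateway", "2.5.0", internet_facing=True, value=1),
    Asset("db-01", "PostgreSQL", "15.4", internet_facing=False, value=5),
]

if __name__ == "__main__":
    for name, (verdict, actions) in triage(REPORT, ASSETS).items():
        print(f"{name}: {verdict}")
        for step in actions:
            print(f"    - {step}")
```

The verdict names are mine; what matters is that the three branches of the text (no such asset, need to test to find out, attack could work) fall out of data the inventory already holds, and that the "validate no breach" step always precedes remediation.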
The next two questions both concern what we are learning through public, mostly media, sources: how is social media responding, and what are we hearing from the national news media? Both look outward. With social media, our own organization is the subject. With the national news media, we are concerned with how the press is treating various high-profile breaches and how the public (citizens, industry, and government) is reacting. What we hope to learn from these two sources, and how we might respond to what we learn, are very different.
Our approach to social media as a threat intelligence source should not be confused with our organization’s policy on the use of social media by our marketing department or our workforce. Using social media as a threat intelligence source means monitoring and reacting appropriately to mentions about our organization. Are we being disparaged by customers or activists? Are specific actions being advocated? Are our commercial practices being denigrated, or are our lobbying efforts, our third-party relationships, our community relations, or our organizational governance policies generating controversy? Are we being associated (even inaccurately) with other organizations or actions taken by or against those groups or activities in response?
The national news media is another valuable source of threat intelligence, with an interesting caveat. An effective threat intelligence program should make you aware of threats specific to your industry before you read about them in the national news. Public opinion can create a sense of crisis very quickly, and that sense of crisis can either amplify the threat to your organization or generate concern within it from management, the workforce, or the board of directors. That fear, in turn, creates urgency to act. Knowing that threats specific to your industry are active before the national news reports them gives you a critical head start to understand the danger, devise an action plan, and prepare to execute it without an aura of crisis.
To see how the CISO Desk Reference Guide, Volume 2 fits into your reading journey, reference our reader's guide on our LinkedIn Company page: