Why you need Cyber Threat Intelligence
Experts manning the Port of Los Angeles Cybersecurity Operations Center, which adjudicates thousands of security events weekly and analyzes attack patterns. Credit: Port of Los Angeles, CA


Looking back, 2018 reinforced the need for threat-based security. Nation state actors are hungry for intellectual property, and have consistently proven willing to exploit cyberspace to get it; it's not a new concept, it's old spycraft and espionage adapted for the digital age. Meanwhile, criminals continue to use every tool at their disposal to make money at the expense of others, and cyber is often the cheapest and fastest way to do it. We shouldn't be clutching at our pearls that it's occurring, but we must stay informed on what these threats are doing and how they're doing it (the military calls this 'tactics, techniques, and procedures'), and every organization with a network to protect and an on-staff IT security team should have access to actionable threat intelligence that informs their risk decisions.

Some words about the threat space: The cyber landscape is complex and the advanced threats are numerous, and there is no shortage of news clips that prove this. Every organization that runs a proprietary, internal network infrastructure has an obligation to protect its data, both intellectual property and employee/client PII.


Chinese hackers, working for state security, have made off with terabytes of sensitive-but-unclassified information within the defense sector, and the personal data of millions of personnel, prompting the Department of Defense to ramp up protective efforts and prioritize information security in military contracts. While the defense sector may eventually reap the benefits of its protective partnership with DoD (an entity that, by its very nature, can punch back at the cyber attackers), organizations in other sectors must partner with law enforcement, maintain a defensive posture, and have no insight into offensive operations that might stop attacks against their industry.

Non-state persistent threats, such as criminal organizations, have repeatedly pilfered personally identifiable information (PII, like social security numbers, as well as online access credentials like user names/passwords) on employees and clients from corporate networks to re-sell on the dark web or commit fraud, and have even hijacked organizational infrastructure to mine cryptocurrency (called "cryptojacking").

Consider these as well:

  • You likely don't know they're there. Many organizations are notified by law enforcement or other cyber watch-dogs (such as white-hat hacking groups) that they are vulnerable or have been infiltrated. Often, these persistent actors get in on stolen credentials, establish back-doors, then exfiltrate their data at their leisure. If you don't have the right intrusion detection and prevention solutions in place, the first time you become aware of it will be well after you can do anything to stop it, forcing you into damage-control mode.
  • The biggest threat is often the insider, tricked into downloading malware or exposing credentials through phishing or more sophisticated social engineering. These employees don't have to be willing partners with bad actors; often their desire to "get things done" and loopholes and lapses in network security conspire against them.
  • Most concerning, I've heard that many organizations are still focused on a compliance-first approach and incomplete vulnerability remediation plans, or rely on anecdotal or outdated information about the threat space. Some just ignore it completely, preferring to hide behind firewalls of ignorance (I've got a firewall and antivirus, so I'm all set, right?). As a result of this mentality, state-sponsored and non-state threat actors don't have to execute complex attacks to be successful -- they just have to be persistent. Most of the time they exploit vulnerabilities that should have been fixed.

As military officers, intelligence preparation of the environment (IPoE) is second nature to us in operational planning (fair warning: don't click that link unless you want a little bedtime reading). It's one of the first things any commander asks for -- "what's the latest intelligence?" What is the composition of the enemy force, what capabilities do they have to exploit my weaknesses, and are my forces suitable to match them? You've likely heard how cyberspace is a contested battlefield, and if you join your corporate network to the internet you are now part of that space. Thus, your castle is just as vulnerable as others, but also just as defendable!

Any CISO or Security Manager should be asking "what's the latest intelligence?" -- threat-informed risk management tells you where to focus your efforts and investments for maximum effect. Without it, you're flying blind and making your best guess based on potentially flawed information (did you make an acquisition decision based on a sales pitch, or what you heard from a trade show two years ago?). Threat intelligence will paint an ever-changing picture, forcing you to develop an agile security posture and constantly re-assess the tools you're investing in. There's a growing professional cadre of threat intelligence specialists that should be an integral part of any CISO's team, and they should be laser-focused -- without distraction! -- on a few key duties:

  1. Cultivating close relationships with law enforcement, local government, and other security experts in the industry at the specialist level -- often they will hear of breaches, and the lessons to be learned from them, before anyone else!
  2. Reading! Your intel specialist will spend every day absorbing cybersecurity news big and small, learning what's working and what's not, and understanding how the 24/7 news cycle informs the threat space.
  3. Attending virtual and in-person meetings with public/private threat intelligence sharing groups. These groups are managed by the local or federal government, software vendors, industry partners (including competitors!), academia, and even your internet service provider (ISP) that has a vested stake in downstream data protection. All are invaluable to an intelligence analyst but demand transparency to be effective -- the analyst must be empowered to share information, such as lessons learned from recent incidents, that would help others make informed risk decisions.
  4. Advising senior leaders, informing policy decisions, and influencing acquisition of new software or hardware: "That make/model of router might meet all of our capability needs, but it was the most-hacked router on the market in 2017, including three in our sector and one in the same city..."
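To make "threat-informed risk management" concrete, and to show the difference from the compliance-first ranking criticized above, here is an added example (not code from the original article). It orders the same vulnerability backlog two ways: by CVSS severity alone, and by severity plus what the intelligence says about who is exploiting that weakness class against our sector and whether they can reach the asset. Every finding ID, asset, actor name, sector and scoring weight is a constructed placeholder for illustration, not a real CVE, a real threat-actor report, or a recommended weighting.

```python
"""Threat-informed vs. CVSS-only prioritisation of a vulnerability backlog.

Added example; not code from the original article. All findings, actor
reports, sectors and weights are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str        # constructed placeholder, not a real CVE identifier
    asset: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    internet_facing: bool  # reachable by an external actor without a foothold
    weakness: str          # weakness class the finding belongs to


@dataclass(frozen=True)
class ActorReport:
    actor: str             # constructed placeholder actor name
    sectors: frozenset     # sectors the actor is reported to target
    exploits: frozenset    # weakness classes observed in the actor's TTPs


# Constructed sample backlog (not real data).
FINDINGS = [
    Finding("F-1", "build-server", 9.8, False, "kernel-privesc"),
    Finding("F-2", "vpn-gateway", 7.5, True, "vpn-auth-bypass"),
    Finding("F-3", "hr-portal", 8.1, True, "web-sqli"),
    Finding("F-4", "laptop-fleet", 6.5, False, "office-macro"),
]

# Constructed sample intelligence reports (not real actors or campaigns).
REPORTS = [
    ActorReport("ACTOR-A", frozenset({"defense", "manufacturing"}),
                frozenset({"vpn-auth-bypass", "office-macro"})),
    ActorReport("ACTOR-B", frozenset({"retail"}),
                frozenset({"web-sqli"})),
    ActorReport("ACTOR-C", frozenset({"manufacturing"}),
                frozenset({"vpn-auth-bypass"})),
]

OUR_SECTOR = "manufacturing"

# Weights are assumptions chosen for illustration; tune to your own risk appetite.
PER_ACTOR_BONUS = 3.0   # each actor targeting our sector with this weakness class
EXPOSURE_BONUS = 2.0    # asset is reachable from the internet


def relevant_actors(f: Finding, reports: list, sector: str) -> list:
    """Actors reported to target our sector AND to exploit this weakness class."""
    return sorted(r.actor for r in reports
                  if sector in r.sectors and f.weakness in r.exploits)


def threat_score(f: Finding, reports: list, sector: str) -> float:
    """Severity, raised by observed targeting and by exposure."""
    score = f.cvss + PER_ACTOR_BONUS * len(relevant_actors(f, reports, sector))
    if f.internet_facing:
        score += EXPOSURE_BONUS
    return score


def rank_by_cvss(findings: list) -> list:
    """Compliance-first ordering: highest CVSS base score first."""
    return [f.finding_id
            for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_threat(findings: list, reports: list, sector: str) -> list:
    """Threat-informed ordering: who is exploiting it, and can they reach it."""
    return [f.finding_id
            for f in sorted(findings,
                            key=lambda f: threat_score(f, reports, sector),
                            reverse=True)]


if __name__ == "__main__":
    print("CVSS-only order:     ", rank_by_cvss(FINDINGS))
    print("Threat-informed order:", rank_by_threat(FINDINGS, REPORTS, OUR_SECTOR))
    for f in FINDINGS:
        print(f"{f.finding_id} {f.asset:13} cvss={f.cvss:4} "
              f"score={threat_score(f, REPORTS, OUR_SECTOR):5} "
              f"actors={relevant_actors(f, REPORTS, OUR_SECTOR)}")
```

Run as-is and the two orderings disagree: CVSS alone puts the internal build server first, while the threat-informed ranking moves the internet-facing VPN gateway to the top because two actors reported against our sector are exploiting exactly that weakness class, and drops the SQL injection finding below it because the only actor using that technique targets a different sector. The weights are deliberately simple; the point is that the intelligence feed, not the severity number, is what changes the order.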

If you don't want to hire a new analyst you can grow your own using courses offered by organizations like SANS or any number of cyber training centers or universities, and certifications like GIAC's Cyber Threat Intelligence (GCTI) or EC-Council's Certified Threat Intelligence Analyst. Many smaller firms might consider retaining such talent to be cost-prohibitive, and for them there are on-demand virtual consulting solutions that, while not as ideal as a full time analyst, can be a torch in the darkness for organizations seeking guidance. Regardless of its origin, threat-based security is a smarter way to invest and implement a robust security posture, and I encourage any organization with an IT security department to add a dedicated threat intelligence expert to your team (and don't be afraid to grow your own!).

I would be remiss if I didn't mention that military veterans of all types make outstanding intelligence and cybersecurity specialists!

The opinions expressed herein are my own and do not express official positions of the U.S. Government.

All images used were obtained under Creative Commons license and "labeled for reuse" via Google Images. Citations: NBC News, Center for Internet Security (CIS), U.S. Naval Institute, Office of Personnel Management, BreakingDefense.com, Insurance Information Institute, Government Cyber Insider, CSOOnline.com, EdgeScan's 2018 Vulnerability Statistics Report, FBI.gov, Malwarebytes, U.S. Joint Chiefs of Staff, TheBalanceCareers.com, Cyber Threat Alliance, SANS, GIAC, EC-Council.
