To stay secure, organizations need to outsmart cyber attackers, not only while an attack is under way but before it begins, so that it can be prevented. Aging IT infrastructure and advanced persistent threats (APTs) are risks affecting many government agencies as well as private enterprises. While no guarantee of complete protection is possible, cyber threat intelligence (CTI), the collection and application of knowledge about attackers, allows defenders to reduce the chances of an attack succeeding or even starting. The key is to be proactive, not reactive.
Where Should You Start?
Federal information systems are continually adapted to provide more services online, collect and store more data, and interface with more external systems and service providers. While the Federal Information Security Modernization Act, 2014 (FISMA), Office of Management and Budget (OMB) policy, and National Institute of Standards and Technology (NIST) recommendations and standards all help to improve security posture, good CTI needs more than tools, guidelines and federal contract clauses.
A key starting point is to first understand the assets, infrastructure, personnel and operations of the organization to be protected. This is the only way to understand whether and how attackers will be attracted to the organization and whether the organization is offering such attackers opportunities for attack. The importance of this first step is that it allows the intent of malicious actors to be mapped out, which, in turn, lays the foundation for correctly targeted CTI and effective IT security.
Organizing Your CTI
Four types of cyber threat intelligence can be defined:
- Strategic. This is high-level information on the cyber threat landscape and its evolution. Assessment of new threats and re-assessment of existing threats require input from senior management to determine which threats must be addressed as a priority.
- Tactical. Provides details on attacker modes of operation, tools and tactics, allowing an organization to disable or hinder attacker activity where possible.
- Technical. According to the risk profile and IT infrastructure of the organization, types and instances of malware are identified, for instance by indicator, signature or binary code analysis.
- Operational. Concerns details of attacks in progress to help stop them now and prevent them in the future.
CTI Tools and Resources
Good tools for gathering intelligence increase efficiency. Automated information collection and analytics help human analysts reach the right conclusions faster; analysts remain the only ones who can properly relate information and insights to the specific situation and needs of their organization. In addition to their own information and intelligence, CTI teams can leverage additional sources. These include open source intelligence and information received from other organizations or agencies, helping the CTI team to compare threat intelligence and optimize the way it spends its own time and budget.
Next Steps for Improving Cyber Security
With information, analysis and insights, an organization can put its own CTI plan of action into operation. For example, if a specific foreign group is perceived to be a threat for political, economic, or business reasons, the risk of attack by that group can be mitigated. Budgets, resources and focus can be adjusted and specific indicators of compromise (IOCs) created. With a suitable strategy and planning, an organization can optimize its use of the resources at its disposal. It can deal more effectively with increasing volumes of data. Overall, it can gather and maintain cyber threat intelligence with increased effectiveness and less outlay.
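The technical and operational use of CTI described above (identifying malware instances by indicator, comparing intelligence received from other organizations with the team's own, and applying specific IOCs) comes down to a small amount of tooling. The following is an added example, not code from the original article: it normalizes indicators from two feeds so that the same IOC reported twice (once "defanged" as `203[.]0[.]113[.]5`, once in mixed case with a trailing dot) is recognized as one entry with both sources recorded, then scans log lines for matching IPs, domains and SHA-256 hashes. The feed names, indicator values and log lines are constructed placeholders (RFC 5737 test addresses, `.test` and `.example` names); they are not real IoCs.

```python
"""Added example: normalise IOCs from several feeds and match them against log lines.

All feed names, indicator values and log lines below are constructed
placeholders, not real indicators of compromise.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

IocKey = Tuple[str, str]  # (kind, normalised value)

# Patterns used to pull candidate observables out of a (lower-cased) log line.
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
}

# Constructed sample feeds: (kind, value, source). The shared feed repeats the
# internal IP in defanged form and lists a domain in mixed case with a trailing dot.
FEED_INTERNAL = [
    ("ip", "203.0.113.5", "internal-ir"),
    ("sha256", "0123456789abcdef" * 4, "internal-ir"),
]
FEED_SHARED = [
    ("ip", "203[.]0[.]113[.]5", "isac-share"),
    ("domain", "Updates.Example-Bad.test.", "isac-share"),
    ("ip", "198.51.100.77", "isac-share"),
]

# Constructed sample log lines (proxy, EDR and DNS events).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z proxy src=10.0.0.12 dst=203.0.113.5 "
    "host=updates.example-bad.test action=allow",
    "2024-05-01T10:01:00Z edr host=ws-042 file=C:\\Users\\a\\dl.exe sha256="
    + "0123456789abcdef" * 4,
    "2024-05-01T10:02:00Z dns client=10.0.0.12 query=benign.example.com rcode=NOERROR",
]


def normalize(kind: str, value: str) -> str:
    """Canonicalise an indicator so the same IOC from two feeds compares equal.

    Handles the usual feed differences: case, surrounding whitespace, defanged
    dots such as 203[.]0[.]113[.]5, and trailing dots on fully qualified names.
    """
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    if kind == "domain":
        v = v.rstrip(".")
    return v


def merge_feeds(*feeds: Iterable[Tuple[str, str, str]]) -> Dict[IocKey, Set[str]]:
    """Deduplicate indicators across feeds, keeping every source that reported
    each one so overlap between internal and shared intelligence stays visible."""
    merged: Dict[IocKey, Set[str]] = defaultdict(set)
    for feed in feeds:
        for kind, value, source in feed:
            merged[(kind, normalize(kind, value))].add(source)
    return dict(merged)


def scan_log(lines: Iterable[str], iocs: Dict[IocKey, Set[str]]) -> List[dict]:
    """Extract candidate IPs, domains and SHA-256 hashes from each line and
    report those that match a known indicator, with the feeds that supplied it."""
    hits: List[dict] = []
    for line_no, line in enumerate(lines, start=1):
        text = line.lower()
        for kind, pattern in PATTERNS.items():
            for cand in pattern.findall(text):
                key = (kind, cand)
                if key in iocs:
                    hits.append({"line": line_no, "kind": kind, "value": cand,
                                 "sources": sorted(iocs[key])})
    return hits


if __name__ == "__main__":
    known = merge_feeds(FEED_INTERNAL, FEED_SHARED)
    for hit in scan_log(SAMPLE_LOG, known):
        print(f"line {hit['line']}: {hit['kind']} {hit['value']} "
              f"(reported by {', '.join(hit['sources'])})")
```

Recording every source per indicator is what lets the team compare its own intelligence with what partners share: an IOC seen by both the internal responders and the sharing community is a stronger signal than one from a single feed, and the normalization step is what prevents the same indicator from being counted twice because one feed defanged it.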