Drafting First-Round Picks for an All-Star Threat Intelligence Team
By Zane Pokorny on December 26, 2018
Editor’s Note: Over the last few months, we’ve been sharing excerpts from our new book, “The Threat Intelligence Handbook.” Here, we’re looking at the tenth and final chapter, “Developing the Core Threat Intelligence Team.” To read the full chapter, download your free copy of the handbook.
In previous chapters of “The Threat Intelligence Handbook,” we’ve looked at how to integrate threat intelligence capabilities within your already existing security processes. Having reached the final chapter, we now make a few suggestions about how to organize your core threat intelligence team itself.
Now that we’re exploring how to create a team specifically committed to threat intelligence, it’s helpful to outline their differentiated responsibilities. Threat intelligence analysts will generally take on the following tasks:
- Identify current and future information security threats to the business’s strategic assets
- Answer the “who, how, and why” for any given attack
- Dissect attack tactics, techniques, and procedures (TTPs)
- Evaluate attacker TTP relevance and impact in the business context
- Identify opportunities to make high-level security architecture changes that will hinder an adversary’s specific TTPs
The best threat intelligence programs involve strategic analysis centered around talented human resources who are supported by automated processes that take care of tedious tasks like processing data. This human-machine pairing is called the centaur model, which was originally theorized by chess legend Garry Kasparov. He made this argument a few years ago: “Weak human plus machine plus better process was superior to a strong computer alone and, more remarkable, superior to a strong human plus machine plus inferior process.”
One thing the centaur model highlights is how different groups working together and playing to their strengths will often succeed over individual groups that may be stronger pound for pound but can’t make a unified effort. This same lesson also extends to the question of where to place a threat intelligence team within the larger organizational structure of a security team — the right answer is often to be a specialized group, but one that remains part of a larger coalition.
In this chapter from our new book, “The Threat Intelligence Handbook,” which has been edited and condensed for clarity, we’ll explore in greater depth what that group should look like.
Dedicated, but Not Necessarily Separate
You can start your threat intelligence journey with people who continue to play other roles on different teams in the organization. At this point, two questions will arise:
- Should there be a dedicated threat intelligence team?
- Should it be independent, or can it live inside another cybersecurity group?
The answers are: yes, and it depends.
A Dedicated Team Is Best
As you develop a comprehensive threat intelligence program, you should build a team dedicated to collecting and analyzing threat data and turning it into intelligence. The sole focus of this team should be to provide relevant and actionable intelligence to key stakeholders, including senior executives and members of the board.
Dedication and a broad perspective are needed to ensure team members devote enough time to collecting, processing, analyzing, and disseminating intelligence that provides the greatest value to the enterprise as a whole, rather than yielding to the temptation to focus on the intelligence needs of one group or another.
Its Location Depends on Your Organization
Organizational independence, as shown in the image below, has its advantages, such as greater autonomy and prestige.
However, these advantages can be completely offset by the jealousies and political issues caused by creating a team with a new high-level manager and its own budget that pulls budding threat intelligence analysts out of their existing groups.
A dedicated threat intelligence team does not necessarily need to be a separate function reporting directly to a VP or the CISO. It can belong to a group that already works with threat intelligence. In many cases, this will be the incident response group. This savvy approach can avoid conflict with entrenched security teams.
Picking the People
If you take a gradual approach to building your core threat intelligence team, start with individuals who are already in the cybersecurity organization and are applying threat intelligence to their particular areas of security. They may not have the title “threat intelligence analyst” or see themselves that way at first, but they can form the backbone of your emerging threat intelligence capability.
We have emphasized that the threat intelligence function exists to strengthen other teams in the cybersecurity organization so they can better protect a specific enterprise. It is therefore critical that the threat intelligence team include people who understand the core business, operational workflows, network infrastructure, risk profiles, and supply chain, as well as the technical infrastructure and software applications of the entire enterprise.
As the threat intelligence team matures, you’ll want to add members with the following skills:
- Correlating external data with internal telemetry
- Providing threat situational awareness and recommendations for security controls
- Proactively hunting internal threats, including insider threats
- Educating employees and customers on cyber threats
- Engaging with the wider threat intelligence community
- Identifying and managing information sources
Collecting and Enriching Threat Data
We talked a little about sources of threat data in Chapter 1. Here, we explore how a threat intelligence team can work with a range of sources to ensure accuracy and relevance.
The Human Edge
Threat intelligence vendors can provide some types of strategic intelligence, but you can also develop in-house capabilities to gather information about the topics and events most relevant to your enterprise.
For example, you could develop an internal web crawler that analyzes the web page code of the top 5,000 web destinations visited by your employees. This analysis might provide insights into the potential for drive-by download attacks. You could share the insights with the security architecture team to help them propose controls that defend against those attacks. This kind of threat intelligence generates concrete data, which is much more useful than anecdotes, conjecture, and generic statistics about attacks.
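To make the crawler idea concrete, here is an added example that is not from the handbook or its authors: a small static analyzer that scores fetched page source for features commonly associated with drive-by download pages (hidden or zero-size iframes, scripts loaded from third-party hosts, and inline scripts that pair eval-style calls with long encoded strings) and rolls the per-page results into the kind of report a security architecture team could act on. It does not fetch anything; the HTML strings are constructed, the hostnames are placeholders, and the heuristics, weights and threshold are this example's own assumptions rather than anything the book prescribes.

```python
"""Static scoring of crawled page source for drive-by risk indicators.

Added example, not the handbook's code. Heuristics and weights are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Patterns for inline scripts: an eval-style call combined with a long run of
# percent- or hex-encoded bytes (20+ in a row). Both thresholds are assumptions.
OBFUSCATION = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(")
LONG_ENCODED = re.compile(r"(%[0-9a-fA-F]{2}){20,}|(\\x[0-9a-fA-F]{2}){20,}")


class PageFeatureParser(HTMLParser):
    """Collect hidden iframes, off-site script hosts and inline script bodies."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hidden_iframes = 0
        self.offsite_hosts = set()
        self.inline_scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or "display:none" in style or "visibility:hidden" in style:
                self.hidden_iframes += 1
        elif tag == "script":
            src = a.get("src")
            if src:
                host = urlparse(src).hostname
                if host and host != self.page_host:
                    self.offsite_hosts.add(host)
            else:
                self._in_script = True  # inline script: body arrives via handle_data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data)


def analyze_page(url, html):
    """Score one page: 3 for any hidden iframe, 2 per obfuscated inline script,
    1 per distinct third-party script host (weights are assumptions)."""
    parser = PageFeatureParser(urlparse(url).hostname)
    parser.feed(html)
    parser.close()
    obfuscated = sum(1 for s in parser.inline_scripts
                     if OBFUSCATION.search(s) and LONG_ENCODED.search(s))
    findings = []
    if parser.hidden_iframes:
        findings.append(f"{parser.hidden_iframes} hidden/zero-size iframe(s)")
    if obfuscated:
        findings.append(f"{obfuscated} inline script(s) with eval-style call and long encoded string")
    if parser.offsite_hosts:
        findings.append("third-party scripts from " + ", ".join(sorted(parser.offsite_hosts)))
    score = 3 * bool(parser.hidden_iframes) + 2 * obfuscated + len(parser.offsite_hosts)
    return {"url": url, "score": score, "findings": findings,
            "offsite_hosts": sorted(parser.offsite_hosts)}


def crawl_report(pages, threshold=3):
    """Summarise a crawl: pages at or above the threshold, plus the set of
    third-party script hosts seen anywhere (useful input for an allowlist)."""
    results = sorted((analyze_page(u, h) for u, h in pages.items()),
                     key=lambda r: r["score"], reverse=True)
    hosts = sorted({h for r in results for h in r["offsite_hosts"]})
    return {"flagged": [r for r in results if r["score"] >= threshold],
            "third_party_script_hosts": hosts, "pages_scanned": len(results)}


# Constructed sample pages; hostnames are placeholders, not real sites.
ENCODED = "%41" * 24  # constructed filler standing in for a long encoded blob
SAMPLE_PAGES = {
    "https://intranet.example/": """<html><body><p>Internal portal</p>
        <script src="https://intranet.example/app.js"></script></body></html>""",
    "https://news.example/": """<html><body><h1>Daily news</h1>
        <script src="https://news.example/app.js"></script>
        <script src="https://cdn.example-ads.invalid/tag.js"></script></body></html>""",
    "https://forum.example/thread/42": f"""<html><body><p>Thread</p>
        <iframe src="https://track.example-stats.invalid/x" width="0" height="0"></iframe>
        <script>eval(unescape("{ENCODED}"));</script></body></html>""",
}

if __name__ == "__main__":
    report = crawl_report(SAMPLE_PAGES)
    for r in report["flagged"]:
        print(r["url"], r["score"], "; ".join(r["findings"]))
    print("third-party script hosts:", report["third_party_script_hosts"])
```

In a real deployment the dictionary would be filled by the crawler from proxy-log top destinations, and the report's flagged pages and host list are the concrete data the paragraph describes: a count of pages with hidden iframes or obfuscated scripts, and the list of third-party script origins that a script-allowlisting or proxy-filtering control would need to cover.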
Proprietary sources that can strengthen your threat intelligence resources include:
- Vendor or ISAC feeds
- Threat intelligence team research
An automated threat intelligence solution enables the threat intelligence team to centralize, combine, and enrich data from multiple sources before the data is ingested by other security systems or viewed by human analysts on security operations teams.
The image below shows the elements of an automated threat intelligence solution. In this process, information from a threat intelligence vendor is filtered to find data that is important to the enterprise and specific cybersecurity teams. Then, it is enriched by data from internal threat intelligence sources and output in formats appropriate for targets such as SIEMs and incident response systems. This automated translation of data into relevant insights is the very essence of threat intelligence.
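The filter, enrich and output steps just described (and the "correlating external data with internal telemetry" skill listed earlier) reduce to a short pipeline. The following is an added example, not code from the handbook or any vendor's platform: a constructed vendor feed is filtered by sector and confidence, enriched with constructed internal sightings, and emitted once as flat SIEM events and once as incident response tickets. All field names, the sector label, the confidence bar and the priority rule are assumptions made for the example; the indicator values are documentation ranges and reserved names, not real IoCs.

```python
"""Filter -> enrich -> output pipeline over constructed threat data.

Added example, not the handbook's code. Schemas and thresholds are assumptions.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Constructed vendor feed (documentation IP ranges and a reserved TLD, not real IoCs).
VENDOR_FEED = [
    {"indicator": "198.51.100.23", "type": "ip", "confidence": 90,
     "sectors": ["finance", "retail"], "source": "vendor-A"},
    {"indicator": "203.0.113.9", "type": "ip", "confidence": 40,
     "sectors": ["healthcare"], "source": "vendor-A"},
    {"indicator": "example-bad.invalid", "type": "domain", "confidence": 85,
     "sectors": ["finance"], "source": "isac-feed"},
    {"indicator": "192.0.2.77", "type": "ip", "confidence": 95,
     "sectors": ["energy"], "source": "vendor-A"},
]

# Constructed internal telemetry: proxy/firewall sightings keyed by indicator.
INTERNAL_SIGHTINGS = {
    "198.51.100.23": [{"host": "wks-0412", "when": "2018-12-20T09:14:00Z"},
                      {"host": "wks-0931", "when": "2018-12-21T16:02:00Z"}],
    "example-bad.invalid": [{"host": "srv-mail-01", "when": "2018-12-19T03:40:00Z"}],
}

ENTERPRISE_SECTOR = "finance"  # assumed business context used for relevance
MIN_CONFIDENCE = 60            # assumed confidence bar for ingestion


@dataclass
class EnrichedIndicator:
    indicator: str
    type: str
    confidence: int
    source: str
    sightings: list[dict] = field(default_factory=list)

    @property
    def priority(self) -> str:
        # An indicator already seen on the network is an active issue, whatever
        # the vendor's confidence; otherwise rank on confidence alone.
        if self.sightings:
            return "high"
        return "medium" if self.confidence >= 80 else "low"


def filter_relevant(feed, sector=ENTERPRISE_SECTOR, min_confidence=MIN_CONFIDENCE):
    """Step 1: keep feed entries that matter to this enterprise."""
    return [r for r in feed
            if sector in r["sectors"] and r["confidence"] >= min_confidence]


def enrich(records, sightings=INTERNAL_SIGHTINGS):
    """Step 2: correlate each relevant indicator with internal telemetry."""
    return [EnrichedIndicator(r["indicator"], r["type"], r["confidence"], r["source"],
                              list(sightings.get(r["indicator"], [])))
            for r in records]


def to_siem_events(enriched):
    """Step 3a: one flat event per indicator, the shape a SIEM correlation rule wants."""
    return [{"event_type": "threat_intel_match", "indicator": e.indicator,
             "indicator_type": e.type, "confidence": e.confidence,
             "priority": e.priority, "sighting_count": len(e.sightings),
             "source": e.source}
            for e in enriched]


def to_ir_tickets(enriched):
    """Step 3b: tickets only for indicators actually seen, since IR needs something to act on."""
    return [{"title": f"Sighting of {e.indicator} ({e.type})",
             "hosts": sorted({s["host"] for s in e.sightings}),
             "first_seen": min(s["when"] for s in e.sightings),
             "priority": e.priority}
            for e in enriched if e.sightings]


def run_pipeline(feed=VENDOR_FEED, sightings=INTERNAL_SIGHTINGS):
    enriched = enrich(filter_relevant(feed), sightings)
    return {"siem": to_siem_events(enriched), "ir": to_ir_tickets(enriched)}


if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

Two of the four feed entries survive the relevance filter; both have internal sightings and so surface as high-priority SIEM events and as IR tickets listing the affected hosts. A relevant indicator with no sightings would still reach the SIEM (for future matching) but would not open a ticket, which is the point of separating the two output formats.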
The Role of Intelligent Machines
Advances in machine learning and natural language processing (NLP) can bring additional advantages to the threat intelligence team. With the right technology, references to threats from all sources can be rendered language-neutral, so they can be analyzed by humans and machines regardless of the original language used. We’ve reached the point where artificial intelligence (AI) components have successfully learned the language of threats and can accurately identify “malicious” terms.
The combination of machine learning, NLP, and AI offers huge opportunities for organizations to leverage threat intelligence. Not only can these technologies remove language barriers, but they also can reduce analyst workloads by taking on many tasks related to data collection and correlation. When combined with the power to consider multiple data and information sources concurrently to produce genuine threat intelligence, these capabilities make it far easier to build a comprehensible map of the threat landscape.
Engaging With Threat Intelligence Communities
Threat intelligence cannot flourish in a vacuum. External relationships are the lifeblood of successful threat intelligence teams. No matter how advanced your team might be, no single group can be as smart individually as the threat intelligence world as a whole.
Many threat intelligence communities allow individual enterprises to share relevant and timely attack data so they can protect themselves before they are victimized. Engaging with trusted communities such as ISACs is crucial for decreasing risk, not just for your individual enterprise, but also for the entire industry and the cybersecurity world at large. Participation requires time and resources — for example, to communicate with peers via email and to attend security conferences — but relationship building must be a priority in order for threat intelligence to be successful.
Get The Threat Intelligence Handbook
The full chapter of the book also details the four different types of threat intelligence — strategic, tactical, operational, and technical — and provides scenarios for how you would use them. In addition, the rest of the book includes chapters on the many different use cases for threat intelligence, including incident response, vulnerability management, digital fraud protection, and more. It’s an essential guide to all things threat intelligence, so download your free copy of “The Threat Intelligence Handbook” today.