How to Build a Cyber Threat Intelligence Team (and Why Technology Isn’t Enough)
By RFSID on October 26, 2017
Editor’s Note: The following blog post is a summary of a RFUN 2017 customer presentation featuring Brian Scavotto, cyber threat intelligence manager at Fannie Mae.
As a threat intelligence analyst it’s easy to become detached from the business you work in.
You spend all day triaging alerts, identifying genuine threats, and ensuring the right people are informed. There never seems to be any time for consultation or collaborative work.
According to Brian Scavotto, who heads up the Cyber Threat Intelligence Team at Fannie Mae, this is a huge problem.
At the recent Recorded Future user conference, Scavotto spoke on the importance of maintaining a consultative approach to cyber threat intelligence (CTI), and how being open to feedback helped his team dramatically improve the service they provide.
With so many technologies available to boost your intelligence gathering operations, it’s easy to forget that human relationships are still the building blocks from which truly outstanding security capabilities are fashioned.
The Good and Bad of Threat Intelligence Teams
Although he had previously built up the threat intelligence program at BB&T Bank, Scavotto joined Fannie Mae as the senior IR handler on the incident response team. Then, three months ago, he was asked to take the reins of the threat intelligence team, and lead them through a period of development.
To kick things off, Scavotto detailed his team’s primary responsibilities at Fannie Mae:
- Managing threat data
- Supporting security operations
- Working alongside the incident response team
- Managing vendor relationships
- Responding to RFIs (requests for information) from company executives, other teams, etc.
- Lots and lots of research
“I knew there were challenges to the way the team had been operating,” Scavotto explained. “I wanted to get a sense of what the threat intelligence community thinks a savvy CTI team should look like.”
“So I went out and asked the community. I threw up messages on information-sharing boards and email groups, and started fielding answers from some of the big established players.”
From the feedback, Scavotto determined that his team should perform three primary functions: feed the detection, prevention, and response cycle; support threat detection and incident response; and reduce organizational risk.
In particular, Scavotto was adamant that his team should add value to other areas of the business in a way that had a tangible impact on organizational risk. At the same time, though, the feedback also highlighted a number of areas in which CTI teams often fall down. Here are some of the top mistakes identified:
- Being overly reactive
- Adding unnecessary IOCs (indicators of compromise) to the SIEM
- Prioritizing speed over accuracy
- Operating in a bubble
- Misusing the term “intelligence”
- Too much focus on tactics and short-term wins
- Lack of true prioritization
- Wild speculation
- Not following through after reporting a threat
Quite the list, wouldn’t you say? Determined not to allow his own CTI team to make these mistakes, Scavotto decided it was time to engage with his principal stakeholders.
MITGA: Making the Intelligence Team Great Again
A truly powerful threat intelligence capability cannot exist in a bubble. Without an in-depth understanding of the business as a whole, the entire process of identifying and prioritizing threats is little more than guesswork.
“I did the only thing I knew how to do,” Scavotto explained. “I went to the other teams, to our customers, and I asked them: What are we doing that’s stupid? What are we doing that’s valuable? What’s impacting your day-to-day work the most? What can we improve?”
With a vehemence that caught him slightly by surprise, Scavotto’s customers answered. They hated receiving emails from his team, and they hated the attachments to those emails even more. They already had hundreds of emails coming in every day, so receiving complex “wall-of-text” PDF attachments was a major cause of frustration.
On top of that, the teams had a few other concerns:
- For numerous reasons, the information being sent often wasn’t read.
- They needed support relevant to their specific workloads.
- They needed intelligence in a more timely manner.
- The CTI team would sometimes speculate, and sound the alarm too early.
To put it simply, to provide a maximally valuable service to their customers, Scavotto’s CTI team would need a detailed understanding of their individual needs and functions, and put in place a constant feedback loop to ensure service improvements were well received.
And that’s exactly what they did. First, they decided to move away from email updates, instead using the microblogging service Yammer. Although far from a perfect solution, Yammer was already available to the team, meaning no sign-off was required to test its efficacy.
The response from their customers was overwhelmingly positive. Important stories could be shared instantly, and relevant personnel tagged to ensure immediate receipt of vital updates. At the same time, members from all teams were able to comment on, discuss, and ask follow-up questions about updates in a way that everybody could benefit from.
But, of course, completely moving away from email isn’t an easy proposition. In some cases, it really is the best medium for important communications.
At the very least, though, Scavotto was determined to replace the old PDF attachments with a faster, more easily digested alternative. The solution: Pre-setup email signatures that could be quickly applied and filled in, while simultaneously being easy to understand.
In this case, part of the feedback Scavotto had received was that whatever medium was used to communicate threat intelligence, it needed to be mobile-friendly. Using the HTML-based email template above, Scavotto’s team was able to solve this problem without spending a penny.
Once again, the feedback was immediate and overwhelmingly positive. Here’s what the finished result looks like:
In line with Fannie Mae’s CTI needs, the email report covers threats, vulnerabilities, exploits, and FS-ARC and FS-ISAC considerations. For each line item, Scavotto’s team includes a brief note on what is currently being done to address the issue in question.
What’s important to note here, though, is the way Scavotto and his team approached this development process: They requested brutally honest feedback from their direct customers, and systematically changed their operating processes to better align with the needs of the business.
And they didn’t bite off more than they could chew. When they started to trial microblogging and the revised email format, updates were only sent to 20-30 people across a handful of teams. Now, as these processes have become more robust, that number is up to 200, and feedback has been consistently good.
Now, of course, Scavotto and his team didn’t stop at simply changing their mediums of communication. Here are some of the other improvements they’ve made to their service in the last few months:
- Renewed focus on BLUF (bottom line up front): Ensuring updates are concise and lead with the most important facts.
- Less jargon: CTI is often plagued by military terminology, but when it comes to communicating with customers, this is often unhelpful. Use of plain language and simple formatting has been well received.
- Constant feedback: Asking for honest feedback isn’t a one-hit solution. Scavotto’s team is working hard to maintain a feedback loop that will enable constant improvement of their operating processes.
This last point is particularly important. If he hadn’t specifically asked for honest feedback, it would have been easy for Scavotto to focus his energies in totally different areas, oblivious to the level of hatred his customers had for the weekly email attachments being sent out.
When you’re trying to maximize the value of your threat intelligence capability, it’s easy to get hung up on complex processes and cutting-edge technologies. If you take the time to listen to your customers, though, you may well find something as simple as getting rid of email attachments could have a profound impact on the uptake of your CTI outputs.
Addressing Customer CTI Needs
Of course, providing an outstanding CTI service isn’t just about the communication process. At the end of the day, you do have to ensure the content of your updates matches the needs of each customer.
At Fannie Mae, executive management is one of the primary customers for CTI. Since executives tend not to have an in-depth knowledge of cyber threats, a big part of the CTI team’s job is to keep executives informed about the most significant current threats to the organization, and to alleviate their fears surrounding media coverage of less relevant threats.
Similarly, Scavotto is concerned that Fannie Mae executives may become targets themselves, whether at home or at the office, and plans to provide executive protection briefings to help mitigate this threat to the organization.
When developing your own cyber threat intelligence capability, it’s vital that you routinely consult with each of your major customers to ensure you are supporting their work to the best of your ability. For instance, in support of your SOC, you might plan to:
- Help identify areas of significant security concern.
- Guide them on which threat sources are highest fidelity.
- Manage data flow from your threat intelligence platform (TIP) into the SIEM.
- Identify tools and online resources that may help them do their jobs.
Once you’ve made improvements to the service you provide, don’t stop. Keep on asking for feedback from existing customers, and if time allows, seek out other areas of the organization that could potentially benefit from CTI. Ultimately, the more value you can add, the greater the impact you’ll have on your organization’s overall level of cyber risk.
Do More With Cyber Daily
Did you notice how important communication was to the CTI process at Fannie Mae? That’s not a coincidence.
One of the biggest issues with applying threat intelligence is that most CTI teams are utterly overwhelmed by high-volume, low-yield threat alerts. Put simply, they don’t have enough time to properly triage each event and forward relevant, valuable intelligence to their customers in a timely manner.
Our free Cyber Daily informs you of the top results for trending technical indicators, like the most targeted industries, active threat actors, suspicious IP addresses, and more.
I look forward to the Cyber Daily update email every morning to start my day. It’s timely and exact, with a quick overview of emerging threats and vulnerabilities.
Chief Information Officer, EBI Consulting