The Recorded Future Blog
4 Rules for Successful Threat Intelligence Teams
by Amanda McKeon on February 16, 2016
Threat intelligence is quickly becoming a core element of risk management for many enterprises.
To truly understand risk, though, the enterprise must grasp and have the capability to handle emerging information security threats to its environment. Other areas of risk — financial risk, operational risk, geopolitical risk, risk of natural disasters — have been part of organizations’ risk management plans since time immemorial; it’s only these last few years that information security has bubbled to the top, and now companies are starting to put weight behind security threat intelligence programs.
Putting a team in place to manage threat intelligence, however, isn’t as easy as other, more established areas of information security. First, it’s newer, and second, organizations might not yet have the right skills and tools in-house.
With that in mind, we’ve identified four simple rules that will help organizations build and maintain a successful threat intelligence team.
(N.B. The rules are simple, but we do realize that implementation is not!)
Tailor Your Talent
It goes without saying that any team — threat intelligence or otherwise — is run by people, so hiring the right people with the right skills is critical. In some cases organizations can groom threat intelligence staff from within, from security operation center (SOC) teams to incident responders. Central skills like log management, networking expertise, and technical research (scouring through blogs, pastes, code, and forums) often come after years of professional information security experience.
Certain parts of threat analysis, however, necessitate distinct and practiced skill sets. Intelligence analysis, correlating and making predictions about threats based on (sometimes seemingly disparate) data, requires highly developed research and analytical skills and pattern recognition.
When building or adding to your threat intelligence team, especially concerning external hires, personalities matter.
Existing teams might feel threatened by new staff who appear to be “taking over” roles and responsibilities. Disgruntled employees are not productive employees. Thus, when forming or adding to the threat intelligence team, pay close attention to the “soft skills” of candidates.
Make sure that teammates can not only all “play nicely in the sandbox,” but that you, as a manager, are communicating frequently, clearly, and honestly about expectations. The interaction and workflow between teams should be pre-planned, and data sharing should facilitate easy integration for the teams responsible for making security verdicts.
Architect Your Infrastructure
Threat intelligence vendors provide strategic intelligence, but organizations should consider building in-house proprietary capabilities that deliver consistent, relevant, and actionable threat data.
Proprietary threat intelligence platforms (TIPs) have the advantage of being tailored to the organization’s specific needs, and often come with a smaller price tag than commercial, off-the-shelf solutions. These custom-engineered solutions should integrate with external vendor systems to automatically collect, store, process, and correlate external data with internal telemetry such as security logs, DNS logs, Web proxy logs, Netflow, and IDS/IPS.
Of course, building powerful proprietary capabilities requires an experienced data architect.
This individual is responsible for designing fast and nimble data structures with which external tools integrate seamlessly and bi-directionally. The data architect should understand not only the technical needs of the organization, but he or she should be involved in a continuous two-way feedback loop with the SOC, vulnerability management, incident response, project management, customer-facing fraud (where applicable), and red teams. This collaborative process facilitates control changes and allows the architect to deliver threat data in a format and on a timeline appropriate for each group.
Notably, threat analysts should never spend time manually processing operational data, and the architect fills that important role of providing the data upon which the analyst draws conclusions that ultimately decrease strategic business risk.
Enable Business Profitability
The goal of every threat intelligence program should be to find emerging threats before they impact the business. Reducing the number of direct threats drives down risk, which in turn increases profitability. Threat intelligence teams must therefore know what the business identifies as levers of profitability in order to prioritize the identification and dissection of threat events and sources.
At the center of profitability are the business’s strategic assets (customers, employees, infrastructure, applications, vendors). Protecting strategic assets is priority number one, and defensive controls need to be managed as threats emerge.
To ensure protection for key assets, threat analysts must be able to examine the larger threat picture and identify such things as general industry threats, trends, attacker TTPs (tactics, techniques, and procedures), and commodity malware. While an attack on one industry organization, for instance, might not result in a direct threat to your own organization, knowing that several enterprises have been been victims of a similar type of attack could indicate the need for hardened internal controls.
The ability to see the larger trends and drill down to direct threats against strategic assets means the threat intelligence team must understand what data it has available internally and what data it needs to source. Information gathering for an unknown purpose other than vague future applicability is a waste of resources, so set your sights on the information directly tied to the business and its levers of profitability.
Enabling business profitability requires an understanding of the business’s goals and roadmap.
To effectively set the roadmap, the executive layer also needs insight into current and future threats. If, for example, the business wants to acquire a partner but the partner is currently being targeted by hacktivist groups for what they deem unfair business practices, the executive team should have that intelligence before determining a market valuation and extending an offer. During a vendor evaluation, as another example, it is important to know if industry-specific malware, like BlackEnergy or Zeus, is emerging. Aligning one’s business with a risky proposition is not a decision to be taken lightly.
Executives need to hear from the threat intelligence team how and why some of those threats translate to risk, and then learn if and how the risk of those threats can be mitigated. Organizational threats will always exist, and it’s up to the business to decide its risk tolerance. Threat teams can aid the process by keeping executives informed but not spreading FUD (fear, uncertainty, and doubt). Delivering the message should be approached in a thoughtful, practical manner; do not overwhelm executives with technical details they neither care about nor understand. Their eyes are on the bottom line, and threat intelligence should be provided that supports moving in an upwards trajectory.
With these four pillars in mind, organizations can run an effective threat intelligence team which contributes to the success of the business. People and tools are important parts of the process, but equally important are cross-functional collaboration and communication.