Key Initiatives of a Strong Threat Intelligence Program
November 9, 2017 • RFSID
Editor’s Note: The following blog post is a partial summary of a RFUN 2017 customer presentation featuring Bryan Campbell, senior security researcher at Fujitsu, and Rob Kraus, senior director, global threat intelligence center operations at NTT Security.
- IT use cases aren’t the only applications of threat intelligence. Things like reputation and potential misuse of intellectual property are also worthwhile considerations.
- Threat intelligence programs need to be approached with intention. Clear goals among leadership and the security team must be set.
- Following the intelligence lifecycle considerably influences the success of your threat intelligence program.
- Remember that intelligence without action is lost. If you don’t know how information can be applied and the outcomes it generates, you’re not going to get very far.
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
Gartner, Definition: Threat Intelligence
Before implementing an effective threat intelligence program, it is imperative to define what exactly threat intelligence is. The above definition focuses on the IT-related aspects, which are certainly core to the practice. However, threat intelligence extends into a number of different applications that aren’t necessarily IT assets, but still impact the bottom line, including brand reputation, abuse or misuse of intellectual property, activities across geographically disparate markets, and more.
Also critical to building an effective threat intelligence program is knowing that it’s an ongoing, repeating process: the intelligence lifecycle. Businesses and security teams alike should be prepared to set clear goals and properly focus information to maximize positive security impacts.
The Intelligence Lifecycle
Executing on the intelligence lifecycle determines your success in implementing a threat intelligence program. Each phase needs to be addressed adequately and with the understanding that it is the repeating process mentioned above:
- Planning, requirements, and direction
- Raw information collection based on requirements
- Information processing and exploitation
- Intelligence analysis and production
- Dissemination of the intelligence product, feeding back into the next round of planning
The intelligence lifecycle begins by defining needs. What keeps executives and security analysts up at night? These needs are called priority intelligence requirements (PIRs), and they determine the knowledge you are looking to gain. PIRs also dictate what raw information needs to be collected and how it is processed and exploited. Processing and exploitation take information from its raw state, map it to PIRs, and turn it into an intelligence product. Lastly, and most often overlooked, there is the question of how to disseminate that product so it reaches the people who can act on it. Doing all of this well is a significant investment, and each step needs to be evaluated on a regular basis.
Creating a Plan and Setting Goals and Expectations
A key consideration in building out a threat intelligence program is knowing that intelligence without action is about as valuable as not having intelligence at all. It’s necessary to understand why you’re interested in investing in an intelligence program, followed by putting some key performance indicators (KPIs) behind it. Know what threat intelligence means to your business, how you can leverage and apply the information, and what outcomes can be generated. Investing in a program isn’t enough — how will it get you to where you want to be with respect to protecting your organization? Here’s what you should be evaluating to adequately answer that question:
What do you expect intelligence to give you? Why are you interested in investing in your intelligence program?
If building out a threat intelligence program is an initiative, it’s not enough to simply make the decision to move forward. Without direction or goals, it won’t get far, especially among a full team of security analysts with their own visions. Develop a clear goal and a common vision.
What are the defined KPIs?
Without quantifiable measures, it’s difficult to determine if goals are being met as a threat intelligence program progresses. KPIs can evolve as businesses grow or change, or as goals are met, and can address both the short and long term.
For instance, if the objective is to invest in intelligence, can you estimate how many attacks per year it will help prevent, and how much money that saves? As the program grows and more budget is needed, you will have to demonstrate what the organization is getting out of the investment.
Remember that intelligence capabilities are proportional to how you invest in your program.
This includes people, processes, procedures, training, information sources, etc. If you only invest a small amount of budget into your intelligence program, you may not get a lot out of it (refer back to those KPIs). Know how much you need to invest in processes, people, and procedures to make it worthwhile, hit KPIs, and meet your intelligence goals.
No one sees everything — however, if you look for nothing, you will most certainly find nothing.
Intelligence without action is lost. Consider the recent attacks on major organizations that could have been prevented had the right threat intelligence been acted upon in time (the Equifax breach, for example, where a patch for the exploited vulnerability was publicly available before the intrusion). Define what threat intelligence truly means for your organization, how information can be applied, and the potential outcomes.
The Criticality of Filtering Data
If everything is intelligence, then nothing is intelligence.
Wilhelm Agrell, Ph.D.
Professor in Intelligence Analysis at the Research Policy Institute, Lund University, Sweden
To generate an intelligence product and actionable intelligence, data has to be filtered. Even collection driven by PIRs brings in far more than is relevant; that surplus is “noise.” Noise has to be filtered and scrubbed, and the remaining artifacts grouped according to their defining characteristics, because data does not become information until it is assigned a purpose. Information that can be shown to serve a strategic purpose, one that can be used to gain an advantage, is intelligence. Finally, actionable intelligence is an intelligence-led, evidence-based assessment that someone can act upon, with a defined response that can be initiated.
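As an added illustration of the processing and exploitation step described in the lifecycle section above and the noise filtering described here, the following Python sketch (example code written for this page, not from the presentation, Fujitsu, NTT Security or Recorded Future) takes a constructed batch of collected indicators, drops noise (allowlisted infrastructure, low-confidence reports and cross-feed duplicates), maps the survivors to hypothetical PIRs by their tagged characteristics, and emits a per-PIR product. The PIR names and keywords, the allowlist, the feed names, the confidence threshold and the “FIN-X” actor tag are all assumptions made up for the example.

```python
"""Toy processing/exploitation step: raw collected items -> filtered, PIR-mapped product.
All PIRs, feeds, indicators and actor names below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical priority intelligence requirements, keyed by the characteristics
# (tags) that mark a collected item as relevant to that question.
PIRS = {
    "PIR-1": {"question": "Which actors are targeting our payment systems?",
              "keywords": {"payment", "pos", "card"}},
    "PIR-2": {"question": "Is our brand being impersonated?",
              "keywords": {"phishing", "typosquat", "brand"}},
}

# Assumed: our own or known-benign infrastructure. Feed hits on these are noise.
ALLOWLIST = {"203.0.113.10", "corp.example.com"}

# Assumed: reports below this source-reported confidence are not worth an analyst's time.
MIN_CONFIDENCE = 50


@dataclass
class RawItem:
    indicator: str
    kind: str          # "ip", "domain" or "hash"
    source: str        # feed name; comma-joined once items are merged
    confidence: int    # 0-100 as reported by the source
    tags: set          # characteristics attached by the collector


# Constructed sample collection (RFC 5737 documentation addresses, fake domain/hash).
RAW = [
    RawItem("198.51.100.7", "ip", "feed-a", 80, {"pos", "malware", "actor:FIN-X"}),
    RawItem("198.51.100.7", "ip", "feed-b", 70, {"pos", "actor:FIN-X"}),   # same IP, second feed
    RawItem("203.0.113.10", "ip", "feed-a", 90, {"scanner"}),              # our own host: noise
    RawItem("examp1e-login.com", "domain", "feed-c", 85, {"phishing", "typosquat"}),
    RawItem("0" * 64, "hash", "feed-a", 20, {"card"}),                     # low confidence: noise
    RawItem("192.0.2.44", "ip", "feed-b", 75, {"ddos"}),                   # matches no PIR
]


def filter_noise(items):
    """Drop allowlisted and low-confidence items, and merge duplicates across feeds.

    Merging keeps the highest confidence, the union of tags, and records every
    source so later stages can tell corroborated indicators from single-feed ones.
    """
    merged = {}
    for item in items:
        if item.indicator in ALLOWLIST or item.confidence < MIN_CONFIDENCE:
            continue
        key = (item.kind, item.indicator)
        if key in merged:
            kept = merged[key]
            kept.confidence = max(kept.confidence, item.confidence)
            kept.tags |= item.tags
            kept.source = f"{kept.source},{item.source}"
        else:  # copy so the caller's input is never mutated
            merged[key] = RawItem(item.indicator, item.kind, item.source,
                                  item.confidence, set(item.tags))
    return list(merged.values())


def map_to_pirs(items):
    """Group items under every PIR whose keywords overlap the item's tags.

    Items that match no PIR are collected but never reach the product: they are
    data without an assigned purpose.
    """
    grouped = defaultdict(list)
    for item in items:
        for pir_id, pir in PIRS.items():
            if item.tags & pir["keywords"]:
                grouped[pir_id].append(item)
    return dict(grouped)


def build_product(grouped):
    """Turn the PIR groups into a minimal intelligence product per question."""
    product = {}
    for pir_id, items in grouped.items():
        actors = sorted({tag.split(":", 1)[1] for item in items
                         for tag in item.tags if tag.startswith("actor:")})
        product[pir_id] = {
            "question": PIRS[pir_id]["question"],
            "indicators": sorted(item.indicator for item in items),
            "actors": actors,
            # Seen by more than one feed: stronger evidence, worth escalating first.
            "corroborated": sorted(item.indicator for item in items if "," in item.source),
        }
    return product


def run_pipeline(items=RAW):
    """Collection -> noise filtering -> PIR mapping -> product, in one call."""
    return build_product(map_to_pirs(filter_noise(items)))


if __name__ == "__main__":
    for pir_id, entry in run_pipeline().items():
        print(pir_id, entry)
```

The point of the sketch is the ordering: noise is removed before anything is mapped, and mapping happens against the PIRs rather than against whatever the feeds happened to deliver, so an indicator that answers no standing question (the DDoS host above) never inflates the product. In a real program the allowlist and threshold would come from asset inventory and source-evaluation data, not constants.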
Why Commit to an Intelligence Program?
There are a number of operational and security benefits to threat intelligence, from gaining a more holistic understanding of potential threats to determining mitigation controls:
- Achieve greater situational awareness
- Understand threats, threat actors, and their capabilities
- Identify threats before they are realized
- Identify targets for threat actors
- Mitigate attacks more effectively
- Identify target profile and exposed data
- Determine countermeasures and mitigation controls
- Gain actionable intelligence specific to the organization
As you begin your threat intelligence journey, remember to be intentional in your goals and know your applications. Can the information you gain be used for proactive identification? Incident response? Making the effort to figure out why, how, and where to apply threat intelligence will put you well on your way to success.