Prerequisite for Effective Cyber Threat Visibility and Intelligence Program
It is important to understand that an effective cyber threat visibility and intelligence program should answer WHO, WHY, WHAT, WHEN and HOW. If your program does not answer these questions, you need to step back and review the program as a whole.
WHO - Who are the individuals, hackers and groups interested in you, and what are their background and past actions?
WHY - What is their motivation (financial gain, reputation damage, productivity loss) for being interested in you?
WHAT - What are they after: personally identifiable information, customer identifiable information, or sensitive data such as patents, intellectual property and credentials?
WHEN - When can they potentially target you, based on the attacker's readiness?
HOW - What tools, techniques and methods can they use to target you?
Once you have these insights, you should be able to apply intelligence more effectively and efficiently to your people, processes and technology, and so be better prepared for and protected against cyber-attacks.
Current issues with Cyber Threat Visibility and Intelligence Programs:
- It is applied only to technology, i.e. security controls, and not to people and processes
- It is very focused on operational/tactical intelligence; everybody is talking about Indicators of Attack (IOAs) and Indicators of Compromise (IOCs)
- Multiple data feeds give us the same information
- Contextual information is missing from threat feeds
- The frequency of intelligence is not aligned with the speed of hackers
- No emphasis is given to mapping the attack surface and attack scenarios against intelligence capability
- Lack of domain expertise
I think that for a successful cyber threat visibility and intelligence program, you need to have three levels of intelligence: strategic, management and tactical intelligence.
Strategic and management intelligence should at least answer WHO, WHY, WHAT and WHEN; tactical intelligence should tell us HOW.
Strategic intelligence should provide insight into cyber risks by attributing threat actors and describing their background, motives, tools and techniques. It should allow you to apply cyber intelligence to strategy, governance and policies.
Management intelligence should allow you to integrate insights on threat actor campaigns, attack mechanisms and tools into internal processes such as incident management, change management, configuration management and release management.
Operational/tactical intelligence should enable SOCs to respond proactively to cyber threats. It supports day-to-day detection and response, improving the enterprise's cyber posture through indicators such as malicious IPs, malware signatures and mutexes, phishing domains, and command and control centers.
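The issues listed above (duplicate feeds, indicators with no context, intelligence that is stale by the time it arrives) are all visible at the tactical level, where feed data meets SOC logs. The following script is an added example, not code from the original post: it merges two constructed, overlapping feeds into one deduplicated indicator set that keeps the richest context any source supplied, drops entries that are too old or too low in confidence to act on, flags those that still lack attribution, and then matches what remains against a few constructed proxy log lines. The feed format, the log format, the indicator values (reserved documentation ranges and `.invalid` domains) and the actor/campaign labels are all assumptions made for the demonstration.

```python
"""Added example (not from the original post): normalise two overlapping
threat feeds into one context-rich indicator set, drop stale or
low-confidence entries, and match the rest against sample proxy logs.
Every feed entry, indicator and log line here is constructed; none is a
real IOC, and the actor/campaign names are placeholders."""
import re
from datetime import datetime, timedelta

# Constructed feed A: actor/campaign context on two indicators plus one old,
# low-confidence entry. Dates are ISO strings so string comparison orders them.
FEED_A = [
    {"type": "ip", "value": "203.0.113.10", "confidence": 80,
     "first_seen": "2024-03-01", "last_seen": "2024-03-08",
     "actor": "ACTOR-PLACEHOLDER", "campaign": "phish-campaign-placeholder"},
    {"type": "domain", "value": "Login-Example.invalid", "confidence": 60,
     "first_seen": "2024-03-05", "last_seen": "2024-03-08",
     "actor": "ACTOR-PLACEHOLDER", "campaign": "phish-campaign-placeholder"},
    {"type": "ip", "value": "198.51.100.7", "confidence": 50,
     "first_seen": "2023-01-10", "last_seen": "2023-01-15"},
]
# Constructed feed B: overlaps feed A on one IP (higher confidence, no
# context) and adds a fresh domain with no context at all.
FEED_B = [
    {"type": "ip", "value": "203.0.113.10", "confidence": 95,
     "first_seen": "2024-02-20", "last_seen": "2024-03-10"},
    {"type": "domain", "value": "update-example.invalid", "confidence": 70,
     "first_seen": "2024-03-10", "last_seen": "2024-03-11"},
]


def merge_feeds(named_feeds):
    """Deduplicate indicators across feeds: union of sources, highest
    confidence, widest seen window, first attribution any feed supplies."""
    merged = {}
    for name, feed in named_feeds.items():
        for entry in feed:
            key = (entry["type"], entry["value"].lower())  # case-insensitive dedup
            rec = merged.setdefault(key, {
                "type": entry["type"], "value": key[1], "sources": [],
                "confidence": 0, "first_seen": entry["first_seen"],
                "last_seen": entry["last_seen"], "actor": None, "campaign": None})
            rec["sources"].append(name)
            rec["confidence"] = max(rec["confidence"], entry["confidence"])
            rec["first_seen"] = min(rec["first_seen"], entry["first_seen"])
            rec["last_seen"] = max(rec["last_seen"], entry["last_seen"])
            for field in ("actor", "campaign"):
                if rec[field] is None and entry.get(field):
                    rec[field] = entry[field]
    return merged


def actionable(merged, now, max_age_days=180, min_confidence=60):
    """Keep indicators seen recently enough and with enough confidence to act
    on; flag the ones that still carry no attribution context."""
    cutoff = (datetime.strptime(now, "%Y-%m-%d")
              - timedelta(days=max_age_days)).strftime("%Y-%m-%d")
    kept = {}
    for key, rec in merged.items():
        if rec["last_seen"] < cutoff or rec["confidence"] < min_confidence:
            continue
        rec = dict(rec)
        rec["has_context"] = bool(rec["actor"] or rec["campaign"])
        kept[key] = rec
    return kept


# Constructed proxy log format: timestamp, client IP, requested host, dest IP, status.
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<dst>\S+) (?P<status>\d+)$")
SAMPLE_LOGS = [
    "2024-03-12T10:00:01Z 10.0.0.5 www.example.com 192.0.2.1 200",
    "2024-03-12T10:00:07Z 10.0.0.9 login-example.invalid 203.0.113.10 302",
    "2024-03-12T10:01:15Z 10.0.0.9 cdn.example.net 198.51.100.7 200",
]


def match_logs(lines, indicators):
    """One hit per (log line, matching indicator), carrying the merged context
    so the analyst sees WHO/WHY next to the raw match."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the run
        for key in (("domain", m["host"].lower()), ("ip", m["dst"])):
            rec = indicators.get(key)
            if rec:
                hits.append({"ts": m["ts"], "src": m["src"], "type": rec["type"],
                             "indicator": rec["value"], "confidence": rec["confidence"],
                             "sources": rec["sources"], "actor": rec["actor"],
                             "campaign": rec["campaign"]})
    return hits


def run_example(now="2024-03-12"):
    """Whole pipeline over the constructed data; returns (indicators, hits)."""
    indicators = actionable(merge_feeds({"feed_a": FEED_A, "feed_b": FEED_B}), now)
    return indicators, match_logs(SAMPLE_LOGS, indicators)


if __name__ == "__main__":
    indicators, hits = run_example()
    for rec in indicators.values():
        print(f"{rec['type']:6} {rec['value']:24} conf={rec['confidence']:3} "
              f"sources={','.join(rec['sources'])} context={rec['has_context']}")
    for hit in hits:
        print(f"HIT {hit['ts']} {hit['src']} -> {hit['indicator']} "
              f"actor={hit['actor']} campaign={hit['campaign']}")
```

Run as-is, the old low-confidence IP from feed A never reaches the matcher, so the third log line produces no alert; the second line produces two hits that both carry the actor and campaign that only feed A knew, even though feed B supplied the higher confidence. The indicator with no context from either feed is kept but flagged, which is the list an analyst would hand back to the intelligence team as the "missing context" gap.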
Three elements to look for in an effective cyber threat visibility and intelligence program:
- Predictability: early warning about potential cyber risk
- Applicability: can it be applied at all three levels (strategic, management and tactical)?
- Accuracy: how relevant and actionable is the intelligence for the current target?
Cyber threat visibility and intelligence is about to become the centre of everything we do in cyber posture management, and now is the right time for organizations to incorporate a proper cyber threat visibility and intelligence program.