Intelligence has long been a prized asset for organizations, governments and armies. In the past, it’s what won wars: just look at the crucial role the code-breakers of Bletchley Park played in hastening the Allied victory in 1945. Yet today, IT teams are drowning in a dizzying volume of intelligence. The problem is that they cannot do much with it. We must therefore focus our efforts not on gathering intelligence per se, but on ensuring it is actionable and relevant.
That means moving beyond industry hype to redefine what matters most to stretched threat teams protecting their organizations on the front line: quality over quantity.
Firms under fire
The media is awash with stories of catastrophic data breaches and online attacks causing major service outages. A UK government report from April 2018 suggested 43% of organizations had experienced a cybersecurity breach or attack in the previous 12 months — but even these figures could be an under-estimate.
In the meantime, big-name brands continue to suffer consequences of inadequate threat intelligence. Over the past few months alone, we’ve heard of a massive database breach at Marriott International affecting half a billion customers, a similar raid on over nine million Cathay Pacific customers, and a sophisticated digital skimming campaign which has compromised card data from hundreds of e-commerce websites around the world.
These are just the tip of the iceberg. According to NTT Security’s 2018 Global Threat Intelligence Report, based on data from over 6.1 trillion logs and 150 million attacks, there was a 350% increase in ransomware detections alone over the previous year. The finance sector was the biggest target for attacks, suffering 26% of the total spotted during the period, although it certainly wasn’t the only industry in the firing line.
Beyond the hype
In response to the growing cyber risk facing organizations, the threat intelligence market has expanded rapidly over recent years. A simple Google search will reveal hundreds of providers crowding the space. Yet whatever the marketing hyperbole may have you believe, 98% of them are selling the same type of product/feed.
This kind of off-the-shelf threat intelligence is available to any organization prepared to pay. But it’s not necessarily effective. The type of cyber intelligence required by an oil and gas company might be very different to that which a financial institution finds useful, for example. And even within specific sectors, no two organizations are the same.
To become relevant and actionable, intelligence must be customised. It’s not just a case of switching on a few threat data feeds. Intelligence needs to be developed over time, with human expertise playing a key role in this. It is an intelligence-driven holistic security process that may result in a few mistakes along the way, but that shouldn’t distract you from the ultimate goal.
Here are my five steps to attain the Holy Grail of actionable intelligence:
1. Business and risk alignment: This is about understanding the mission, scope and authority needed to mitigate risk.
2. Visibility: Define the visibility required to achieve mission readiness.
3. Content: Build enablement for detection — including use cases, situational awareness, and baseline.
4. Security operations: Respond, contain and hunt to achieve the mission of rooting out known and unknown threats.
5. Applied intelligence and analytics: Analyze, attribute and predict the threat to refocus the mission.
The key is to first understand what your organization’s key assets or “crown jewels” are via a risk analysis. Then it’s all about filtering out the “noise” to prioritise intelligence relevant to your organization. We can then move forward to proactively hunt for threats, map attack patterns and outline the black hats’ tactics, techniques and procedures (TTPs).
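One way to put that filtering into practice, as an added example that is not part of the original article: score each feed item against the organization's sector and its crown-jewel systems, scaled by the feed's own confidence, and drop anything below a threshold. The org profile, the feed entries and the weights are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class IntelItem:
    indicator: str
    sectors: set            # sectors the reported activity is known to target
    products: set           # software or platforms it affects
    confidence: float       # 0.0-1.0, as reported by the feed
    tags: set = field(default_factory=set)


@dataclass
class OrgProfile:
    sector: str
    crown_jewels: dict      # asset name -> criticality weight (1-5), from the risk analysis


def relevance_score(item: IntelItem, org: OrgProfile) -> float:
    """Score 0-10: how actionable this item is for *this* organization.
    A sector match and overlap with crown-jewel systems drive the score;
    the feed's confidence scales it so low-confidence noise falls away."""
    score = 0.0
    if org.sector in item.sectors:
        score += 3.0
    for product in item.products & set(org.crown_jewels):
        score += org.crown_jewels[product]   # at most 5 per matching asset
    return round(min(score, 10.0) * item.confidence, 2)


def triage(feed, org: OrgProfile, threshold: float = 2.0):
    """Drop items below the threshold and rank the rest by relevance."""
    scored = [(relevance_score(item, org), item) for item in feed]
    kept = [(s, item) for s, item in scored if s >= threshold]
    return sorted(kept, key=lambda pair: pair[0], reverse=True)


# Constructed sample data: a finance organization and four generic feed items
ORG = OrgProfile(sector="finance",
                 crown_jewels={"SWIFT gateway": 5, "Windows AD": 4, "Magento": 1})
FEED = [
    IntelItem("198.51.100.10", {"energy"}, {"ICS HMI"}, 0.9),
    IntelItem("evil.example", {"finance"}, {"SWIFT gateway"}, 0.8),
    IntelItem("203.0.113.7", {"retail"}, {"Magento"}, 0.95),
    IntelItem("bad-doc.example", set(), {"Windows AD"}, 0.3),
]

if __name__ == "__main__":
    for score, item in triage(FEED, ORG):
        print(f"{score:5.2f}  {item.indicator}")
```

Only the finance-targeted item touching the SWIFT gateway survives the threshold; the other three are the "noise" the text describes, however many indicators the raw feed contained.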
Now you’re in a position to pre-empt the bad guys, wresting the initiative back to manage cyber and business risk on your own terms. That’s the true value of actionable intelligence.