First principles of a Cyber Threat Intelligence Program

Recently, as part of the scope in establishing a Security Operation Center for a European telecommunications company, I have been asked to develop a cyber threat intelligence (CTI) program. The goal is to better understand the motives, capabilities and objectives of threat actors that might seek to target the organization so that adequate countermeasures could be implemented as part of the broader SOC program. The proposed path was to adopt a requirements-based approach rather than the blind purchase of a commercial intelligence tool.

Developing a requirements-based model plays a crucial role in driving the success of a CTI program. Objectives included the use of the intelligence gathered to inform decision makers at different levels (using data science and machine learning models) regarding adversary tools, tactics, and procedures (TTPs), at both strategic and tactical levels. An efficient and effective CTI strategy can increase the return on security investments and decrease the risks to the organization’s assets.

Furthermore, the focus on protecting high-value information assets (HVIAs) helps avoid common mistakes such as:

  • Identifying indicators with little to no time left to react
  • Collecting, aggregating and analysing huge amounts of often dated and duplicate data
  • Over-reliance on purely quantitative KPIs and metrics, at the expense of qualitative data
  • Processing generic external threat intel irrelevant to the core business of the organization

As we know, a CTI solution must provide actionable data in a timely, accurate and relevant manner (and at a rate and frequency suited to the context in which it is consumed), take into consideration any existing security controls that already remediate or counter the threats identified, and identify and answer specific technical and business questions.

In particular, the CTI model can benefit from broadening the scope of its use cases. Examples of some of the benefits include:

  • Prevention: Threat Intel can help prevent data leakage by blocking communications with C&C infrastructures. For example, the security ecosystem of an organization can ingest threat intelligence data, monitoring attempts by internal hosts to communicate with malicious IPs/domains;
  • Detection: The faster a security breach is identified, the lesser the impact on the business. Deploying deep packet inspection and network security monitoring solutions that ingest threat intelligence data enables searching for TTPs which may have evaded other prevention mechanisms, thereby helping security analysts to accelerate alerting on malicious activities;
  • Response: Threat Intelligence can provide guidance in estimating the magnitude of the breach and enumerating the adversary’s “modus operandi”. During an Incident Response activity, threat intelligence can support host and network forensic analysis to quickly identify compromised systems;
  • Threat Analysis: By understanding attack patterns and preferred TTPs in conjunction with the technical security posture of the asset, it is possible to get a greater understanding of the implemented defensive mechanisms and any additional countermeasures which may be required;
  • Data analysis: In-depth analysis of the data collected can uncover related campaigns associated with a particular threat actor, including motive and intent, and identify which assets the adversary is persistently attacking;
  • Threat Intel Sharing: Last but not least, information sharing with industry peers to determine whether there are other threats and TTPs associated with the campaigns (most probably the biggest advantage and benefit in the adoption of such a program).
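As an added example (not code from the original post), the prevention and detection use cases above, together with the "dated and duplicate data" mistake listed earlier, reduced to a small Python script: a threat-intel feed is deduplicated and aged out before being matched against internal hosts' outbound connections, so an alert only fires on indicators that are still timely and names the freshest source. The feed format, the connection-log format, the fixed clock and every address and domain are constructed assumptions (RFC 5737 documentation ranges and example.net names), not real indicators.

```python
"""Threat-intel indicator matching for outbound connections.

Added example, not from the original post. The feed, the log format and
all addresses are constructed for illustration, not real indicators.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the example is reproducible offline (constructed).
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Indicator:
    value: str           # IP address or domain name
    kind: str            # "ip" or "domain"
    last_seen: datetime  # when the source last observed the indicator active
    source: str          # feed or sharing partner it came from


# Constructed feed, deliberately containing the two problems the post lists:
# duplicates (same indicator from two sources, different spelling) and a
# dated entry that is no longer worth alerting on.
FEED = [
    Indicator("203.0.113.10", "ip", NOW - timedelta(days=2), "vendor-a"),
    Indicator("203.0.113.10", "ip", NOW - timedelta(days=20), "vendor-b"),
    Indicator("bad.example.net", "domain", NOW - timedelta(days=5), "isac-share"),
    Indicator("BAD.example.net.", "domain", NOW - timedelta(days=1), "vendor-a"),
    Indicator("198.51.100.7", "ip", NOW - timedelta(days=120), "vendor-b"),
]

# Constructed connection-log lines: "<timestamp> <src_ip> <dst_ip> <dst_port> <domain_or_dash>".
LOG_LINES = [
    "2024-05-01T08:00:01Z 10.0.0.5 203.0.113.10 443 -",
    "2024-05-01T08:00:02Z 10.0.0.7 192.0.2.44 443 www.example.com",
    "2024-05-01T08:00:03Z 10.0.0.9 192.0.2.80 80 bad.example.net",
    "2024-05-01T08:00:04Z 10.0.0.5 198.51.100.7 8080 -",
]


def _key(kind, value):
    """Canonical lookup key: case-insensitive, trailing dot stripped."""
    return (kind, value.strip().lower().rstrip("."))


def normalise(feed, now=NOW, max_age_days=30):
    """Deduplicate the feed and drop stale indicators.

    For each (kind, value) the most recently seen entry wins, so the
    freshest source is credited in alerts. Anything not seen within
    max_age_days is discarded: alerting on it is the dated-data problem,
    not actionable intelligence.
    """
    best = {}
    for ind in feed:
        k = _key(ind.kind, ind.value)
        if k not in best or ind.last_seen > best[k].last_seen:
            best[k] = ind
    cutoff = now - timedelta(days=max_age_days)
    return {k: v for k, v in best.items() if v.last_seen >= cutoff}


def parse_conn_log(line):
    """Parse one constructed log line into a dict; domain is None when '-'."""
    ts, src, dst, port, domain = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "domain": None if domain == "-" else domain}


def match(log_lines, indicators, now=NOW):
    """Return one hit per log line whose destination IP or domain is a live indicator."""
    hits = []
    for line in log_lines:
        rec = parse_conn_log(line)
        candidates = [("ip", rec["dst"])]
        if rec["domain"]:
            candidates.append(("domain", rec["domain"]))
        for kind, value in candidates:
            ind = indicators.get(_key(kind, value))
            if ind is not None:
                hits.append({
                    "ts": rec["ts"], "src": rec["src"],
                    "indicator": _key(kind, value)[1], "kind": kind,
                    "source": ind.source,
                    "age_days": (now - ind.last_seen).days,
                })
                break  # one alert per connection is enough
    return hits


if __name__ == "__main__":
    for hit in match(LOG_LINES, normalise(FEED)):
        print(hit)
```

Run as-is it reports two hits (the internal host talking to 203.0.113.10 and the one resolving bad.example.net) and stays silent on the 120-day-old indicator, which is exactly the trade-off the post describes: the age threshold and the "most recent source wins" rule are the two knobs that turn a raw feed into something an analyst can act on.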

In an environment with tight budgets, the implementation of a CTI program using a phased and requirements-based approach can enable small investments to materially enhance the overall security posture of the organization.

With today’s threat landscape, there are no silver bullets to security and risk management. A one-size-fits-all approach may just distort the ability to identify adversaries and protect what matters most.
