In the first three chapters of Volume 2 we have been focused internally. In Chapter 13, we turn our focus to outside your organization. Threat intelligence, like situational awareness, is the discipline of becoming conscious of the environment in which you are operating with the intent of decreasing the potential impact of harms that are presented to you or your community. You’ll need to use a combination of data about the relevant threat actors and the vulnerabilities of your high-value assets along with your judgment about the combinations that pose the greatest risk to your organization.
Bill starts the discussion where we have traditionally associated protection from risk, with the law enforcement community. Every organization operates in the context of local, state and federal jurisdictions, some grounded in the physical world and many increasingly incorporating the digital realm. From there, Bill expands the scope to include the entire human network that all three authors have repeatedly highlighted.
Matt asks us to look inward again to establish the context in which threat intelligence is most effective. He guides us on an exploration of six keys to threat intelligence that teach us how to use that context to make better decisions about which threats are most real to us and build a program around that knowledge.
Gary gives a thorough analysis of the sources for threat intelligence and leaves us with an understanding of how these sources are structured, characterized, and effectively utilized. He concludes with an extensive review of Open Source Threat Intelligence and how you should incorporate that into your threat intelligence program.
Some of the questions the authors used to frame their thoughts for this chapter include:
♦ What is threat intelligence, and what types of external threat intelligence sources should the CISO use to augment their cybersecurity suite?
♦ What are the business scenarios for incorporating threat intelligence services into an enterprise cybersecurity program?
♦ Which Open Source Threat Intelligence (OSINT) resources should a CISO consider for enhancing their threat vulnerability management program?
Situational Awareness – Bonney
What Is Threat Intelligence?
Before answering the questions that we have posed for threat intelligence, I’d like to define what threat intelligence is, or what it means to me. Some threat intelligence products and services might include phrases like “organized, analyzed and refined information” and reference “potential and current attacks” somehow targeted, generally or specifically, “at your organization or industry.” That’s certainly one aspect of a good threat intelligence program. That kind of information is consumed at a knowledge level, in other words, informing the people on your team about the current threats that they should focus on, how to recognize them, how to prepare for them, and how to defend against them.
Threat intelligence information can also refer to specific vulnerabilities and the techniques that might be used to exploit those weaknesses in a way that your people and your defensive systems can immediately use to prevent or mitigate specific threats. Threat intelligence can also refer to specifics about the adversaries (who is posing a threat) and the victims (who is the target). Good threat intelligence should be actionable; you need to know what the adversaries want to do, to what, and you need to know if that applies to your organization.
We have to assume that you know what assets you have that are susceptible to any threat. Much of what I’ve listed above is available through commercial and cooperative services. Depending on the scope and capabilities of your organization, you might consume one or more commercially available sources of threat intelligence.
There is a tendency to believe that once something like threat intelligence is packaged commercially, that “buying” your threat intelligence is the most comprehensive and practical approach. Let the experts collect the data from their millions of sensors and their honeypots, and let their analysts review that intelligence and monitor the dark web for you and tell you where you should focus your attention. It’s true that very few companies have the means to run a comprehensive threat intelligence program on their own, and even those that do still consume commercial feeds to support their efforts. But there is another aspect to threat intelligence that does involve work that you do on behalf of your organization. You now have an excellent opportunity to work with your human network, especially your external network of peers, subject matter experts, law enforcement, vendors, and partners.
With this context for threat intelligence, I want to ask an additional set of tactical questions:
1. What is our current working relationship with law enforcement?
2. What are our sources of international cyber threat intelligence?
3. What organizations are we sharing our cyber threat knowledge with, and what are we learning from them?
4. What is our working (information sharing) relationship with the most high-profile firms that have had breaches? Do we have information coming to us from them? What have we learned?
5. Do we track social media sites and blogs referencing us for clues about our vulnerabilities?
6. When we hear of a breach in another organization, what do we do? When does that process start, and what is the routine reporting in the organization? What are the criteria that determine who to notify and when to notify the board of directors?
7. As we look at the data for intrusions, penetrations, or attempts to gain unauthorized access, what has been the primary category of threat actors who seem to have made these efforts? How has that information influenced our defensive efforts?
Threat Intelligence Is More Than a Service
Let’s look at what these questions are getting at and how we, as CISOs, might go about responding. Start with question 1, our relationship with law enforcement. We’ve all heard that law enforcement wants to have a relationship with us. They would like organizations to tell them when suspicious events occur and to identify potential bad actors for them. In return, they will share information with industry about threats they become aware of through various means. Each party would be able to use this information without additional jeopardy.
Just a few years ago, this statement met with a fair amount of skepticism. However, through organizations such as InfraGard, which is an FBI public-private partnership program, and concerted efforts by law enforcement and various supportive industry groups, cooperation and trust have been building. While it still varies by region and community, there has been significant progress.
If your organization has a relationship with local law enforcement through its physical security organization, partnering with that group and leveraging that connection is a great place to start. Usually, this involves at least local law enforcement, such as city police departments, county sheriff’s departments, and state troopers across the United States. If your organization does not currently maintain any federal relationships, you should consider connecting with the FBI (through regional associations such as InfraGard) and the Department of Homeland Security (DHS).
The DHS was created in the aftermath of the events of September 11, 2001, to manage and coordinate the activities between several existing agencies. The combined organization addresses land and marine borders and immigration, with the U.S. Customs and Border Protection (CBP), the U.S. Immigration and Customs Enforcement (ICE), and the U.S. Coast Guard (USCG). It also addresses accidents and several types of threats, with the Federal Emergency Management Agency (FEMA), the Transportation Security Administration (TSA), the U.S. Secret Service (USSS), and the Office of Intelligence and Analysis (OIA).
In addition to the FBI’s InfraGard program, there are many cooperatives and public-private partnerships. Among them are the ISACs (Information Sharing and Analysis Centers), which exist for all of the elements of the U.S. critical infrastructure. The graphic below (courtesy of the National Fusion Center Association – NFCA) depicts the 16 components of the U.S. critical infrastructure. The U.S. DHS declared a 17th component, the U.S. Electoral System, a part of the nation’s critical infrastructure in January 2017.
Figure 13.1 The 16 Original Industries in the U.S. Critical Infrastructure
In addition to the NFCA, the ISACs, and your local law enforcement, there are the 76 regional “Law Enforcement Coordination Centers” (LECC). Reach out and connect with these groups, and then leverage them to find local industry associations if you are new to the region or just don’t know who to ask.
Regarding question 2, not every organization will need sources of international threat intelligence, but if your team has a global footprint, there are significant considerations. First, some cyber-criminal gangs are very regional, and intelligence is limited outside their region. Second, if you do not have a substantial presence in international markets, your international field offices might be especially vulnerable to local cyber-criminal activity if you aren’t able to keep the cyber education level high among your global workforce. To address this, ensure that any vendors you use for threat intelligence have sufficient coverage in the markets where you are present.