Security managers and their security programs today often find themselves triaging a breach after the attack is over, analyzing digital artifacts as they try to piece together an event that has already happened. Hopefully, the information they glean from the files, logs, and recovered data is enough to remediate the security gaps they discover and to provide intelligence on possible future events. Unfortunately, as many security practitioners know, this can be a daunting effort: the adversaries businesses face today are agile and adept at changing their methods to sidestep attempts at stopping them. It is this untenable situation that drives organizations and security leaders to use strategic services such as cyber threat intelligence (CTI) to provide context about the adversaries businesses face and the tactics, techniques, and procedures (TTPs) that are used against them.
CTI, as a strategic resource, revolves around three basic questions that security managers and their companies need to address. The answers to these questions provide insight into why CTI is considered a valuable service when used correctly, and how businesses can use it efficiently to mature their security program's management of ongoing and future threats.
- What is cyber threat intelligence (CTI)? – This first question may seem pretty basic, but I have found many businesses and their security teams don’t truly understand CTI or its value. In essence, CTI is information gathered from sources, human and electronic, both internal and external to the organization. That information is processed and evaluated to verify its validity before anyone acts on it. It is used to provide context: what conditions a threat needs in order to exploit a vulnerability, and whether threat actors are actively exploiting it. Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets” (Gartner, 2013). For those new to CTI, this means that for threat intelligence to apply to your organization, i.e., to have “context,” there need to be deficiencies for an adversary to take advantage of; a report about a threat that depends on a weakness you do not have is noise rather than intelligence. Examples of deficiencies are immature security controls, unpatched or misconfigured hardware and software, and undocumented business processes. These deficiencies are what security professionals call vulnerabilities, and they are what cybercriminals target for exploitation. It is the security manager’s responsibility to understand these concerns, have visibility into the risk they place on their small or medium-sized business (SMB), and, through the use of strategic services such as CTI, prioritize what needs to be remediated first.
- Where can CTI be acquired?…
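The first question above describes CTI as verified information that only has “context” where a matching internal deficiency exists, and that is then used to prioritize remediation. The following is an added example illustrating that matching step in code; it is not from the original article. The feed entries, asset names, and deficiency labels are constructed for illustration, and the scoring weights are an assumption rather than any published method.

```python
"""Added example: apply a threat-intel feed to an asset inventory so that only
intel with "context" (a matching internal deficiency) drives remediation.
All feed entries, assets, and deficiency labels below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IntelItem:
    source: str               # where the report came from (vendor feed, ISAC, OSINT, internal IR)
    weakness: str             # the deficiency the adversary relies on
    actively_exploited: bool  # in-the-wild use by threat actors was reported
    verified: bool            # our team validated the report before acting on it
    advice: str               # action-oriented advice carried with the report


@dataclass(frozen=True)
class Asset:
    name: str
    exposure: str             # "internet" or "internal"
    deficiencies: frozenset   # weaknesses known (from scans, audits) to exist on this asset


# Constructed sample feed: not real reports.
FEED = [
    IntelItem("vendor-feed", "unpatched-vpn-firmware", True, True, "apply vendor firmware update"),
    IntelItem("isac-bulletin", "default-admin-credentials", True, True, "rotate credentials; enforce MFA"),
    IntelItem("osint-blog", "unsigned-macro-execution", False, False, "block macros from internet files"),
    IntelItem("vendor-feed", "legacy-smbv1-enabled", False, True, "disable SMBv1"),
    IntelItem("forum-post", "exposed-debug-endpoint", True, False, "restrict debug endpoint"),
]

# Constructed sample inventory: not real systems.
ASSETS = [
    Asset("vpn-gateway", "internet", frozenset({"unpatched-vpn-firmware"})),
    Asset("finance-fileserver", "internal", frozenset({"legacy-smbv1-enabled", "default-admin-credentials"})),
    Asset("hr-workstation-07", "internal", frozenset({"unsigned-macro-execution"})),
]


def contextualize(feed, assets):
    """Intel has context only where a matching deficiency exists internally."""
    return [(item, asset) for item in feed for asset in assets
            if item.weakness in asset.deficiencies]


def without_context(feed, assets):
    """Reports that match nothing we have: tracked for awareness, not remediation."""
    matched = {item for item, _ in contextualize(feed, assets)}
    return [item.weakness for item in feed if item not in matched]


def priority(item, asset):
    """Assumed weights: active exploitation and internet exposure raise priority;
    unverified intel is held for validation and never outranks verified intel."""
    score = 10
    if item.actively_exploited:
        score += 50
    if asset.exposure == "internet":
        score += 30
    if not item.verified:
        score -= 100
    return score


def remediation_plan(feed, assets):
    """Ranked list of (asset, weakness, score, advice), highest priority first."""
    ranked = sorted(contextualize(feed, assets),
                    key=lambda pair: (-priority(*pair), pair[1].name))
    return [(asset.name, item.weakness, priority(item, asset), item.advice)
            for item, asset in ranked]


if __name__ == "__main__":
    for row in remediation_plan(FEED, ASSETS):
        print(row)
    print("no context:", without_context(FEED, ASSETS))
```

Two design points carry over to a real program: the matching step is what turns a generic report into intelligence for your organization, and the `verified` flag is the gate that keeps an unvalidated forum post from jumping ahead of a confirmed report, however alarming it sounds.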