5 key concerns when testing cyber threat intelligence effectiveness
According to the ISACA State of Cyber Security 2017 research, 80% of respondents believe “it is either ‘likely’ or ‘very likely’ that they will be attacked in 2017.” In 2018 and beyond, based on current risk trends to organizations from their infrastructure, employees, supply chain and external threat actors, this figure is unlikely to drop.
Cyber threat intelligence (CTI) plays an important role in an organization’s defense-in-depth strategy, and is often leveraged by other cyber security functions, such as security event monitoring, incident response and forensic investigations.
To derive value from CTI, raw or processed data feeds must be analyzed and applied within the context of the organization to improve, among other capabilities, the ability to detect threats and respond to incidents.
Visibility into the design and operating effectiveness of CTI processes can provide some assurance to management and potentially support funding requests for further investment in this area. Based on that premise, below are five areas to consider when conducting a review of your organization’s CTI capabilities.
Alignment with your organization’s threat model
Commonalities exist in the threats to organizations operating in the same industry sector. However, because no two businesses are exactly alike, there is a high likelihood that each one will have a slightly different threat model.
Threat modeling is a necessary risk management step to ensure that resources are directed at controls that address the real threats to the organization. Therefore, to ensure that CTI sourced by an organization is effective, it must support an existing threat model.
A key initial part of your review should involve checking whether your organization maintains a threat model, whether the CTI sourcing strategy adds more visibility to that model and whether the combination of both supports effective decision-making when managing risk.
Quality of threat intelligence
Threat and vulnerability information originates from a variety of internal and external sources and is often ingested manually or through automation by the user organization.
Externally, sources include commercial CTI vendors, industry/community collaboration forums, and security product/vendor intelligence feeds. Internal sources include proactive vulnerability scanning, network monitoring and behavioral analysis tools.
Whether derived internally or externally, the quality of CTI is critical for it to effectively contribute toward improving an organization’s cyber security posture.
According to leading threat intelligence expert Sergio Caltagirone, the quality of threat intelligence is determined by four factors: completeness, accuracy, relevance and timeliness. Each of these factors is described briefly below:
- Completeness – Visibility of the organization’s threat model could provide a view on the completeness of CTI. Threat models will help the organization to ask the right questions of CTI data.
- Accuracy – A high number of false positives in an intelligence report implies poor-quality CTI. A consistent trend of false positives may require further investigation.
- Relevance – The more organizational and industry context that is available within CTI, the more useful it is. More weight should be given to internally sourced CTI, which reflects the nuances of an organization, than to externally sourced CTI, which may be generic and lack context.
- Timeliness – CTI is only effective if it can be applied in an operational context to address current threats facing an organization.
Start by obtaining a list of your organization’s internal and external sources and reviewing them against each of these factors.
Integration with security monitoring
There are many use cases for CTI. According to the 2017 SANS Institute Cyber Threat Intelligence report, the top use case for CTI was in security operations, as 72% of respondents say they use CTI information when detecting potential cyber security events and locating sources and/or blocking malicious activities or threats.
An effective security monitoring strategy is one which correlates and analyzes data from multiple sources to detect threats before they can cause harm to the organization. Leveraging available CTI is one way to ensure the optimal use of security operations resources by focusing monitoring efforts on indicators of compromise that pose the highest risk.
Conduct a review of security monitoring procedures to determine how much CTI influences monitoring strategies.
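The quality review above and the monitoring-integration check here can be tested with the same mechanism: match each source’s indicators against internal telemetry and score the source on completeness, accuracy, relevance and timeliness. The script below is an added example written for this article, not code from the original post or from ISACA; the indicator feed, log lines, analyst verdicts and threat-model categories are constructed sample data, and the way each quality factor is turned into a number (for example, relevance as the share of a source’s indicators ever observed in our logs, timeliness as the age of an indicator at the moment it fired) is this example’s own simplification.

```python
"""Score CTI sources against internal telemetry on the four quality factors.

All feed entries, log lines and analyst verdicts below are constructed sample
data for this example; the metric definitions are this example's own
simplifications, not a published standard.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed indicator feed. 'categories' tags each indicator with the
# threat-model categories it gives visibility into.
INDICATORS = [
    {"source": "vendor_feed", "value": "203.0.113.10",
     "first_seen": "2018-03-01T00:00:00Z", "categories": {"c2"}},
    {"source": "vendor_feed", "value": "update-check.example",
     "first_seen": "2018-01-05T00:00:00Z", "categories": {"phishing"}},
    {"source": "vendor_feed", "value": "198.51.100.7",
     "first_seen": "2017-06-01T00:00:00Z", "categories": {"scanning"}},
    {"source": "internal_hunt", "value": "payroll-portal.example",
     "first_seen": "2018-03-09T00:00:00Z",
     "categories": {"phishing", "credential_theft"}},
    {"source": "internal_hunt", "value": "d3ad" * 16,
     "first_seen": "2018-03-08T00:00:00Z", "categories": {"malware"}},
]

# Constructed proxy/DNS/EDR log lines in a simple "timestamp source k=v ..." form.
LOGS = [
    "2018-03-10T08:15:02Z proxy src=10.0.0.5 dst=203.0.113.10 action=allow",
    "2018-03-10T08:16:40Z dns client=10.0.0.8 query=payroll-portal.example",
    "2018-03-10T09:01:11Z proxy src=10.0.0.9 dst=198.51.100.7 action=allow",
    "2018-03-10T09:30:00Z edr host=ws12 sha256=" + "d3ad" * 16,
    "2018-03-10T10:00:00Z dns client=10.0.0.3 query=intranet.example",
]

# Constructed analyst verdicts after triage: True means confirmed malicious.
VERDICTS = {
    "203.0.113.10": True,
    "payroll-portal.example": True,
    "198.51.100.7": False,  # benign scanner, i.e. a false positive
    "d3ad" * 16: True,
}

# The organisation's threat-model categories (constructed).
THREAT_MODEL = {"c2", "phishing", "credential_theft", "malware", "ransomware"}

KV = re.compile(r"(\w+)=(\S+)")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(line):
    """Split a log line into (timestamp, {field: value})."""
    ts_text, rest = line.split(" ", 1)
    return parse_ts(ts_text), dict(KV.findall(rest))


def match_indicators(indicators, logs):
    """Return (indicator, log timestamp) pairs where a log field equals an indicator value."""
    by_value = {ind["value"]: ind for ind in indicators}
    hits = []
    for line in logs:
        ts, fields = parse_log(line)
        for value in fields.values():
            if value in by_value:
                hits.append((by_value[value], ts))
    return hits


def score_sources(indicators, logs, verdicts, threat_model):
    """Per source: relevance, accuracy, completeness and timeliness metrics."""
    stats = defaultdict(lambda: {"indicators": 0, "hits": 0, "tp": 0,
                                 "ages": [], "covered": set()})
    for ind in indicators:
        s = stats[ind["source"]]
        s["indicators"] += 1
        s["covered"] |= ind["categories"] & threat_model
    for ind, ts in match_indicators(indicators, logs):
        s = stats[ind["source"]]
        s["hits"] += 1
        # Age of the indicator (days since first_seen) at the moment it fired.
        s["ages"].append((ts - parse_ts(ind["first_seen"])).days)
        s["tp"] += 1 if verdicts.get(ind["value"]) else 0
    result = {}
    for source, s in stats.items():
        result[source] = {
            # Relevance: share of the source's indicators ever seen in our telemetry.
            "relevance": s["hits"] / s["indicators"],
            # Accuracy: share of hits that analysts confirmed as malicious.
            "accuracy": s["tp"] / s["hits"] if s["hits"] else None,
            # Completeness: share of threat-model categories the source covers.
            "completeness": len(s["covered"]) / len(threat_model),
            # Timeliness: median indicator age (days) when it matched; lower is better.
            "median_age_days": median(s["ages"]) if s["ages"] else None,
        }
    return result


if __name__ == "__main__":
    for source, metrics in score_sources(INDICATORS, LOGS, VERDICTS, THREAT_MODEL).items():
        print(source, metrics)
```

On the constructed data the vendor feed scores 0.5 on accuracy (one of its two hits was a benign scanner) and has a median indicator age of 145.5 days at match time, while the internally sourced indicators match, are confirmed, cover more of the threat model and are days rather than months old; that is the kind of per-source evidence a review can use when deciding which feeds deserve continued investment. In a real review, the verdicts would come from the incident tracking system rather than a hard-coded dictionary, and the log matching would run against the SIEM rather than a list of strings.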
Integration with incident response
Improving visibility into threats and attack methodologies is vital to an organization’s ability to respond to incidents. Effective CTI provides insight into the intent, opportunity and capability of a cyber-attacker. It is this insight which gives an organization some assurance that it can deploy appropriate defense mechanisms to prevent a successful attack.
As part of your review, assess the degree to which CTI is integrated with the steps in your organization’s incident response approach, including preparation, detection, analysis, containment, eradication and recovery.
Measuring the impact of incidents
A post-mortem review of security incidents could give an organization insight into what worked well (and what did not) during incident detection and response and help to identify improvement opportunities.
It is worth reviewing security incidents to determine whether the use of CTI in security monitoring and incident response played a significant role in areas such as detecting unknown threats, reducing time to identify and respond to threats, and preventing significant damage to systems and data.
An assessment of the relevance of CTI to reducing the impact of security incidents could provide a view on which intelligence sources provide the best value to the organization and deserve continued investment.
The value of CTI to any organization is in its ability to support timely decision-making by stakeholders including executive management, corporate security, security operations and risk teams.
Regardless of which cyber security functions it is applied to, this is the key consideration to remember when conducting a review of the design and operating effectiveness of CTI processes.
(This post originally appeared on the ISACA blog.)