As you might know, I am deeply convinced that better threat intelligence allows us to make better security decisions – and I am not the only one making this statement.
I have been trying to get my head around threat intelligence for a while now and realized that depending on whom I talk to, people have a different view of it. NCSC helped me with a paper called Threat Intelligence: Collecting, Analysing, Evaluating to get a better understanding of where we are and where we need to move to. NCSC differentiates between four subtypes of threat intelligence:
Strategic Threat Intelligence is high-level information, consumed at board level or by other senior decision-makers. It is unlikely to be technical and can cover such things as the financial impact of cyber activity, attack trends, and areas that might impact on high-level business decisions. An example would be a report indicating that a particular government is believed to hack into foreign companies who have direct competitors within their own nation, hence a board might consider this fact when weighing up the benefits and risks of entering that competitive marketplace, and to help them allocate effort and budget to mitigate the expected attacks. Strategic threat intelligence is almost exclusively in the form of prose, such as reports, briefings or conversations.
Operational Threat Intelligence is information about specific impending attacks against the organisation and is initially consumed by higher-level security staff, such as security managers or heads of incident response. Any organisation would dearly love to have true operational threat intelligence, i.e. to know which groups are going to attack them, when and how – but such intelligence is very rare. In the majority of cases, only a government will have the sort of access to attack groups and their infrastructure necessary to collect this type of intelligence. For nation-state threats, it simply isn’t possible for a private entity to legally gain access to the relevant communication channels and hence good operational threat intelligence won’t be an option for many. There are cases, however, where operational intelligence might be available, such as when an organisation is targeted by more public actors, including hacktivists. It is advisable for organisations to focus on these cases, where details of attacks can be found from open source intelligence or providers with access to closed chat forums. Another form of operational threat intelligence that might be available is that derived from activity-based attacks: where specific activities or events in the real-world result in attacks in the cyber domain. In such instances, future attacks can sometimes be predicted following certain events. This linking of attacks to real-world events is common practice in physical security but less commonly seen in cyber security.
Tactical Threat Intelligence is often referred to as Tactics, Techniques, and Procedures (TTPs) and is information about how threat actors are conducting attacks. Tactical threat intelligence is consumed by defenders and incident responders to ensure that their defences, alerting and investigation are prepared for current tactics. For example, the fact that attackers are using tools (often Mimikatz derivatives) to obtain cleartext credentials and then replaying those credentials through PsExec is tactical intelligence that could prompt defenders to change policy and prevent interactive logins by admins, and to ensure logging will capture the use of PsExec. Tactical threat intelligence is often gained by reading white papers or the technical press, communicating with peers in other organisations to learn what they’re seeing attackers do, or purchasing from a provider of such intelligence.
Technical Threat Intelligence is information (or, more often, data) that is normally consumed through technical means. An example would be a feed of IP addresses suspected of being malicious or implicated as command and control servers. Technical threat intelligence often has a short lifetime as attackers can easily change IP addresses or modify MD5 sums, hence the need to consume such intelligence automatically. Technical threat intelligence typically feeds the investigative or monitoring functions of a business, by – for example – blocking attempted connections to suspect servers.
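To make the last point concrete, here is an added example of my own (not code from the NCSC paper) of what "consuming technical threat intelligence automatically" looks like in practice: a small Python script that parses an indicator feed, drops indicators older than an assumed 14-day lifetime, and matches the remaining IP indicators against firewall log lines. The feed format, the field names, the lifetime, and all IP addresses, hashes and log lines are constructed for the example.

```python
"""Consume a technical threat-intelligence feed, expire stale indicators and
match the live ones against connection logs.

All data below is constructed sample data; the feed layout, log format and
the 14-day lifetime are assumptions made for this example, not any vendor's.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Constructed feed: CSV, one indicator per line, '#' lines are comments.
SAMPLE_FEED = """\
# indicator,type,first_seen,source
203.0.113.10,ip,2024-05-01T08:00:00Z,constructed-feed
198.51.100.7,ip,2024-05-20T12:30:00Z,constructed-feed
0123456789abcdef0123456789abcdef,md5,2024-03-02T00:00:00Z,constructed-feed
not-an-ip,ip,2024-05-19T00:00:00Z,constructed-feed
"""

# Constructed firewall log lines (timestamp followed by key=value fields).
SAMPLE_LOG = [
    "2024-05-21T09:15:02Z src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow",
    "2024-05-21T09:16:10Z src=10.0.0.8 dst=192.0.2.44 dport=80 action=allow",
    "2024-05-21T09:17:45Z src=10.0.0.5 dst=198.51.100.7 dport=8443 action=allow",
]

# Assumed lifetime: indicators older than this are treated as stale.
DEFAULT_MAX_AGE = timedelta(days=14)


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str          # "ip" or "md5" in this example
    first_seen: datetime
    source: str


def _parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z as an aware UTC datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_feed(text: str) -> List[Indicator]:
    """Parse the CSV feed, skipping comments and malformed entries.

    A line that claims to be an IP but does not parse as one is dropped,
    so a bad feed line can never end up in a block list.
    """
    out: List[Indicator] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        value, kind, first_seen, source = parts
        if kind == "ip":
            try:
                value = str(ip_address(value))   # validates and normalises
            except ValueError:
                continue
        elif kind == "md5":
            if len(value) != 32 or any(c not in "0123456789abcdef" for c in value.lower()):
                continue
            value = value.lower()
        else:
            continue
        out.append(Indicator(value, kind, _parse_ts(first_seen), source))
    return out


def active_indicators(feed: List[Indicator], now: datetime,
                      max_age: timedelta = DEFAULT_MAX_AGE) -> List[Indicator]:
    """Keep only indicators first seen no longer than max_age before `now`."""
    return [i for i in feed if now - i.first_seen <= max_age]


def match_connections(log_lines: List[str],
                      feed: List[Indicator]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, dst, source) for log lines whose dst is an IP indicator."""
    by_ip: Dict[str, Indicator] = {i.value: i for i in feed if i.kind == "ip"}
    hits: List[Tuple[str, str, str]] = []
    for line in log_lines:
        tokens = line.split()
        fields = dict(kv.split("=", 1) for kv in tokens[1:] if "=" in kv)
        dst = fields.get("dst")
        if dst in by_ip:
            hits.append((tokens[0], dst, by_ip[dst].source))
    return hits


def run(now: datetime = _parse_ts("2024-05-21T10:00:00Z")) -> List[Tuple[str, str, str]]:
    """Full pipeline on the constructed data: parse, expire, match."""
    live = active_indicators(parse_feed(SAMPLE_FEED), now)
    return match_connections(SAMPLE_LOG, live)


if __name__ == "__main__":
    for ts, dst, source in run():
        print(f"{ts} connection to {dst} matches active indicator from {source}")
```

Run as-is it reports only the connection to 198.51.100.7: the older IP indicator is still in the feed but has aged out, which is exactly why this kind of intelligence has to be refreshed and expired automatically rather than pasted into a block list once.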
I think it is key to understand the value of these different types of threat intelligence and the different stakeholders. Technical and tactical threat intelligence is the lifeblood of any SOC as well as of the team defining the hardening guidelines. They need to understand what is currently going on and how to handle it in the current infrastructure. In my opinion, there are offerings on the market which are starting to mature in this context and help you with TTPs as well as IOCs. This is kind of the easy part of threat intelligence. It definitely pays off on a daily level and needs to be done in any sound security program. It is not easy, but doable.
It is much harder to establish a broader program that also covers operational and especially strategic threat intelligence, but it is desperately needed. That’s the only way to understand the impact of a business decision on the threat landscape and to get a broader view of the adversaries. In the end, as a CSO I initially want to understand who is attacking me, why, and why now. From there on we can start to get into prediction.
From my point of view it is time to start a threat intelligence program with what you have and grow from there. That’s the only way to align your defenses and make sure your strategy builds the right bridge between business and technology.
Does anybody already run a broad threat intelligence program with all four components? What are your experiences?