Companies must be on the same page to achieve strategic & tactical CTI management
Article by ThreatQuotient APJC regional director Anthony Stitt.
The threat intelligence landscape is dynamic. A threat intelligence platform (TIP) enables organisations to adapt to changes as new standards emerge, and as other systems change how they create or use cyber threat intelligence (CTI).
Simply buying some CTI data sets and a platform to manage them will likely improve malicious detection and blocking — but to be genuinely effective, the program must align to an organisation’s intelligence requirements via a well-founded threat model.
Intelligence requirements come from collaboration across the organisation’s intelligence stakeholders. This includes the CTI team, security operations centre (SOC), incident response (IR), and broader business stakeholders. The threat model process should document the assets most valuable to the business and the threats most likely to impact them.
The threat model should include a collection management framework (CMF), which describes:
- The threat data required and how it can be used (intelligence plan)
- The internal sources of data from priority assets to be monitored (collections plan)
- The analytics required to detect priority threats against priority assets (analytics plan).
Each of these intelligence stakeholder groups uses threat data for a mix of popular use-cases. This can include threat hunting, incident response, triage and defence management.
An effective CTI program requires the alignment of people, processes and technology. The CMF strategically aligns technology using a threat model to guide a collections plan for the SIEM, an intel plan for the TIP, and an analytics plan for the defences.
Frameworks like MITRE ATT&CK have become popular because they help map threat models to lists of intelligence, data sources and analytics. For example, the ATT&CK Navigator will tell you, for any given adversary, the types of behaviours this adversary uses, the best data sources to check for this activity, and sample analytics to detect them.
Using ATT&CK effectively still requires a workable threat model. To help build one, ATT&CK also includes lists of threat actors, with information that can help select those most likely to target an organisation’s priority assets based on each actor’s capabilities and focus.
Only a limited set of threat actors will be relevant to an organisation. In part, a threat intelligence program matches intelligence with observed activity, which means it is equally dependent on the intelligence as it is on the sources of observations from the organisation’s environment. For example, SHA-256 malware file hash indicators of compromise (IoCs) are not very useful if there is no way to correlate them with what is running on endpoints.
Similarly, collecting intelligence for the sake of it may increase the detection rate, but it is also likely to increase noise and false positives. Planning the right intelligence to collect is a critical first step to ensuring the security team has the most accurate data it needs.
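The dependency described above, intelligence only being useful where the collections plan supplies something to correlate it with, can be checked mechanically before a feed is onboarded. The following added example (not from the article or from ThreatQuotient) uses a constructed collections plan, indicator feed and endpoint telemetry; all source names, field names and values are assumptions:

```python
"""Added example: checks whether each indicator type in an intelligence plan is
covered by the collections plan before correlating it against telemetry.
All plans, feeds, telemetry and names below are constructed for illustration."""

# Collections plan: telemetry the SIEM actually receives and the fields it carries.
COLLECTIONS_PLAN = {
    "endpoint_process": {"sha256", "process_name", "host"},
    "dns": {"domain", "host"},
}

# Intelligence plan: which telemetry field each indicator type must be matched on.
INDICATOR_FIELD = {"sha256": "sha256", "domain": "domain", "ipv4": "dst_ip"}

# Constructed indicator feed; the hash is a placeholder, not a real malware hash.
SAMPLE_INDICATORS = [
    {"type": "sha256", "value": "a" * 64, "source": "sharing-community"},
    {"type": "domain", "value": "bad.example", "source": "open-source-feed"},
    {"type": "ipv4", "value": "203.0.113.9", "source": "commercial-feed"},
]

# Constructed endpoint and DNS events as they might arrive from the SIEM.
SAMPLE_EVENTS = [
    {"host": "ws-042", "process_name": "svchost.exe", "sha256": "a" * 64},
    {"host": "ws-017", "process_name": "notepad.exe", "sha256": "b" * 64},
    {"host": "ws-042", "domain": "update.example"},
]


def coverage(indicators):
    """Split indicators into (actionable, uncorrelatable) by whether any
    collected source carries the field needed to match them."""
    collected = {field for fields in COLLECTIONS_PLAN.values() for field in fields}
    actionable, dead = [], []
    for ioc in indicators:
        target = actionable if INDICATOR_FIELD[ioc["type"]] in collected else dead
        target.append(ioc)
    return actionable, dead


def correlate(indicators, events):
    """Match only the actionable indicators against telemetry; return hits."""
    actionable, _ = coverage(indicators)
    by_key = {(ioc["type"], ioc["value"]): ioc for ioc in actionable}
    hits = []
    for event in events:
        for ioc_type, field in INDICATOR_FIELD.items():
            ioc = by_key.get((ioc_type, event.get(field)))
            if ioc is not None:
                hits.append({"host": event["host"], "ioc": ioc})
    return hits
```

Running `coverage` over the sample feed reports the IPv4 indicator as uncorrelatable, because no collected source carries a destination-IP field; that gap belongs in the collections plan, not in the TIP.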
Several questions need answering at this stage: what does the business want to achieve with threat intelligence collection? Which stakeholders will use it? How will they use it? The organisation will then need to determine what type of intelligence will best support their use-cases and how they will validate this data.
Threat intelligence isn’t scarce. There are many open sources from which to collect data. Then there are industry bodies that establish communities to share intelligence, or a business may have a direct relationship with another organisation to share intelligence.
As a general rule, the most accurate and most relevant intelligence will come from organisations you have a trusted relationship with. Commercial intelligence providers have dedicated analysts who validate and curate intelligence before it gets published for consumption, but it may not be relevant to the organisation. Open source intelligence, depending on where it comes from, may require further validation and the addition of contextual information to make use of it. Every case is different, and it is valuable to review intelligence sources periodically.
Ultimately, the ability of the response team to brief the organisation’s board members about the threat landscape can help foster an organisation-wide culture that is aligned on the usefulness of investing in CTI management for multiple use cases and departments.