Threat intelligence has come a long way from its humble beginnings, and none too soon. The nature and number of cybercriminals have expanded greatly, their methods are multiplying and their potential harm continues to increase. For those of us on the front lines, it sometimes feels like we’re running out of thumbs to plug the dike. To change this dynamic, we have to take threat intelligence even further, going beyond rapidly identifying and validating potential threats to making the steps to take action against those threats more immediately available.
The novelty of “dark web” visualizations and data feeds is tapering off as executives begin to realize that eye-catching graphs and expensive —but often poor quality —data feeds are largely ineffective when they overwhelm intrusion analysts with false positives and provide no context as to why a specific domain or IP address has been flagged as malicious. Intelligence that is not actionable is, for all practical purposes, simply a distraction. Indeed, it’s all well and good to identify exfiltration of sensitive consumer data or theft of intellectual property—it’s clearly better to know than not—but the end goal must be to stop cybersecurity incidents and prevent recurrence in real time.
To be sure, the private and public sectors are taking a number of steps to make progress on this front. For example, new Information Sharing and Analysis Organizations (ISAOs) hold the promise of rapidly accelerating the sharing of actionable intelligence and broadening the scope of those who receive it. But companies should not put all their eggs in one or two baskets. Organizations should make sure they have in-house or external expertise in four areas:
- The ability to surface meaningful, validated intelligence;
- The ability to assess and assign the organizational impact of that intelligence;
- The ability to identify what actions to take to mitigate the threat; and
- The ability to take technical, legal or operational action.
These are four distinct skill sets and as such require a multidisciplinary team. For example, an intelligence-aware organization might pull together a fusion cell that is assembled with the express mission to receive, review and execute cyberthreat intelligence. The fusion cell often consists of a lead intelligence analyst, legal counsel, a risk manager, a Security Operations Center (SOC) representative (if available) and a network security professional. Collectively, this group can determine if a threat merits action and execute a tailored response. If severe enough, the fusion cell should have an established path to escalate a recommendation of specific action to the CISO.
The cyberthreat equivalent of the question “What keeps you up at night?” is whether you’re capable of and prepared to take action. If the answer is “No,” and your organization cannot act organically, ensure your service provider has the technical and legal expertise required to fill the action gap.