Joining the Dots: How to Optimize Cyber Threat Intelligence for the Win

Cybersecurity has always been a strategic business enabler. The difference today is that in a post-pandemic world, where organizations are struggling to wrest competitive advantage and battling continued business uncertainty, even the C-suite gets it. An August 2022 PwC study compiled from interviews with over 700 US execs found cyber ranked as the number one business risk – higher than talent acquisition, inflation and rising production costs.

An effective cyber threat intelligence strategy could be the difference between managing this risk successfully and letting malicious adversaries retain the upper hand. But even organizations well supplied with internal data feeds may struggle to obtain the detailed and contextualized external threat information they need to make faster, better informed security decisions. This is a challenge that spans industries and regions. Fixing it will require a similarly expansive and inclusive approach.

The Value of Threat Intelligence

A concerning imbalance is emerging between network defenders and attackers. On the one hand, security teams are understaffed: the global shortfall of professionals is estimated at 3.4 million, according to (ISC)2’s 2022 Global Workforce study. They are also struggling, particularly inside the security operations center (SOC), where a myriad of siloed point solutions sap productivity, create visibility gaps and spit out an overwhelming volume of alerts. Research confirms that 70% of SOC teams are suffering emotionally as a result.

This comes amidst a flurry of spending on digital transformation both during and after the COVID-19 pandemic. It may have been necessary to support hybrid working, enhance business processes and create new customer experiences, but it’s also expanded the corporate attack surface. Over two-fifths of global firms believe this environment is “spiraling out of control.” With newly published CVEs on track to hit another all-time high in 2022, it’s easy to see why.

On the other side, threat actors continue to innovate. The ransomware-as-a-service (RaaS) model is thriving, earning participants billions of dollars annually. Fraud is also peaking on the back of stolen data, with 2021 another record year for scammers in the US. And as the worlds of cybercrime and nation-state activity continue to merge, emboldened state actors are broadening their sights. It’s bad news for consumers, companies and governments.

Yet threat intelligence offers a rare opportunity to level the playing field with an agile, determined and increasingly well-resourced adversary. Whether it’s strategic, tactical or operational intel, it promises to unlock greater understanding of threat actor motives, targets and behaviors, with which to drive a more proactive security strategy. In this way, it could help everyone from senior executives making high-level strategic decisions to SOC teams looking to prioritize alerts, and from fraud teams looking to give customers early warning of data theft to operational teams who want to prioritize CVEs for patching.

The strategic importance of threat intelligence is such that President Biden’s Executive Order in May 2021 includes a lengthy mandate designed to remove information sharing barriers between contracting IT/OT service providers and the federal government.

Collaboration Considerations

Best practice threat intelligence should involve gathering and processing data from a wide variety of sources. These could range from government bodies to non-profits, academia, industry vendors and sector-specific bodies like Information Sharing and Analysis Centers (ISACs). The data they hold might vary a great deal – from high-level white papers and presentations to more technical details like attacker tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs).

Mandiant senior threat intelligence advisor, Jamie Collier, tells Infosecurity that governments have been stepping up in this space over recent years, with efforts led by the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA).

“We are also seeing more public-private initiatives that combine the different perspectives held across government and industry. However, regardless of the initiative, it is vital that they remain focused on intelligence sharing rather than information sharing,” he adds.

“Sharing raw and unprocessed threat information puts a lot of the heavy lifting and analysis burden on recipients. Intelligence sharing, by contrast, necessitates sharing far more actionable and easy-to-consume insight. Sharing intelligence rather than information can therefore help to improve security outcomes in a much more tangible and direct way.”

Some mature industries like financial services have pioneered industry collaboration between peers, he argues. However, there are persistent commercial and legal concerns which can become stubborn barriers to progress.

“Unfortunately, sharing intelligence can be looked upon as sharing vulnerabilities or weaknesses, rather than helping others to protect themselves from the same type of cyber-attack. These sensitivities are often reinforced by legal and regulatory factors. The only way to break down this barrier is to build trusted relationships, but that is easier said than done,” Accenture Security cyber investigation, forensics & response lead, Mark Raeburn, tells Infosecurity.

“Taxonomies and nomenclature can also present a huge problem for organizations. Of course, there are obvious benefits to using your own nomenclature for tracking different groups/cyber-threat actors, as it allows you to categorize things in a manner consistent with your own observations rather than those of third parties whose aperture and perspectives may be different. However, this results in a lack of industry-wide consistency, with many organizations feeling like they have to operate and maintain some kind of Rosetta stone.”

This is where adherence to industry-wide standards like STIX and TAXII can help. However, it’s not only external barriers that organizations must break down to enhance threat intelligence, but also internal ones, Forrester principal analyst Brian Wrozek tells Infosecurity.
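As an added illustration (not code from the article, Mandiant, Accenture or any vendor), the Python below shows how the `aliases` field on a STIX 2.1 intrusion-set object lets a team keep the "Rosetta stone" Raeburn describes in data rather than in analysts' heads: each feed's group name resolves to one canonical actor, and indicators are grouped under that actor through the bundle's relationship objects. The bundle, object IDs, actor names and the indicator pattern are constructed placeholders.

```python
TS = "2022-10-01T00:00:00.000Z"  # one timestamp reused for brevity
# Constructed STIX 2.1 bundle (sample data, not from any real feed): one intrusion
# set two hypothetical vendors name differently, one indicator, one relationship.
BUNDLE = {
    "type": "bundle", "id": "bundle--7d2b2a5e-1c6f-4b3a-9e5d-0f1a2b3c4d5e",
    "objects": [
        {"type": "intrusion-set", "spec_version": "2.1", "created": TS, "modified": TS,
         "id": "intrusion-set--3f9c1d2e-4b5a-4c6d-8e7f-9a0b1c2d3e4f",
         "name": "EXAMPLE-ACTOR-7",  # placeholder canonical name
         "aliases": ["VENDOR-A GROUP 7", "Vendor B Bear"]},  # placeholder vendor names
        {"type": "indicator", "spec_version": "2.1", "created": TS, "modified": TS,
         "id": "indicator--a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",
         "pattern_type": "stix", "valid_from": TS,
         "pattern": "[domain-name:value = 'c2.example.invalid']"},
        {"type": "relationship", "spec_version": "2.1", "created": TS, "modified": TS,
         "id": "relationship--5e4d3c2b-1a0f-4e9d-8c7b-6a5f4e3d2c1b",
         "relationship_type": "indicates",
         "source_ref": "indicator--a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",
         "target_ref": "intrusion-set--3f9c1d2e-4b5a-4c6d-8e7f-9a0b1c2d3e4f"},
    ],
}


def build_alias_index(bundle):
    """Map every name and alias (case-folded) to the canonical intrusion-set name."""
    index = {}
    for obj in bundle["objects"]:
        if obj["type"] == "intrusion-set":
            for label in [obj["name"], *obj.get("aliases", [])]:
                index[label.casefold()] = obj["name"]
    return index


def resolve(vendor_name, index):
    """Translate a feed's group name to the canonical one; None when no feed knows it."""
    return index.get(vendor_name.casefold())


def indicators_by_actor(bundle):
    """Group indicator patterns under the actor they 'indicate' via relationship objects."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    grouped = {}
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel["relationship_type"] != "indicates":
            continue
        src, tgt = by_id.get(rel["source_ref"]), by_id.get(rel["target_ref"])
        if src and tgt and src["type"] == "indicator" and tgt["type"] == "intrusion-set":
            grouped.setdefault(tgt["name"], []).append(src["pattern"])
    return grouped
```

In practice the bundle would arrive over a TAXII collection; the same index and grouping logic applies unchanged to a parsed bundle of any size.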

“Beyond the vast array of technical challenges that are well known, organizational structures and politics hinder collaboration and data sharing,” he argues. “Information is power and people are reluctant to relinquish it. Departments that control information and systems may have competing goals that take priority over threat intelligence sharing, or they may have budget constraints.”

From the Inside Out

In order to tackle these organizational challenges, firms need to embark on cultural change to drive a unified data-centric strategy, Wrozek continues.

“Foster collaboration to reduce friction. Identify key requirement use cases to drive data integration solutions and justify new technology investments. Highlight the consequences of the status quo such as incidents that could have been avoided or higher than necessary mitigation costs,” he explains.

“Also, incorporate strong security and privacy controls into the roadmap to protect all this information. Stay focused on the goals you are trying to achieve with your threat intelligence program. Remember that some use cases can be solved even if the data remains siloed by analysts who can manually connect the dots.”

This internal focus can be key, agrees Mandiant’s Collier: “Most intelligence analysts are highly focused on the external threat landscape, yet sometimes neglect putting in the time to understand their own organization. Ultimately, it doesn’t matter how much an analyst knows about the latest cyber-espionage operation if they are unable to connect with the stakeholders in their organizations, understand their challenges and work with them to identify how threat intelligence can make their lives easier.”

“Intelligence teams might be hardwired into disseminating their expertise to various stakeholders, yet high-performing functions should also be spending a lot of time listening too.”

However, ultimately the value of threat intelligence comes from its heterogeneity.

“Different organizations will inevitably have different visibility. This means that there is never going to be one entity that has the best insight. It is instead helpful to see the threat landscape as an area where public and private sector organizations simply have different lenses and perspectives,” Collier concludes.

“Rather than seeing this through silos, security leaders will derive more benefit from building up a strategy of collaborating with organizations which offer complementary and useful perspectives. Forming a collective view of intelligence therefore entails a substantive discussion on the unique perspectives of different parties.”


Five of the best independent threat intel sources

The market for threat intelligence is crowded with competing vendors, some of which offer a free version of their services. However, CISOs will want to complement these with some truly vendor-neutral sources. Here are some of the most highly regarded, to feed into threat intelligence programs:

  1. ISACs: Sector-specific hubs for critical infrastructure owners and operators.
  2. FBI InfraGard: Free feeds are categorized by industry, and joining provides an opportunity to access more localized intelligence.
  3. VirusTotal: A service that needs little explaining. It aggregates AV and scanning engines to analyze user-submitted files and URLs for malware.
  4. Automated Indicator Sharing (AIS): A CISA service designed to enable participants to exchange machine-readable cyber threat indicators and defensive measures in real time.
  5. Cyber Security Information Sharing Partnership (CISP): A joint industry-government service set up by the NCSC which allows UK organizations to share cyber-threat information in a secure and confidential environment.