#4 on our list of “Top 20” SOC Capability Areas switches focus from “Know Your Self” to the “Know Your Adversaries” challenge – Cyber Threat Intelligence. It is no silver bullet; but understanding your adversaries’ intent, capabilities, and behaviors will inform the spectrum of decisions your Security Operations team makes (both manually and automatically) on a daily basis.
Cyber Threat Intelligence capabilities (e.g., feeds and platforms) have become increasingly commonplace in Security Operations in recent years. What was originally accomplished using homegrown capabilities relying on open source collection and shared intelligence has become a large and growing market of commercial offerings and sharing communities (e.g., Information Sharing and Analysis Centers, or ISACs).
Traditionally, smaller and emerging Security Operations teams have not initially invested in such capabilities, primarily because they typically cannot afford a dedicated person who understands how to apply CTI.
However, adding this type of contextual knowledge of one’s likely adversaries is proving helpful to Information Security Architects in making proactive decisions regarding which Security Controls to invest in (authentication, authorization, auditing, etc.), and how to configure them.
Further, providing such contextual knowledge to Tier 1 Analysts in real time helps them immediately put an incident into the “bigger picture”, informing their reactive decisions on how best to respond.
Weekly CTI updates may even bolster any Security Awareness program your organization has in place to keep its employees and stakeholders informed on current events in cybersecurity.
Perhaps the most common application of CTI, typical in larger Security Operations environments, is using the data to inform security monitoring and Security Automation & Orchestration capabilities. For familiar, commodity threats, CTI data can be used to continuously update automated detection and response capabilities. For advanced, novel threats, CTI can be used to inform the manual hunting process. Caveat emptor: your adversaries have access to the same CTI platforms and feeds that you do, and they can (and do) actively use that knowledge to distract and misdirect your limited resources.
Before committing to any CTI investments, you should have a good understanding of exactly who on your Security Operations team will be using the intel, what “intelligence requirements” they have, and what constitutes “success”. Having people and processes in place first will ensure your CTI investments are practical and productive.
When implementing Cyber Threat Intelligence capabilities, solutions should address the comprehensive threat landscape, should cover the complete cyber “kill chain”, and should adhere to maturing standards like STIX and TAXII to describe and share information about: threat actors and their aliases, their campaigns, their behaviors (“TTPs”), their capabilities (exploit kits, malware, botnets, C2, etc.), related indicators of attack (IOA) and compromise (IOC), and even threat intel on specific aspects of the internet (suspicious autonomous systems, malicious domains, malicious URLs, malicious IP addresses and ranges, etc.).
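To make the “feed STIX indicators into automated detection” idea above concrete, here is an added example (not code from the original article, and not any vendor’s product) that loads a STIX 2.1 indicator bundle, drops indicators that have expired or fall below a confidence threshold, and matches the remaining IP and domain indicators against proxy and DNS log lines, attaching the indicator’s name, confidence and kill-chain phase to each alert so a Tier 1 analyst sees the “bigger picture” immediately. The bundle, the indicator values (documentation-range addresses and `.example` names) and the log lines are all constructed sample data; the parser deliberately handles only the single-comparison STIX pattern form `[<object>:<property> = '<value>']`, and the log field names are assumptions.

```python
"""Load a STIX 2.1 indicator bundle and match its simple patterns against log lines.

Added example, not code from the original article. Only the single-comparison
STIX pattern form  [<object>:<property> = '<value>']  and two observable types
(ipv4-addr, domain-name) are handled. All data below is constructed.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample bundle: two active indicators and one that has expired.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "Sample C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.42']",
         "valid_from": "2024-01-01T00:00:00Z", "confidence": 80,
         "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                                "phase_name": "command-and-control"}]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "Sample phishing domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'login-update.example']",
         "valid_from": "2024-01-01T00:00:00Z", "confidence": 60,
         "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                                "phase_name": "delivery"}]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "Retired scanner", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2023-01-01T00:00:00Z",
         "valid_until": "2023-06-30T00:00:00Z", "confidence": 30},
    ],
})

# Only the simplest STIX pattern shape is supported by this parser.
_SIMPLE_PATTERN = re.compile(r"^\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")

def _parse_ts(s):
    """Parse a STIX timestamp (RFC 3339 with trailing Z) into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def load_indicators(bundle_json, now=None, min_confidence=50):
    """Return {(object_type, property): {value: indicator}} for active, sufficiently
    confident indicators. Expired indicators and unreadable patterns are skipped."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_ts(now)
    table = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if "valid_until" in obj and _parse_ts(obj["valid_until"]) <= now:
            continue  # expired intel must not keep firing alerts
        if obj.get("confidence", 0) < min_confidence:
            continue  # low-confidence intel goes to hunting, not automated alerting
        m = _SIMPLE_PATTERN.match(obj["pattern"])
        if not m:
            continue  # multi-comparison patterns need a real STIX pattern engine
        otype, prop, value = m.groups()
        table.setdefault((otype, prop), {})[value] = obj
    return table

# Constructed log lines (assumed proxy and DNS field names), not real traffic.
SAMPLE_LOGS = [
    "2024-03-04T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.42 host=cdn.example",
    "2024-03-04T10:00:02Z dns client=10.0.0.8 query=login-update.example",
    "2024-03-04T10:00:03Z proxy src=10.0.0.9 dst=198.51.100.7 host=old.example",
    "2024-03-04T10:00:04Z dns client=10.0.0.8 query=intranet.example",
]

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"(?:host|query)=([\w.-]+)")

def match_logs(lines, table):
    """Return one alert dict per (line, indicator) hit, carrying CTI context."""
    alerts = []
    ips = table.get(("ipv4-addr", "value"), {})
    domains = table.get(("domain-name", "value"), {})
    for line in lines:
        hits = [ips[ip] for ip in _IPV4.findall(line) if ip in ips]
        hits += [domains[h] for h in _HOST.findall(line) if h in domains]
        for ind in hits:
            phases = [p["phase_name"] for p in ind.get("kill_chain_phases", [])]
            alerts.append({"line": line, "indicator": ind["id"], "name": ind["name"],
                           "confidence": ind.get("confidence"), "phases": phases})
    return alerts

def demo(now="2024-03-04T00:00:00Z", min_confidence=50):
    """Run the sample bundle against the sample logs at a fixed point in time."""
    return match_logs(SAMPLE_LOGS, load_indicators(SAMPLE_BUNDLE, now, min_confidence))

if __name__ == "__main__":
    for a in demo():
        print(f"{a['name']} ({a['confidence']}, {','.join(a['phases'])}): {a['line']}")
```

Two design points carry over to any real deployment: the `valid_until` check is what keeps stale indicators from generating alerts long after the feed has retired them, and the confidence threshold is one simple way to route weaker intel to hunting rather than automated response, which matters given that adversaries can seed the same public feeds.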
This article barely scratches the surface of the need for Cyber Threat Intelligence capabilities in contemporary Security Operations. But taken together with the other capability areas in this “Top 20” list, we hope to shine a light on the breadth, depth, and complexity of what is involved in building effective Security Operations today.
Contact us if you'd like help identifying and selecting Cyber Threat Intelligence capabilities to support your own Security Operations efforts.