In recent years, the cyber-threat intelligence market has witnessed an increase of activity in three key areas. Firstly, various new providers have emerged and focused their attention on the topic, resulting in an increased supply of intelligence and technology vendors. Additionally, there are more external drivers motivating organisations to strengthen cyber-defences, such as legislation and government incentives. Finally, and most significantly, there has been a wide adoption of industry standards – STIX and TAXII – in managing cyber-threat intelligence.
These three areas have created a positive stimulus for organisations to tap into open, commercial and community sources of cyber-threat intelligence. Many businesses are quickly becoming active consumers of threat intelligence. For the first time, they have instant access to a wide variety of data and intelligence sources, encompassing threat intelligence about generic threats as well as targeted threats aimed at a single organisation, industry or country.
Intelligence: too much of a good thing
For organisations and governments around the globe, sorting through and fusing together multiple threat intelligence feeds is a challenge that introduces several new risks and exposures. For example, suppose you suffer a breach, and it later becomes apparent that you failed to act upon clear intelligence on an emerging threat that had been lost in the noise. An incident like this may involve legal challenges, particularly with regulators pushing for board-level accountability on cyber-security outcomes.
To understand the threat landscape, you need to combine and contextualise threat intelligence from multiple different sources, which becomes much harder as you incorporate more threat intelligence feeds. Organisations don't necessarily have to become experts in assessing the priority, relationships, validity, or data quality of threat intelligence. Their focus should be on understanding their threat reality and turning insights into business value.
Organisations have become highly reliant upon direct feeds from multiple intelligence sources to protect their perimeter defences, to respond to breaches, and to inform front-line personnel about defensive measures. From there, it's essential that organisations capture the instant insights of the intelligence community while relying upon specialised experts to perform triage on the deluge of incoming data.
A network of knowledge
Consolidation in the intelligence community is already happening. And the very same industry standards (STIX and TAXII) that enable organisations to tap into the intelligence community also make it easier for intelligence professionals to exchange information among themselves. Businesses need to exploit this opportunity by offloading the exchange, fusion and qualification of threat intelligence elsewhere so they can focus on what matters for them.
There's no reason for organisations to duplicate the work already being done by the intelligence community. By tapping into industry-focused communities, geographically-focused communities and commercial fusion centres, organisations can let the intelligence community do the hard work.
For example, a small European bank may get almost the entirety of its threat intelligence from an FS-ISAC (information sharing and analysis centre) and national cyber-security centre (NCSC) in its home country. However a global bank may go further afield with commercial fusion centres, designed to exchange and fuse threat intelligence from commercial and open sources, to supplement for specific geographies and lines of business. As such, an organisation only needs to manage a limited set of “bundled and processed” intelligence feeds, instead of managing each separate feed individually.
Threat analysts should be dedicated to understanding their threat landscape and working closely with the organisation to deter, defeat or prevent disruption and impact from cyber-threats. In addition, threat analysts should be encouraged to contribute to their respective communities by confirming observations, reporting sightings of specific attack types and sharing details of new threats as they emerge. Industry standards STIX and TAXII make it easy for such information to propagate across communities to the benefit of all participants.
The “community-of-communities” approach
Making the most of the intelligence work done by the specialist community enables an organisation to focus its scarce resources to its actual mission: analysis, determination of defensive actions and stakeholder management. Through this approach, the organisation can more easily manage and process a multitude of separate cyber-threat intelligence feeds.
To prepare for the “community-of-communities” future of threat intelligence, you should firstly evaluate your threat intelligence requirements and understand internal stakeholders' needs. It's important to distinguish between generic threats and sector-specific or geographic threats affecting your respective communities, as well as targeted threats specific to your organisation.
Secondly, establish your planning assumptions. Estimate when you expect industry and regional communities to evolve to the point where you can rely upon them to deliver intelligence that covers the bulk of your organisation's threat exposure.
Thirdly, building or acquiring a dedicated threat intelligence practice is key. You will need a standards-compliant threat intelligence platform, along with threat analysts who understand your industry well enough to establish processes that translate incoming intelligence into action. Alternatively, find a partner who can take on these responsibilities on your behalf.
It's also important to benchmark your progress. Do you have fully automated updating of endpoint devices? How long does it take to respond to a threat or a breach notification? Determine where you can improve response speed through automation and boost response effectiveness through end-user training. Keep track for budgeting and performance reporting.
And finally, share your insights. The “community-of-communities” approach requires your active participation for it to succeed. Join in, attend events, and contribute what you learn about new threats as they evolve.
Contributed by Joep Gommers, CEO, EclecticIQ
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.