Getty Images/iStockphoto
CISOs on how to improve cyberthreat intelligence programs
Organizations need to take a focused approach to gain visibility into targeted threats for cyber-risk mitigation and incident response.
The more things change, the more they stay the same -- even when it comes to cyberthreat intelligence.
Two years ago, TechTarget's Enterprise Strategy Group conducted research into how organizations were managing their cyberthreat intelligence programs. We surveyed 380 cybersecurity professionals involved with or knowledgeable in this area.
When asked to identify their top cyberthreat intelligence challenges, survey respondents pointed to the following issues:
- Overly technical threat intelligence reports. This a problem because threat intelligence requirements should start by identifying risks to critical business assets, such as regulated data, intellectual property or key operational technologies used in areas like manufacturing, energy production or patient care. To gather and analyze the right data, threat intelligence analysts then need business input and continuous feedback. Overly technical reports that businesspeople can't understand are antithetical to building this necessary collaborative communication.
- A lot of threat intelligence noise. When it comes to cyberthreat intelligence, many cybersecurity professionals operate under a more-is-better mindset. Consequently, organizations become buried in threat intelligence data, making it difficult to find valuable insights. Threat intelligence noise translates to wasted time, false positives and inefficiencies galore.
- A focus on indicators of compromise rather than more strategic use cases. Many organizations equate threat intelligence and IOCs with the goal of blocking malicious files, web domains and IP addresses. I would refer these folks to the Pyramid of Pain -- a model that articulates that adversaries can easily change these attack tactics, so blocking today's IoCs isn't effective over time. To make cyberthreat intelligence more strategic, it must help organizations learn about the tactics, techniques and procedures (TTPs) cyberadversaries use in targeted attacks so they can assess defenses, find weaknesses and implement the right countermeasures.
- An overwhelming volume of threat intelligence. This also fits into the more-is-better mentality. Cyberthreat intelligence analysis isn't about data volume; it's about analyzing the threat intelligence data relevant to an organization's industry, location, business processes, etc.
- Few, if any, personnel with threat intelligence skills. This is true across many, if not most, organizations. According to research from Enterprise Strategy Group and the Information Systems Security Association, 65% of organizations have been impacted by the cybersecurity skills shortage, especially in specialized areas such as threat intelligence analysis. CISOs must understand that hiring experienced threat intelligence analysts could be next to impossible.
Why am I bringing up 2-year-old data? Based on several recent CISO interviews, it appears not much has changed. In fact, the CISOs I spoke with suggested that things might be getting worse. They also complained about the price of threat intelligence and the need to look beyond traditional threat intelligence sources into areas such as social media monitoring, digital risk protection -- i.e., safeguarding digital assets and brand reputation -- and aligning threat intelligence with physical security.
How to improve your cyberthreat intelligence program
Threat intelligence weaknesses are quite a conundrum for organizations. Most recognize the need to bolster their cyberthreat intelligence programs but lack the skills or strategies to do so. What can be done to bridge the gap? CISOs I recently interviewed offered the following suggestions:
- Use the Mitre ATT&CK framework. The Mitre ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Without going into too much data, the framework can help organizations better understand adversary TTPs so they can then build detection rules and fine-tune their security controls.
- Invest in training. Since hiring cyberthreat intelligence specialists probably isn't possible, send ambitious cybersecurity staffers to training courses. The SANS Cyber Threat Intelligence training is a good place to start.
- Look for curated cyberthreat intelligence feeds. Rather than boil the threat intelligence data ocean, evaluate vendors -- such as Mandiant, Recorded Future, Ticura and ZeroFox -- that offer curated cyberthreat intelligence data feeds, tailored to an organization's location, industry and size.
- Work with service providers. Managed security service providers and managed detection and response service providers must build cyberthreat intelligence analysis expertise in support of their business. Many are using this in-house proficiency to offer threat intelligence analysis as a service. Note that organizations still need to provide input into their business risks and IT infrastructure so service providers can tailor their services accordingly. Organizations also need to put processes in place to respond to threat reports with the right resources and countermeasures.
- Adopt a threat-informed defense. As Sun Tzu said, "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat." From a cybersecurity perspective, organizations should view their company, IT infrastructure and security controls from an adversary perspective and then use this knowledge to reinforce their defenses. Smart CISOs with a belt-and-suspenders mentality will also battle test their defenses with continuous penetration testing and red teaming.
Jon Oltsik is analyst emeritus and founder of TechTarget's Enterprise Strategy Group cybersecurity service. With more than 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity.
Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.