Use threat intelligence to your advantage

A First Step Towards Building a Cyber Threat Intelligence Capability

Threat intelligence is, at its core, about providing you with a knowledge advantage, which enables you to direct your resources where they are most effective. Use threat intelligence to guide your cyber security program and enable a more responsive and adaptable cyber defense.
Christoffer Strömblad
7 min read

In this article, we will describe a first step towards building a cyber threat intelligence (CTI) capability using the resources you already have. Our goal is not to explain all that's required for full CTI capability but to explain just enough to get you started – for real.

Specifically, we'll introduce you to the concept of defining your intelligence requirements. This is the process of identifying the questions you seek answers to and the problems you're trying to resolve. Therefore, before you begin, it's important that you have thought long and hard about the questions you want to ask – and the problems you want to solve.

We'll initially spend a few moments defining the problem area – the desired end state of your cybersecurity program.

What capability are you trying to build? What questions should your CTI be able to answer? Comprehending the problems is the first step towards defining your intelligence requirements.

But why should anyone attempt to build CTI capability in the first place? Should they even care about such a capability? Since you're already here, it's probably fair to say that your interest in CTI is at least heightened, but let's briefly touch upon the importance of establishing CTI capability.

Understanding the Essence of Intelligence

Intelligence, at its core, is about providing you with a knowledge advantage. This knowledge advantage will enable you to direct your resources where they are most effective. Intelligence can also be described as a tool for prioritization.

Many organizations are operating with limited resources and thus have the fundamental task of prioritizing all the potential activities and initiatives that could possibly strengthen their defensive capabilities.

Intelligence provides you with answers and helps you determine how to make these prioritizations. For example, you can use intelligence to explain which defensive techniques you should implement and which software vulnerabilities to patch first. The advantage we gain from having access to timely and actionable intelligence enables a more appropriate, justified, and real-world-based response to cyber attacks.

What's a Knowledge Advantage?

So, what exactly does a knowledge advantage look like? Consider this: You've got a limited budget, resources, and time, but you must do something to defend your organization. What should you do?

Let's turn to our future CTI capability. We might ask something like this: Over the past three months, which techniques were most commonly observed to provide attackers with initial access?

You might receive an answer something along these lines: 45% of all observed attacks leveraged known vulnerabilities in publicly exposed internet servers; another 30% used mass-mailed phishing with Excel/Word macro-enabled documents.

That right there is your knowledge advantage – knowing that 45% of all observed attacks could have been prevented by patching known vulnerabilities. The priorities are clear; you know what to do.

We could continue asking questions such as: Which vulnerabilities were abused most often? What about attacks against our industry/sector or specific attacks against us as an organization?

Defining Your Problem Area

Alright, we've got the essence of intelligence down: a knowledge advantage and a tool for prioritization, enabling a defensive capability rooted in insights about real-world cyber attacks.

Intelligence is not produced in a vacuum, absent of a surrounding environment with its own set of constraints, expectations, and possibilities. The surrounding environment is not only your organization but also the industry you're in, the country you're in, the partners you have, the organizations you're conducting business with, and quite obviously, all potential adversaries operating in the cyber realm.

This environment, or problem area, provides the boundaries within which your intelligence capability will attempt to provide answers. Before we begin, you need to ask yourself what problems you're trying to solve. Without setting a direction, without first clarifying what issues we're trying to solve, our CTI capability is going to be rather lackluster, and most of all, likely quite ineffective.

Before continuing to read, ask yourself what specific outcomes you believe a CTI capability will help you achieve. What specific results and effects are you looking for? Think about that for a moment, and ideally, write it down or make a few notes somewhere. And yes, these are hard questions with no obvious answers.

Defining Your Intelligence Requirements

An intelligence requirement (IR) is the embodiment of your priorities, the knowledge you seek to attain and have deemed essential to effectively protect your organization. Intelligence requirements are about what matters to you and perhaps equally what should matter to you. You must be clear about what you don't know and want to know.

What intelligence questions should I ask? How do I know? There are no easy answers to these questions. It comes down to how well-versed you are at actually asking questions (yes, it's most definitely a skill) and your experience and knowledge regarding cybersecurity.

Essentially, you might start with an overarching question along the lines of: What am I trying to achieve with my cybersecurity program? Let's begin with the end in mind.

Begin With the Outcome in Mind

Instead of discussing outputs such as specific products, reports, or services, let's talk about the business outcome we're hoping to achieve. Here are a few examples of how that might look.

Outcome: We want to prioritize and implement countermeasures based on real-world insights about cyber attacks.

We want to achieve an outcome where defensive countermeasures are prioritized based on real-world insights about cyber attacks. We begin with the end in mind. What's the state you want to find yourself in? To reach this desired state, what outcomes would you need to achieve?

For argument's sake, here's another outcome.

Outcome: We can continuously adjust and adapt our defenses based on attackers' shifting techniques and tactics.

You may want to connect specific metrics to these statements to enable measurement and actually know when the state has been achieved, but that's for another time.

Working Backwards From the End

Achieving these outcomes will require multiple, specific activities that are either ongoing or performed once. The desired outcomes mentioned above need to be broken down into smaller and more manageable components. To adapt our defenses, it seems likely that we would need to see what the attacker sees. You would require visibility of your digital footprint – the assets (servers, applications, and services) you expose to the internet.

Activity: Continuously enumerate, identify, and produce a list of currently publicly accessible and active assets across our organization.

And now you're perhaps finally ready to ask some more specific intelligence questions and state your requirements.

This IS the Knowledge You're Looking For

You're trying to be more objective about your security efforts and make prioritizations and decisions based on real-world cyber attacks. You might then ask:

  • Intelligence requirement: What techniques are attackers most likely going to use against us to establish an initial foothold?
  • Intelligence requirement: Which of our internet-connected assets are most likely to suffer a successful breach within the next six months?
  • Intelligence requirement: Are we exposed to any vulnerabilities currently being exploited in the wild?

This is what you might ask your CTI capability to help you answer. Not having access to such a capability shouldn't stop you, though; ask your cybersecurity engineers.

Bringing It All Together

Let's wrap up what you've read so far. The cyber threat intelligence capability you're trying to build is about giving you a knowledge advantage and using this advantage to defend against adversaries more effectively. The very first step in building your CTI capability is thoroughly understanding the questions you're trying to answer, thus defining your problem area.

Having defined your problem area, you visualize or try to imagine the desired state of your cybersecurity program in relation to the CTI capability. You may, for example, want to set accurate priorities for countermeasures based on real-world insights about cyber attacks. Finally, you define the knowledge you seek to attain by defining your intelligence requirements.

Having defined your requirements, you're ready to take the next step towards data and information collection and analysis.

Journey Towards Comprehension of Cyber Attacks

Defining your requirements is the first step you need to take, and it's an important one. The next step on your journey towards comprehending cyber attacks and knowing how to respond is about processing your intelligence requirements, deriving essential elements of information (EEIs), and commencing with data collection.

The very first step in building a cyber threat intelligence capability is defining the issues you're trying to solve with such a capability. You do it by first determining your desired outcomes and mapping several specific activities to these outcomes. Next, you'll define specific intelligence requirements that embody your priorities and can be mapped to the desired outcomes of your cybersecurity program.
