Cyberlands.io - API Penetration Testing

DIY Strategic Threat Intelligence - Part 1. Threat Management Cycle

Defending an organization in today's dynamic environment is like windsurfing: the surfer has to stay on the right edge of the wave, acting neither too early nor too late. Suppose we decide to cut what looks like excess spending and reduce our cybersecurity investment. If we then suffer a cyberattack, that decision can mean huge losses for shareholders, and for management and the CEO it can mean losing a position or even a career.


Surfing training starts with reading the conditions around you; in the digital world that is called strategic threat intelligence. We should understand clearly who threatens our organization and how, what the capabilities and motives of potential adversaries are, and what other enterprises are doing in information security.


Otherwise it is hard to stay on that necessary part of the wave and reach the only achievable state of real security: being better protected against current threats than our peers are. If we achieve this, attackers find it more profitable to go after other organizations, just as in the well-known joke about the two hunters and the bear: you do not have to outrun the bear, only your colleague.


Rather than reinvent the wheel, we will build our cyber intelligence system on the practices of one of the leaders of the digital world, Intel, which were described and presented to the general public in 2012. We will supplement them with the methods of "avoiding the bear": information security benchmarking, and the daily security monitoring practices used for the corporate IT landscapes of the largest oil and gas and high-tech companies.


The resulting cyber intelligence system gives us real data on which threats, vulnerabilities and tactics are in use worldwide, which incidents and attack markers are present in our own network, and which threats our industry peers are fighting. On that basis we get an answer to the question of when, and against what kind of threat, we should act.

What is strategic threat intelligence?


Clearly, if a threat is active in the outside world, we see attacks on our network, and industry peers are already fighting it, then we need to analyze how that threat can affect the business. On the other hand, a thousand press articles about "super-duper viruses", "giga-mega vulnerabilities" and "viciously harsh regulators" should not worry us if, with a mature cyber threat intelligence system, we see no real activity of that threat in the outside world, no activity in our network, and no peer projects to reduce the associated risk.


Thus, having mastered one type of wave (in the digital world, one threat), you can learn to see different waves and move from one to the next, not only heading off the ninth wave, the attack whose consequences are critical, but also making it easier to discuss funding and support for IS initiatives with the business.


Most organizations already do cyber threat intelligence to some extent. Below we describe how this seemingly exotic and complex subject can be implemented with few resources while keeping the potential to scale the process and increase its coverage and accuracy.

Since the topic is extensive and deserves a whole book, in this article we restrict ourselves to the main elements of a cyber intelligence program:

  • threat management cycle;
  • sources of external threat intel;
  • sources of internal threat intel;
  • benchmarking intel;
  • legal aspects.

Threat management cycle

Threat management has been debated for years, starting with the term itself: how can you control forces that are external to the organization? Yet for decades mankind has managed emergencies primarily by monitoring their occurrence and applying proactive measures to prevent them where possible (for example, reinforcing the banks of mountain rivers to prevent floods).


In 2012, in his book Managing Risk and Information Security: Protect to Enable, Malcolm Harkins, Vice President and Chief Information Security Officer of Intel Corporation, described an original threat lifecycle model (similar to Intel's product lifecycle model)...


The model combines information about how threats develop, a structured approach to judging when security measures should be deployed, and an orientation toward monitoring external sources. Malcolm's career path likely shaped it: among other roles he headed competitive intelligence and IT benchmarking and was financial manager of Intel's global IT service.


Harkins' model includes five phases of threat development:

  • theoretical research;
  • experimental research;
  • proof of concept (PoC);
  • the exploitation of a vulnerability;
  • commoditization of vulnerability.

From the first phase to the fifth, a threat turns from an idea voiced at a research conference into a cheap, publicly available tool for attacking corporate infrastructure.


We adapted Harkins' model into a more holistic, comprehensive and industry-specific integrated threat monitoring model. It is naturally geared toward tracking how the landscape of mass attacks and the tactics and tooling of cybercrime develop. It works by testing our hypotheses about the relevance of a given type of threat against a set of indirect indicators.

"Embryo" threat development stage

Hypothesis: a new threat is possible: a new type of attack or exploit whose implementation is extremely difficult by any measure.

Potential intruders: state intelligence services or the cyber units of foreign militaries.

External indicators: the threat is discussed at conferences, but there is no practical implementation yet.

Internal indicators: the organization has potentially vulnerable information assets (systems, contractors, etc.).

Benchmarking indicators: competitors are discussing the threat.

"Baby" threat development stage

Hypothesis: a new threat is possible: a new type of attack or exploit whose implementation is difficult by any measure.

Potential intruders: in addition to the above, cyber mercenaries (targeted attacks).

External indicators: the attack has been demonstrated, but the details and tooling needed to reproduce it are not publicly available.

Internal indicators: the organization has potentially vulnerable information assets that are either reachable from outside (network perimeter, workstations, contractor connections, BYOD) or business-critical (holding intellectual property, processing or storing customer data, producing external financial statements, etc.).

Benchmarking indicators: competitors have begun to assess the impact of a potential attack on the business.

"Child" threat development stage

Hypothesis: a new threat is possible: a new type of attack or exploit of average implementation complexity.

Potential intruders: in addition to the above, organized cybercrime.

External indicators:

  • a PoC is publicly available;
  • reports of the threat being used in practice.

Internal indicators:

  • the organization has potentially vulnerable information assets;
  • there is no fix from the vendor, or it cannot be installed;
  • hits on Indicators of Compromise (IoCs) characteristic of the threat: connections to known external resources, YARA rules written from the PoC;
  • anti-APT solutions firing in the late stages of an attack.

Benchmarking indicators: competitors have begun designing countermeasures to the threat.

"Teen" threat development stage

Hypothesis: a new threat is possible: a new type of attack or exploit of low implementation complexity.

Potential intruders: in addition to the above, mass (commodity) cybercrime.

External indicators:

  • working exploits are publicly available;
  • reports of the threat being used in practice.

Internal indicators:

  • the organization has vulnerable information assets;
  • there is no fix from the vendor, or it cannot be installed;
  • hits on IoCs, antivirus or IDS (Intrusion Detection System) signatures characteristic of the threat;
  • anti-APT solutions firing in the late stages of an attack.

Benchmarking indicators: competitors have begun implementing projects to counter the threat.

"Adult" threat development stage

Hypothesis: the cyber threat landscape has gained another established threat; its tactics and vulnerabilities are actively used in attacks on organizations.

Potential intruders: in addition to the above, hacktivists and casual attackers.

External indicators: exploits and attack methods are widely available and cheap; the press reports successful breaches; customers complain.

Internal indicators:

  • the organization has vulnerable information assets;
  • hits on IoCs, antivirus or IDS signatures characteristic of the threat;
  • anti-APT solutions firing in the late stages of an attack.

Benchmarking indicators: competitors have completed projects to counter the threat.
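To make the five-stage model usable day to day, here is an added example (not from the original article, and not Intel's or Harkins' code) that encodes it as a small Python classifier. Each indicator family (external, internal, benchmarking) votes a floor for the threat's stage, the highest floor wins, and the number of families that actually confirm the threat is what separates a real threat from press noise, as argued earlier in this article. The enum names, the Internal fields, the press_hype flag and the action table are this example's own assumptions about how the indicators would be recorded.

```python
"""Stage classifier for the five-stage threat model (added example, not the
article's own code). The enum names, Internal fields and ACTIONS table are
this example's assumptions about how the indicators would be recorded."""
from dataclasses import dataclass, field
from enum import IntEnum


class Stage(IntEnum):
    NONE = 0
    EMBRYO = 1   # discussed at conferences, no practical implementation
    BABY = 2     # demonstrated, details and tooling not public
    CHILD = 3    # PoC public, first reports of real use
    TEEN = 4     # working exploits public, low complexity
    ADULT = 5    # cheap commodity tooling, breaches in the press


class PeerStatus(IntEnum):
    """Benchmarking indicators: how far peers have got with countermeasures."""
    NONE = 0
    DISCUSSING = 1
    ASSESSING_IMPACT = 2
    DESIGNING = 3
    IMPLEMENTING = 4
    COMPLETED = 5


@dataclass
class Internal:
    """Internal indicators observed in our own landscape."""
    potentially_vulnerable_assets: bool = False  # affected systems, contractors, etc.
    exposed_or_critical: bool = False            # reachable from outside, or business-critical
    unpatchable: bool = False                    # no vendor fix, or it cannot be installed
    ioc_hits: bool = False                       # IoC / YARA / AV / IDS hits for this threat
    anti_apt_late_stage: bool = False            # anti-APT alert in the late stages of an attack


@dataclass
class Assessment:
    stage: Stage
    confirmations: int          # 0..3 indicator families agreeing the threat is real
    relevant: bool
    action: str
    rationale: list = field(default_factory=list)


ACTIONS = {
    Stage.NONE: "no action; keep monitoring sources",
    Stage.EMBRYO: "track the research; inventory assets that could be affected",
    Stage.BABY: "assess business impact on exposed and business-critical assets",
    Stage.CHILD: "write detections from the PoC (IoCs, YARA); design countermeasures",
    Stage.TEEN: "implement countermeasures now: patch or mitigate, tune IDS and AV",
    Stage.ADULT: "verify countermeasures are complete; treat any hit as an incident",
}


def assess(external: Stage, internal: Internal, peers: PeerStatus,
           press_hype: bool = False) -> Assessment:
    """Combine the three indicator families into a stage estimate and an action."""
    rationale = [f"external maturity: {external.name}"]
    stage = external  # external indicators set the baseline stage

    # The benchmarking ladder maps one-to-one onto the stages, so peers who are
    # ahead of the external picture raise our estimate (they may know more).
    if Stage(int(peers)) > stage:
        stage = Stage(int(peers))
        rationale.append(f"raised to {stage.name}: peers are {peers.name}")

    # Hits in our own network mean the threat is being used, i.e. at least CHILD.
    if (internal.ioc_hits or internal.anti_apt_late_stage) and stage < Stage.CHILD:
        stage = Stage.CHILD
        rationale.append("raised to CHILD: the threat is already active in our network")

    confirmations = sum([
        external >= Stage.CHILD,                             # real activity outside
        internal.ioc_hits or internal.anti_apt_late_stage,   # activity in our network
        peers >= PeerStatus.DESIGNING,                       # peers are spending on it
    ])

    if not internal.potentially_vulnerable_assets:
        return Assessment(stage, confirmations, False,
                          "not relevant: no affected assets in our landscape", rationale)

    if press_hype and confirmations == 0:
        # Loud press coverage with no external, internal or peer confirmation.
        action = "press noise: unconfirmed by any indicator family, keep watching"
    elif stage == Stage.BABY and not internal.exposed_or_critical:
        action = "low priority: affected assets are neither exposed nor critical"
    else:
        action = ACTIONS[stage]
        if stage >= Stage.TEEN and internal.unpatchable:
            action += "; no fix available, so rely on compensating controls"
    return Assessment(stage, confirmations, True, action, rationale)


if __name__ == "__main__":
    # Constructed sample: public PoC, no fix yet, peers already designing countermeasures.
    obs = Internal(potentially_vulnerable_assets=True, exposed_or_critical=True, unpatchable=True)
    print(assess(Stage.CHILD, obs, PeerStatus.DESIGNING))
```

The rationale list is kept on purpose: when the assessment is presented to the business, the question is always "why this stage now", and recording which family raised the estimate is what makes the hypothesis reviewable later.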



In the next part we describe how to implement the threat intel framework.
Cyberlands.io Team