How do organizations across the United States perform cyber intelligence? A new report from the Software Engineering Institute (SEI) reveals what we’re getting right, where we could improve, and what the future looks like.
In 2018, researchers at the Carnegie Mellon University SEI set out to answer those questions. In a study commissioned by the U.S. Office of the Director of National Intelligence, we conducted in-person interviews with 32 organizations across sectors including commercial facilities, the defense industrial base, financial services, government facilities, healthcare and public health, information technology, and transportation systems. The study report was published in May 2019 and is available for download at https://resources.sei.cmu.edu/asset_files/EducationalMaterial/2019_011_001_546590.pdf.
We based our interviews on the Cyber Intelligence Framework, which we developed during a prior study in 2013. The framework is rooted in the U.S. government’s traditional intelligence cycle and provides a structure for cyber intelligence efforts. We asked organizations about their practices related to each component of the framework:
- Environmental Context: understanding your organization inside and out
- Data Gathering: collecting the right information
- Threat Analysis: assessing technical telemetry and non-technical data pertaining to specific threats to your organization
- Strategic Analysis: holistically assessing threats, risks, and opportunities to organizational vital interests
- Reporting and Feedback: communicating with teams and decision makers
- Human and Machine Teaming: human analysts working effectively with technology to conduct all aspects of cyber intelligence
In analyzing interviewee responses, we identified a number of best practices that can help organizations of all sizes and levels of capability improve their performance:
- Understand the difference between cybersecurity and cyber intelligence
- Establish and follow a defined and repeatable cyber intelligence workflow
- Conduct crown jewel identification exercises
- Leverage NIST NICE SP 800-181 to build your cyber intelligence team
- Create a fusion center
- Establish consistent intelligence requirements and data validation processes
- Use SOAR technologies
- Perform strategic analysis to holistically assess threats, emerging technologies, and geopolitics that may impact the organization and/or provide opportunities for the organization today and in the future
- Have consumers of cyber intelligence reports, especially leadership, provide active feedback to the cyber intelligence team on content, format, and new requirements
- Obtain more compute power and have machine learning engineers, data scientists, and cyber intelligence analysts proactively collaborate to extract intelligence out of data
For more best practices, including actionable steps that can help your organization improve its performance, read the full report at https://resources.sei.cmu.edu/asset_files/EducationalMaterial/2019_011_001_546590.pdf.
During the RH-ISAC’s July Cyber Thursday on July 25, 2019, study lead Jared Ettinger, machine learning research scientist Ritwik Gupta, and cybersecurity engineer Geoff Dobson will provide insights from the report and practical recommendations for implementing machine learning and cyber threat frameworks for cyber intelligence. This webinar is open to all RH-ISAC Core members and to retail and hospitality cybersecurity practitioners eligible for membership. Email [email protected] for registration information.
About the SEI
The Software Engineering Institute is a federally funded research and development center (FFRDC) that works with defense and government organizations, industry, and academia to advance the state of the art in software engineering and cybersecurity to benefit the public interest. Part of Carnegie Mellon University, the SEI is a national resource in pioneering emerging technologies, cybersecurity, software acquisition, and software lifecycle assurance.
Copyright 2019 Carnegie Mellon University. All Rights Reserved. This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The views, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works.
External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
* These restrictions do not apply to U.S. government entities.
Carnegie Mellon® is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. DM19-0676