Cyber threat intelligence (CTI) requirements guide not only what intel is collected, but also how it is analyzed and used by incident response (IR), the SOC analyst and the business alike.
Developing a good set of requirements helps the organization:
- Monitor the right threat actors
- Collect the most useful intel
- Prepare intelligence in the right format and level of detail for the consumer
- Avoid wasting time and costs on collecting and disseminating trivial data
The organizational mission has always framed the scope of intel requirement determinations, and the same is true for the business environment and its related risks. We all know how risk tolerance varies within organizations. Risk impact, measured in costs to operations and revenue and including the attack surface that provides access to those business functions, also fluctuates, sometimes with great disparity. This “variance” changes over time, depending upon many business factors internal and external to the company. Accordingly, a cyber threat analyst must move beyond the traditional IR and SOC environment and also consider the collection of “essential elements” from the perspective of key business drivers and operations.
This broader view alters the workflow from one of identifying “threat concerns – collecting requirements” to one that also identifies business risks, the attack surface to key systems, the application of security controls and compliance frameworks, and the organization’s financial commitment to maintain an identified and measurable “security operating picture.” While many seasoned cyber threat analysts may already take this type of approach when determining “intel requirements,” I am adding emphasis here to ensure the discovery of any variable that may evolve the traditional intel collection framework into a broader and more holistic methodology. This expanded methodology is also the start of the integration of cyber threat intelligence with business intelligence. It allows for more strategic design and application of security investments as “countermeasures” in an effort to “buy down” risk to the business. This approach also acknowledges that physical and cyber “attack vectors” continue to merge and can no longer be efficiently addressed from separate company silos such as “cyber threat intelligence,” “risk assessment” and “business intelligence.”
So what does an intel collection process look like?
Intel 471 breaks the approach down into identifying “essential elements” and “intel consumers,” which is applicable to a business-oriented environment. Essential elements define the who, what, when, where and how of the specific threat information that is collected. Intel consumers are those who act on those essential elements and make key business decisions based on them. A phased approach looks like this:
Step 1. Compile production requirements:
- Identify internal intel consumers
- Determine their key decision points and frequency (daily, weekly, monthly)
- Agree on production deliverables and expectations (scope, format, level of analysis)
Step 2. Compile intelligence requirements:
- Select and rank intel requirements that align with the production requirements identified in Step 1
Step 3. Create an intelligence collection plan:
- Prioritize collections based upon available resources, data sources and collection constraints
- Task CTI with specific areas of responsibility
- Revise Collection Plan regularly
Step 4. Produce intelligence:
- Leverage data sources to satisfy Collection Plan
- Answer each essential element for each threat
- Identify collection gaps when sources are not available
- Compile and disseminate to identified consumers
Step 5. Track progress and assess feedback:
- Consider feedback part of the delivery process
- Consistently assess research gaps
- Revise production and communication requirements
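To make the five-step process concrete, here is an added example (not from the article or from Intel 471) that models Steps 1 through 4 in Python: consumers with their decision cadence, requirements aligned to those consumers, sources tasked per essential element, and the collection gaps that come out of Step 4 as input to Step 5. The cadence weighting, the sample consumers, requirements and sources are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed weighting: intel that feeds more frequent decisions ranks higher.
CADENCE_WEIGHT = {"daily": 3, "weekly": 2, "monthly": 1}

@dataclass
class Consumer:            # Step 1: who makes the decision, and how often
    name: str
    cadence: str

@dataclass
class Requirement:         # Step 2: a question the intel must answer
    rid: str
    question: str
    consumers: list        # names of the consumers whose decisions it feeds
    elements: set          # essential elements needed: who/what/when/where/how

@dataclass
class Source:              # Step 3: a data source and the elements it can answer
    name: str
    covers: set
    available: bool = True

def rank_requirements(reqs, consumers):
    """Step 2: rank requirements by the decision cadence of the consumers they serve."""
    weight = {c.name: CADENCE_WEIGHT[c.cadence] for c in consumers}
    return sorted(reqs, key=lambda r: sum(weight.get(n, 0) for n in r.consumers), reverse=True)

def build_plan(reqs, sources):
    """Steps 3-4: task available sources per requirement; elements no source answers are gaps."""
    plan, gaps = {}, {}
    for r in reqs:
        tasked = [s for s in sources if s.available and s.covers & r.elements]
        covered = set().union(*(s.covers for s in tasked)) if tasked else set()
        plan[r.rid] = [s.name for s in tasked]
        if r.elements - covered:
            gaps[r.rid] = r.elements - covered   # Step 4: collection gap to raise in Step 5
    return plan, gaps

# Constructed sample inputs (hypothetical consumers, requirements and sources).
CONSUMERS = [Consumer("SOC lead", "daily"), Consumer("CISO", "monthly"), Consumer("CFO", "monthly")]
REQUIREMENTS = [
    Requirement("IR-1", "Which actors target our payment platform?", ["CISO", "CFO"], {"who", "what"}),
    Requirement("IR-2", "What exposed services do actors scan first?", ["SOC lead"], {"what", "where", "how"}),
]
SOURCES = [Source("dark-web feed", {"who", "what"}), Source("external scan data", {"where"}),
           Source("malware sandbox", {"how"}, available=False)]

def run():
    """Returns the ranked requirement ids, the tasking plan, and the collection gaps."""
    ranked = rank_requirements(REQUIREMENTS, CONSUMERS)
    plan, gaps = build_plan(ranked, SOURCES)
    return [r.rid for r in ranked], plan, gaps
```

With the sample data, the daily SOC requirement outranks the monthly executive one, and the unavailable sandbox leaves the “how” element of IR-2 as a documented gap rather than a silent omission.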
The business itself is an essential part of the battlefield for the cyber threat analyst. It requires new skills in communication, the correlation of disparate data, and an awareness of business impact as a priority. It also represents a new, leadership-oriented role for the threat analyst. Let’s not forget, the reason we collect intel is so that our organizations can make better business decisions. Defining intel collection requirements with the business in mind provides additional context that guides the collection of key information not just for IR or SOC analysts, but also for investment strategies in security, risk management and the business.