The Need for Cyber Threat Intelligence: What Are We Concerned About?

This is one of a series of posts addressing key threats to the retail sector in an attempt to identify which information assets and systems must be protected, and to examine the value of identifying adversaries and intelligence consumers.

Today, the most serious data breaches and disruptions result from well-planned, complex attacks that target specific companies or industries. Sophisticated, well-funded attackers make detection difficult by:

  • Utilizing social engineering techniques and multiphase campaigns that cannot be identified by simple threat indicators or blocked by frontline defenses.
  • Constantly adapting their tools, tactics and procedures to evade even advanced cybersecurity measures.

They have also raised the stakes by systematically targeting their victims’ most valuable information assets and business systems.

While most cyber threat intelligence (CTI) focuses on knowledge about adversaries (their motivations, intentions and methods), that knowledge only becomes “intelligence” when it is aligned to key business risks and to the threats and threat vectors that target those risks. Once those threats are known, we can begin strategically applying countermeasures to reduce that risk and use the same analysis to drive cyber security investment strategies.

By identifying top threat concerns and threat vectors, we can then guide not only what intelligence is best collected, but also how it is analyzed and used. What intel should be collected is often captured as “intel requirements.” How it is analyzed and used informs the content and structure of CTI teams and technologies—and how that intelligence is communicated to the right people, at the right frequency and in the right format.

RH-ISAC Survey Research

Early this year, we conducted a sample survey to identify what our members consider to be the top threats they are facing. While we had good information regarding the type of intel posted and shared among our members, we wanted to see if the intel posted aligned to perceived key threats. Additionally, we wanted to look for threat vectors where multiple threats could be addressed, and whether strategic countermeasures and security controls could be applied. And, not surprisingly, this is what we discovered: the top threat concerns are phishing, credential takeover and advanced persistent threat (APT). The top threat vector is email, as is evident in the intel that our members share.

So, what does this mean for CISOs and their teams?

From an intelligence perspective, this data helps member organizations collect the most useful intel, monitor the right threat actors, prepare intelligence in the right format and level of detail for each intelligence consumer, and avoid wasting time and money collecting and disseminating trivial data.

From a security perspective, it helps member organizations align detection and protection systems, security controls and investment strategies for those risks that matter most to each organization.

With the top threat concerns identified, organizations can further focus their collection efforts by defining key requirements for that intel, including the key individuals who would benefit from consuming it. Our next post will address intel requirements and why it’s important to start any intel program by first identifying them.
