Cyber Threat Intelligence (CTI) Management: Now More Than Ever

I heard some alarming new statistics from IBM security this week. With COVID-19 as a backdrop, cyber-attacks are up 14,000% led by a spike in ransomware. IBM also revealed a 6000% increase in spam, as hackers social-engineer nervous users with fictitious coronavirus news and miracle cures. Other firms like DomainTools, FireEye, and Palo Alto Networks have reported similar data. Yikes!

Of course, an explosion of cyber-attacks around COVID-19 comes as no surprise to cybersecurity professionals. Whether it’s flooding in Houston, fires in California, or earthquakes in South America, cybercriminals have perfected their ability to make an illegal buck on human misery. Global pandemic? Great news for online bad guys – the world population is a potential target.

Fortunately, cyber-defenders have a way to fight back. How? As Sun Tzu said, “if you know your enemy and know yourself, you need not fear the results of a hundred battles.” From a simple cybersecurity perspective, this means comparing the latest and greatest CTI with what’s happening on your organization’s network looking for malicious files, behaviors, and network traffic.

Yeah, I know, this is an obvious conclusion, but many organizations continue to do so at a very basic level like:

1. Leaning on security technology vendors. Part of being an endpoint or network security vendor is keeping up with attack patterns, developing countermeasures, and sharing them with customers. Okay, but this is a first line of defense and nothing more.
2. Equating threat intelligence with indicators of compromise (IoCs). Cyber-adversaries use websites, IP addresses, and files within their attacks. Threat intelligence researchers watch for this activity and report the malicious things they find as IoCs. Blocking malicious IoCs is useful, but it’s a baby step.
3. Paying for, but hardly using threat intelligence feeds. I’m always surprised that sophisticated organizations spend hundreds of thousands of dollars for commercial threat feeds with the attitude that when it comes to CTI, more is always better. They then use homegrown tools for CTI management or feed IoCs into their SIEM but perform little further analysis. How is this strategy worthwhile?

How should security professionals manage CTI? Based on my experience, leading organizations:

• Operationalize CTI programmatically. There are really two things you do with CTI: Operationalize and analyze it. Operationalization is the process of using threat intelligence information to fine-tune security controls in real time. Yes, security technology vendors can help here but leading organizations centralize all cyber threat intelligence, compare different feeds, and then create runbooks to turn malicious IoCs into blocking rules on firewalls, web gateways, endpoints, email security filters, etc. Many organizations use SOAR tools (i.e., Fortinet CyberSponse, IBM Resilient, PAN XSOAR, Splunk Phantom, etc.) to help automate this process. 
• Analyze, analyze, analyze. Leading organizations analyze everything – open source threat feeds, commercial threat feeds, blogs, social media posts, dark web chatter, etc. Beyond IoCs, these organizations want to understand who is attacking them and the tactics, techniques, and procedures (TTPs) they are using. This intelligence is collected, processed, analyzed for real-time threats. and then stored for future use. Analysis tends to be very focused on adversaries and campaigns that pose a direct risk to the organization. Strong CTI programs are formalized, documented, and process-driven, requiring purpose-built threat intelligence platforms from vendors like Anomali, RecordedFuture, ThreatConnect, and ThreatQuotient. These systems are extremely useful for managing massive CTI volumes, CTI analysis, comparing threat intelligence to internal behavior, hunting, and even have SOAR-like capabilities for threat remediation.
• When it comes to threat intelligence, sharing is caring. Leading organizations participate in industry ISACs and local communities as CTI providers and consumers. Additionally, I’ve never met a threat analyst who doesn’t have a strong personal network they regularly communicate with on an informal basis. Oh, and part of collaboration is knowing when you need help. This may involve a call to an ex-NSA buddy, a birds-of-a-feather session at Defcon, a University event, or a services engagement with a leading CTI service provider. 
• Something that seemed totally benign 6 months ago may be a needle in the proverbial haystack today. When new malicious campaigns arise, threat analysts poke around security telemetry to see if they missed something. Threat hunting can require maintaining historical security data records – one reason why we are seeing proliferation of security data lakes built on the ELK stack or commercial offerings like Google Chronicle. 

A solid threat intelligence program isn’t easy and it’s incredibly hard to find good talent. Maybe so, but I can’t overstate its important. As Sun Tzu might say, if you focus on internal security data and minimize threat intelligence analysis, you only see half the battlefield. CISOs should take an honest look at their capabilities and outsource CTI analysis and threat hunting if they don’t have the chops themselves.

A few final thoughts:

1. CTI programs should include diligent use of the MITRE ATT&CK framework.
2. Threat intelligence programs should also cover things like reputational risk, typosquatting, dark web chatter, etc. Service providers like Digital Shadows, Flashpoint, and GroupSense can help.
3. Organizations with a small number of full- or part-time security professionals may want to explore whether a threat intelligence gateway (TIG) can help bridge their skills gap. Some TIG vendors are really white glove CTI analysis services. TIG vendors include Bandura Networks and Centripetal Networks. 
4. Threat intelligence analysis should always be tightly coupled with risk assessment, asking the question: “Are we vulnerable to this type of attack?” This is where continuous automated penetration and attack testing (CAPAT) can help from vendors like AttackIQ, CyCognito, Pcysys, and Randori.
5. Deception technology is also applicable here and plays a duel role of threat intelligence sensor and attack decoy. Vendors here include Attivo, Illusive Networks, GuardiCore, Smokescreen, and TopSpin. 

There is little we can do medically about COVID-19 today, but we certainly can better defend our digital assets. To do so, we better get to know the enemy at a much more intimate level.