How To Build a Cyber Threat Intelligence Program
Importance Of Measuring The Program’s Impact
Threat intelligence is a nascent industry, and enterprise adoption will continue, but for these programs to really pack a punch, a cyber intelligence team must know what the measurable goals and business outcomes should be.
Otherwise, “a threat intelligence team can dissolve into producing a daily report or a weekly report that doesn't necessarily have a significant impact on business decisions,’’ according to Levi Gundert vice president of intelligence and risk at Recorded Future, who was the guest on Monday’s night’s episode of Task Force 7, with host George Rettas, the president and CEO of Task Force 7 Radio and Task Force 7 Technologies.
There are some organizations that can't get buy-in from senior-level decision makers on what the business cares about. “And if you don't have that buy-in, then you're setting up the threat intelligence team for failure,’’ said Gundert, who previously worked in both the government and private sectors.
“Where a lot of organizations are having success is [in] applying threat intelligence across their existing security function and stack,’’ he said. “So they're using threat intelligence as a force multiplier … to turbocharge those functions.”
Threat intelligence is also valuable for small and medium sized businesses, Gundert added, because teams can measure how they're improving security controls.
“When you're able to measure it, then you're able to communicate it and that's a much more powerful value proposition for the business,’’ he said. “If you're going to build that threat intelligence team, you have to be invested at the top of the organization and really setting the intelligence requirements. And if you can do that, you can be successful.”
The program began with Rettas asking Gundert for his definition of threat intelligence, which Gundert said is the ability to understand, explore and increase awareness of the adversary space.
Rettas observed that threat intelligence teams must be familiar with an adversary's tactics, techniques and procedures (TTPs), but Gundert said often, senior executives “don't really care who is behind the attack, what we care about is identifying the security control gap and remediating [it].”
This is a short-sighted approach because attribution is important, he said. “Motivation informs methodology, and if you don't understand the motivation behind the attack, then it's going to be a lot more difficult, really, to address the security control gaps,’’ he said.
While you don't necessarily have to work on attribution down to an attacker’s name and address, Gundert said it's helpful to have a general idea of the adversary’s country, motivation and ideology. “That really does help you when you're looking at predicting future attacks and you're looking at your security controls through that lens.”
The Elements of a Cyber Threat Intelligence Program
Rettas asked Gundert if he thinks organizations are spending money in the wrong places when they invest in cyber threat intelligence (CTI) models. Gundert said that can be the case if they spend a lot of money to build a program and the only deliverable is reports. While that is a good thing, “there's nothing coming out of that.”
If there is nothing measurable being done to improve security, he added, “that's a very dangerous position to be in. I think there's some enterprises that have jumped head-long into threat intelligence and building out a team without … first really understanding what it is they want to achieve with that program.”
In response to a follow-up question from Rettas about the right way to approach to building intelligence-led processes and programs, Gundert said the first thing to do is make sure you have buy-in on the requirements.
Senior leadership has to be able to say, “These are the 10 intelligence requirements we have, and we expect that these will change with some frequency," whether quarterly, semi-annually or annually, he said.
The cyber threat intelligence team should also be measuring operational security improvement, he said, and thinking through the types of data, people and skills that will be needed.
There's a lot of different types of threat intelligence data, Gundert said, and teams need to determine what the goals are, what data will be used, and the tools and the people and the skills that the organization will need to achieve that.
The Language of Risk
The second segment began with a discussion of how a CISO should measure the efficacy of a CTI program. Gundert said there is no silver bullet answer yet and CISOs are “struggling with what the right metrics are” for their particular industry.
If the CTI team knows what the business’s intelligence requirements are, however, they will have a pretty good baseline to determine whether they are “hitting the bullseye,” he said.
Rettas asked why Gundert thinks cybersecurity teams have difficulty measuring risk from cyber threats?
“I think we tend to confuse the term threat and risk,’’ he replied. In a business context, there is “upside risk,” where a CTI team may miss an opportunity. “But in our world, we care about the downside risk,’’ Gundert said, which is about whether a business will lose money and if so, how much? “That's all the business cares about,” he noted.
At the board level, leaders may not speak the language of technology or security, he said, but they understand the language of risk. “I think we all, as an industry, have to get better at speaking the language of risk and being able to assess risk, because most of the threats that we see on a daily basis, they're not actually a risk to the business.”
Being able to measure and assess risk is important, because there is a tendency sometimes to be reactive, Gundert said. CTI teams must move from a threat reactive model to a risk-centered approach -- and that goes for the entire security program, he said.
“And compliance frameworks are great tools, but if that's the end goal of the program, you're in trouble, because there's gaps in the compliance frameworks; they don't update as quickly as they should to map to the threat landscape,’’ Gundert added.
It’s one thing to implement a firewall, but you may not configure it properly, he explained. You may have been able to check the box that says you have firewalls, but that is not fulfilling the spirit of the compliance requirement.
A lot of cyber risk programs tend monetize the risk, Retttas observed, and he asked Gundert about the efficacy of doing this.
Gundert said it’s a “very worthwhile goal,” but you have to make sure not to “put garbage in,” or you will “get garbage out.” Otherwise, the people making management decisions are making bad decisions because of bad risk analysis data.
He mentioned a book he read by Douglas Hubbard a couple years ago called “How to Measure Anything in Cybersecurity Risk.” Gundert called the book “a game changer” and “a seminal read for everyone in our industry.” Hubbard lays out a threat category risk framework or TCR and makes the case that people are “really bad at estimating things.’’ He said the tendency is to go directly to a value, like 30%, for likelihood of occurrence, when in fact, it's better to start with a range.
Even if the cybersecurity group doesn't want to take the results of the model to the rest of the organization, they need to have a conversation about whether their existing approach still makes sense. “Just because you've been doing something a certain way for a long period of time doesn't mean it's the right way to do it’’ still, he explained.
If the business is not going to lose money from a threat or threat category, then a CTI team shouldn't be investing their time and resources on those problems. “You really should be focusing on areas where you're going to lose money.”
That, he said, is “a radical paradigm shift in the minds of a lot of security professionals,” but they should at least to try it out and say, ‘Let's try to quantify risk. Let's talk about the model, let's talk about the variables, let's talk about the assumptions and make everything transparent internally and let's just have conversations about it.’ And that's just a place to start.”
The conversation then shifted to where Recorded Future is focusing its efforts and resources in 2019. Gundert said they will remain focused on “the big four,” meaning China, North Korea, Russia and Iran, as well as Eastern Europe and China, and plans on moving into South America next year as well, he said.
As he asks most of his guests, Rettas asked Gundert to address the security skills shortage and what kind of skills the company is looking for.
Gundert said he looks for people with what he called “the three Cs:” curious, creative and communicative. If a person has those skills, the rest can be developed, he said.
He also looks to build a team and culture of respect. “Sometimes it's easy in the security industry to develop an ego, especially when you're a researcher, you're publishing things, and I think one of the things that we're really careful about is making sure that egos are always in check.” He said he subscribes to the philosophy of Timothy Geithner, the former treasury secretary under President Barak Obama, which is “no jerks, no whiners, no peacocks.”
Where A CTI Team Should Fit, Organizationally
In the show’s third segment, the two discussed the organizational construct of a threat intelligence team. Gundert said that while there are a lot of ways to build a threat intelligence team, he finds they work well when they're embedded into the incident response team because it is an existing function. That should create less friction, he said.
But sometimes, problems arise because “people feel threatened about their job and their function and their role within the security group and they don't want to play well with the new kid on the block,’’ he added. When that happens, the CTI team gets “sidled off” because even though their mandate is to “supercharge all these other functions, nobody wants to work with them.”
For people interested in the cybersecurity field, Gundert recommended attending meetings like of organizations like OWASP, where you can meet people in your area in the field.
“Anything that you can do online to just show your interest and some of the things that you learned, whether that's starting a blog or just putting things out on your social media, that helps to demonstrate your desire, your interest and passion in this field,’’ Gundert said. “There's a lot of good certifications and security courses out there, but just networking … is one of the best things you can do.”
The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.
To listen to this and past episodes, click here.