Intelligence isn’t just for spies and soldiers – participants in the global cyber war are increasingly targeting private enterprises as well as government agencies. That means you’re on the front line!
If your business can improve its ability to generate, use and learn from real cyber threat intelligence, it can seriously supercharge its ability to defend against acts of cyber terror. So, in this article, we’re going to introduce you to what’s called the cyber threat intelligence lifecycle. This process-flow charts each step the world’s intelligence experts go through to gain their information, and then what they do with that information
As you read, ask yourself: “Are we doing these steps? Are we taking these precautions? Are we learning what we need to learn?” Gaps in this process could be gaps in your defense.
Activities of the threat intelligence team:
Step 1: Strategy & Direction
The goal: To put in place a realistic plan of action and set appropriate expectations for what is to follow.
Setting appropriate goals and establishing clear direction can help your people understand what is required of them during the intelligence lifecycle, and it also lets you show higher-level leaders (i.e. the board) what you intend to do, how much it will cost and why it’s necessary. Additionally, some of the steps in this stage will be vital foundational work that we’ll use later on in the process to prioritize action items.
Key strategic activities
- Set goals: Identify what you intend to achieve by the end of this process. What does the ‘result’ look like?
- Connect threat intelligence actions to business objectives: Ensure all goals and action steps will help the organization’s higher-level strategic goals.
- Prioritize the requirements and desired outcome: if there are multiple requirements or desired outcomes, which must be done first?
- Agree on methodology: What tools will the team use, how will they operate, what process will everyone follow?
- Create an asset register: This is a list of all the physical, digital and informational assets owned by your company, plus who’s in charge of each one.
- Identify risk level of each asset: Determine the criticality of each asset to the business, and therefore the risk to the business should that asset fail or suffer a compromise.
Quick tip for strategy & direction
Don’t do this all on your own.
Working in your own little bubble may mean you miss out on key information that only someone who handles a particular asset, or does a particular job, could possibly know. Involve stakeholders from across business units, from leadership down to key staff. They will give you that on-the-ground knowledge – the unknown unknowns – that will prove vital later. Additionally, talk in plain language as much as possible, as you may be talking to a non-technical audience. Focus on business impacts and consequences using terms relevant to someone’s role.
Step 2: Collection
The goal: This is the reconnaissance phase. Data collection is all about finding out what data your threat intelligence team must collect to get its information, and then gathering that information to learn what threats might lurk on the horizon.
At this stage of the intelligence flow, you’ll keep your reconnaissance quite high level. It’s not about investigating the nitty-gritties of your system for vulnerabilities, but finding out what the common attack vectors are more broadly, which hacker groups are active right now, who’s being targeted, which software is being exploited, and then where your business may be vulnerable. Your people will also look at sources such as forums and social media to find out what’s being discussed and shared, in case it helps.
Key data collection activities
- Map out what data to collect: What data sources must your business be able to monitor in order to spot someone trying to breach the system?
- Gather information with intelligence tools: Using tools such as MITRE ATT&CK and OWASP Top Ten, discover the common attack vectors, attack groups, mitigations, and so forth.
- Collect evidence: Compile a dossier of the threats that most pertain to your business, and list out the different ways you are most likely to be attacked (and, explicitly, how that attack might take place).
Learn more: The world’s most common cyber attack vectors
Quick tip for data collecting
Embed the use of MITRE ATT&CK into your threat monitoring processes.
MITRE ATT&CK is a free-to-use taxonomy of common attack groups, attack vectors, data sources and mitigations. It also comes with a tool (MITRE ATT&CK Navigator) you can use to actually plot and annotate the threats which are most relevant to your business. Using this free tool, you will be able to clearly communicate the exact nature of a threat and respond with greater insight, using standardized language. Eventually, you’ll be able to use the same information to proactively defend your business.
Learn more: What is the purpose of MITRE ATT&CK?
Step 3: Processing
The goal: Take all of that raw data and make it usable.
As your team scours the web for information, they’ll be collecting a considerable amount of disparate data that is chaotic and difficult to analyze. There will be duplicate entries, encrypted data, messy data, data in the wrong language, unstructured data, and more. The next step is to process all of that information into organized, structured charts, spreadsheets, catalogs, dashboards … whatever it takes to be able to compare apples with apples. This is vital for Step 4 to be able to take place.
Key data processing activities
There are two methods typically used here:
The use of artificial intelligence (AI) or complex algorithms to autonomously classify pertinent data and create alerts to warn you if your company’s credentials are leaked. This will involve structuring, decrypting and translating data, then parsing it, reducing it, filtering, correlating and aggregating.
Manual analysis of the data by a group of security experts with appropriate understanding of the data collection plan, requirements of the business, analytical strategy, and the types of data being reviewed. This group’s goal is to determine what’s relevant to the organization.
Quick tip for data processing
How do you choose between an automated or manual analysis?
Realistically, it will be your security or data experts who make recommendations here based on your individual business needs (including time/urgency, budget, resources and risk). Manual analysis tends to be more flexible, but can be a lot slower than an automated analysis.
Step 4: Analysis
The goal: To filter through all of the processed data and compile it into usable reports.
But that’s not the end of the analysis phase. After sorting through the information and contextualizing it to your business, your threat intelligence team will then start to turn the data into action items – applying what they’ve learned to the needs of your business to figure out what problems will need to be tackled first, and how those problems should be tackled.
By the end of this phase, you should have a clear list of changes that need to take place in order to shore up the organization’s defenses. Some of these will be optimizations of existing security controls, some of them may require new investments.
Key data analysis activities
- Contextualize threats to your business: How do specific threats apply to your particular sector, or type of systems?
- Use qualitative and quantitative analysis to calculate impact and likelihood: Seek to understand the likelihood of a particular threat, and the impact it might have on the business.
- Prioritize cyber threats: Using likelihood and impact, group your threats by priority – those with the highest likelihood and biggest impact will naturally be the threats to tackle first.
- Identify existing data sources: Which data sources can your organization already monitor?
- Identify required new data sources: Which data sources will your organization need to add new tools or change processes to begin to monitor?
- Identify existing security controls/mitigations: What existing security controls are already sufficient, or just need to be optimized?
- Identify required new security controls/mitigations: What new investments must you make? Bearing in mind new tools may require new staff expertise, so you must factor hiring and/or training into the budget.
Quick tip for data analysis
Know your cyber risk appetite.
Your business’s risk appetite is the amount of risk it’s willing to take on as a part of day-to-day operations. In a world where budgets are limited and you just can’t deal with every little threat, a well thought out risk appetite helps you know what you can accept and what you can’t – another way to prioritize threats.
Learn more: How to define your cyber risk appetite
Step 5: Dissemination
The goal: At this stage, while your intelligence team has been gathering information collaboratively, its findings will have so far been produced in a bubble – no one else will have seen them yet. Now the team must leave their bubble to ensure all relevant parties get the action items and intelligence briefings they need.
Your team will need to present its findings and action items to the board, as well as any other relevant stakeholders. While it may not be able to present every finding (this could be quite overwhelming, and overly technical), it can prioritize items and focus on the big problems to ensure that top priorities are discussed first.
Key dissemination activities
- Communicate information to relevant stakeholders: Prepare briefing documents, presentations or workshops – whichever will work best for each team.
- Determine next steps: Work with key stakeholders to determine what should happen next – what are the available courses of action, where are the opportunities for improvement, what are your limitations?
Quick tip for disseminating information
As we mentioned in Step 1, talk as much as you can in plain language.
Remove technical jargon for any audience which won’t understand it. Translate your work. Your job here isn’t to look smart and qualified, but to ensure that the right people in the business fully understand the threats it faces, and their place in mitigating those threats. Ensure you understand each stakeholder’s role, and disseminate the specific information that will help them make better-informed decisions for that role.
Step 6: Feedback & Learnings
The goal: Learn from what has been achieved so far, so that it can be done more effectively next time.
This is like organizing a customer survey, but for internal stakeholders – who are, in essence, the customers of your threat intelligence team (in some circles they’re literally called ‘intelligence consumers’). You must evaluate your processes, tools used and strategies deployed, as well as the usefulness of your intelligence. Some of the feedback other stakeholders can provide includes:
- Whether their priorities have changed, and if you met those priorities.
- Whether the report was useful to them.
- Changes to the frequency with which they want to receive these reports.
It’s also recommended that your threat intel people self-evaluate, to determine what they found effective or ineffective with regards to their own internal processes. This phase of the threat intelligence lifecycle then feeds back into Step 1 and begins again, while action items are passed down to other teams to start their own tasks (see below).
Key feedback & learning activities
- Send out surveys: These can be a quick and engaging way to generate feedback on the usefulness of your intelligence.
- Determine learnings: What can you do better next time, how can you work more effectively as a team?
Quick tip for getting good feedback
You don’t have to wait until Step 6 to get useful feedback.
Consider sending out monthly or quarterly surveys to get continuous feedback, or hold regular meetings between threat intelligence leaders and the board. Both of these will help you generate feedback in a bit more real time, so you can deploy the learnings straight away and improve as you go.
Further activities for security, fraud or related teams:
Step 7: Action
The goal: Put into practice the action items delivered via the threat intelligence lifecycle.
The above-six steps will have generated a list of vulnerabilities that must be acted upon, and action items that will help improve those issues. Now the ‘stakeholders’ we mentioned before must start their part of the broader cyber security improvement process. This will involve mainly cyber security and anti-fraud personnel, but other departments may be required (cyber security is a whole-of-organization problem to solve).
Common action items
The specific steps of these action items will vary based on the required actions to be taken, and the team taking said actions. That said, if looked at broadly, they are quite self explanatory:
- Optimize existing processes
- Deploy new security controls and mitigations
- Updated security training for non-security staff
Quick tip for actioning threat intel recommendations
View this as a long-term process of continuous change, not a one-off project.
This is not a process with a definitive end point. While you will have defined earlier what a ‘result’ will look like, the reality is that by the time you get to this stage and evolve your business the technology landscape will have moved forwards a bit further, requiring you to evolve in kind and define a new ‘result’. It’s easier to view it as a process of agile, continuous change, so you get in the right mindset. That’s why this is a lifecycle, not just a flow chart; the final steps flow back into the first steps to ensure you keep moving with the times. Ultimately, the value of your threat intelligence program is to help senior leadership make better-informed decisions about security-related risks. As these risks always change, you are here to help everyone keep up.
Step 8: Feedback & Learnings
The goal: As above, but now for your intelligence consumers.
Your teams will learn more as they proceed through their list of action items. They might find certain processes don’t work very efficiently, they have the wrong tools, they lack certain skills, the reports they received didn’t include the information they ended up requiring … the list goes on. Stakeholder teams don’t need to wait for threat intelligence feedback surveys in order to provide learnings. If something has been learned, it should be written down and passed to the relevant people.
A key question to ask at this stage:
Did the extracted intelligence provided by the threat intelligence lifecycle meet the end requirements of the consumers?
And now it all starts again!
Need help? We can manage this process for you
At dig8ital, we’re experts in creating flexible cyber security programs at even very large or complex organizations. Our team can embed within your own to learn what makes your company tick, see how your people work, so that we can tailor a solution that is fit for your purposes.
Want to learn more? Contact us for a free maturity consultation and we’ll discuss what your organization needs.