This post is the third in the series, "The 12 Days of HaXmas."
“Get the biggest aluminum threat feed you can find, Charlie Brown, maybe painted pink.”
It has been a few years now since the term “cyber threat intelligence” entered the mainstream, and since then it has exploded into a variety of products, all claiming to have the biggest, the best, the shiniest, most aluminum-est threat feed, report, or platform. Much of the advertising and media surrounding threat intelligence capitalizes on fear and uncertainty: “you must have threat intelligence or there is a 100% chance you will get hit by OMG-APT-Cyber-Poodle-Heartbleed.” It feeds off of executives' desire to avoid being the next story in the news about how a breach could have been prevented if only they had employed the latest threat intelligence from company XYZ.
Buy, buy, buy. More, more, more.
Good grief! It can really bring a poor threat analyst down during the holidays.
Amidst the commercialization and fear and the threat-intel-buying frenzy, it is easy to overlook the true meaning of threat intelligence.
Threat intelligence exists to help us make decisions about how to best protect assets with limited time, money, and personnel. Knowing what is likely to affect you - how, why, what to look for, and what you can do about it - and then taking actions to mitigate those threats is what threat intelligence is all about.
Threat intelligence doesn't have to be about buying something shiny and expensive. For those of you who haven't seen A Charlie Brown Christmas (and seriously, go watch it when you are done reading this) when the other kids saw Charlie Brown's Christmas Tree - small, made of actual wood, losing a few needles here and there, and definitely NOT painted pink - they laughed and questioned his ability to do anything right. But that tree turned out to be exactly what they needed to refocus their school play and their mindsets to what they were actually supposed to be celebrating.
Likewise, many organizations have more at their disposal than they know, but because it doesn't look like what marketing says threat intelligence should, it is often scoffed at and overlooked. Business priorities, asset management, log data, lessons learned from a partner's (or their own!) breaches or incidents, reports of phishing emails that come in from employees, open source news feeds, blogs, and non-commercial reports are all things that can be used as the foundation for a threat intelligence program.
Many companies are eager to purchase some variety of threat intelligence while overlooking the wealth of information they currently have at their disposal. That information is priceless, but like Charlie Brown's Christmas tree, it just needs a little love.
If Charlie Brown were in infosec, he would understand that the true meaning of threat intelligence is to identify and respond to threats in order to change outcomes. Charlie Brown Threat Intelligence is about looking past the commercialization bombarding us and learning what we can do with what we have, because truly that is the very best place to start.
How to make the most of Charlie Brown Threat Intelligence:
Understand business priorities: It is impossible to protect your business or your information from threats if you don't actually know what you are protecting. What are the systems, assets, or information critical to meeting business objectives? Analyzing business priorities is something that all companies can do for themselves and it is the first step in utilizing threat intelligence.
Identify what you can change, and what you can't: Threat intelligence is about identifying threats in order to change outcomes. Outcomes do not change themselves; this means that some sort of action must be taken. Focusing time and effort on something that you can't change will waste time and resources. However, if you are unable to change something that you think is critical to the security of your organization, you can use threat intelligence to build the business case for making the change while still making strides towards changing what you can now.
Keep an eye on the news: Maintaining an awareness of what is going on in the news can help you stay ahead of threats. Sure, if they are in the news they are not always the late-breaking, cutting-edge threats, but that doesn't mean they won't still hit you...or haven't already. Likewise, you are in the best position to know whether something in the news has the potential to affect your organization and how serious the impact would be. Use that knowledge to start planning how to detect and respond to that threat in your environment.
Training: I am a firm believer that trained personnel are critical to an organization's ability to protect itself. Your platform or your threat feed is useless without someone to implement it and interpret the results. It's not just threat analysts who are supporting threat intelligence: IT, SOC, IR, every employee who touches your network can learn how to identify and better respond to threats. We said that threat intelligence needs a little love, and these are the people who are going to be providing the care and feeding it needs to thrive. Invest in your people.
Identify your gaps and find something that meets your needs: There is definitely a place for threat intelligence services in the equation, but it comes after a good hard look at your objectives, what you have, what you still need, and what you can realistically implement and support.
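To make the list above concrete, here is an added example (not code from the original post or its author) of Charlie Brown Threat Intelligence in practice: it combines three things most organizations already hold, an asset inventory with business criticality (understand business priorities), a handful of indicators lifted from a public report or news item (keep an eye on the news), and outbound proxy logs you already collect (log data), and ranks the matches by what matters to the business. Every host name, domain, IP, timestamp and the log format itself is constructed for the example; the default criticality given to hosts missing from the inventory is an assumption, not a recommendation.

```python
"""Prioritise public indicators against logs you already have.

Added example, not part of the original post. All data below is constructed:
hosts, owners, domains (.invalid), IPs (documentation ranges) and timestamps.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# (1) Asset inventory: host -> (business owner, criticality 1..5). Constructed sample.
ASSETS = {
    "fin-db-01": ("finance", 5),
    "hr-ws-17": ("hr", 3),
    "kiosk-lobby": ("facilities", 1),
}

# Assumed default for hosts that are not in the inventory (unknown owner, low-mid priority).
UNKNOWN_ASSET = ("unknown", 2)

# (2) Indicators as they might be copied out of a public report. Constructed placeholders.
INDICATORS = {
    "domain": {"updates-example-bad.invalid", "cdn-example-bad.invalid"},
    "ip": {"203.0.113.45"},
}

# (3) Proxy log lines in a simple "ts host dst_ip dst_host bytes" format. Constructed.
PROXY_LOG = """\
2015-12-27T08:01:12Z fin-db-01 203.0.113.45 updates-example-bad.invalid 512
2015-12-27T08:02:40Z hr-ws-17 198.51.100.9 example.com 2048
2015-12-27T08:05:03Z kiosk-lobby 203.0.113.45 cdn-example-bad.invalid 128
2015-12-27T08:06:11Z fin-db-01 192.0.2.10 intranet.example 4096
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<ip>\S+) (?P<dst>\S+) (?P<bytes>\d+)$"
)


@dataclass
class Finding:
    host: str
    owner: str
    criticality: int
    matched: str
    ts: str


def parse_line(line):
    """Return the fields of one log line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_indicators(log_text, indicators=INDICATORS, assets=ASSETS):
    """Find log lines whose destination domain or IP appears in the indicator set."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the whole run
        hit = None
        if rec["dst"] in indicators["domain"]:
            hit = rec["dst"]
        elif rec["ip"] in indicators["ip"]:
            hit = rec["ip"]
        if hit is None:
            continue
        owner, crit = assets.get(rec["host"], UNKNOWN_ASSET)
        findings.append(Finding(rec["host"], owner, crit, hit, rec["ts"]))
    return findings


def prioritise(findings):
    """Highest business criticality first, then earliest observation."""
    return sorted(findings, key=lambda f: (-f.criticality, f.ts))


def summarise(findings):
    """Count findings per business owner, for the conversation with that owner."""
    by_owner = defaultdict(int)
    for f in findings:
        by_owner[f.owner] += 1
    return dict(by_owner)


if __name__ == "__main__":
    hits = match_indicators(PROXY_LOG)
    for f in prioritise(hits):
        print(f"[{f.criticality}] {f.host} ({f.owner}) -> {f.matched} at {f.ts}")
    print(summarise(hits))
```

The point of ranking by criticality rather than by indicator is the "understand business priorities" step: the same indicator seen from the finance database and from a lobby kiosk deserves very different responses, and the inventory you already maintain is what tells you which is which.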
You may not need the shiniest, most expensive threat intelligence product to make your program successful; in fact, most organizations don't. What they need to remember is the true meaning of threat intelligence: assess their own needs, capabilities, and priorities, and start taking steps to better understand and respond to the threats facing them.