September 2, 2020 • The Recorded Future Team
Editor’s Note: Over the past several weeks, we’ve shared excerpts from the second edition of our popular book, “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program.” Here, we’re looking at the final chapter, Chapter 13, “Your Threat Intelligence Journey.” To read the entire chapter, download your free copy of the handbook.
Throughout our blog series on “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program,” we’ve explored how security intelligence empowers every team across a security organization to make better, faster decisions and amplify their impact. As our series comes to a close, there’s one final, yet critical, topic to examine: how to organize your core security intelligence team itself.
Michael Jordan once said, “Talent wins games, but teamwork and intelligence win championships.” And he’s absolutely right.
There’s no debate that machines process and categorize raw data exponentially faster than humans. On the flip side, humans are uniquely able to perform intuitive, big-picture analysis that machines will never be able to achieve. That’s why the most effective security intelligence programs combine the best of both worlds: a team of talented individuals with extensive experience and technical knowledge, bolstered by automated processes that eliminate manual, time-consuming tasks and empower people to focus on rewarding, high-impact work. When people and machines are paired, each works smarter — saving time and money, reducing human burnout, and improving security overall.
So, how do you go about drafting your dream team of human security intelligence champions? Consider the upcoming Olympic Games as a model. Every country sends an elite team of athletes to compete in events. These teams of Olympians comprise a broader unit that represents their people and their country as one. This is the same way you should view your ultimate security intelligence program. It’s not enough to just pick individuals for your all-star lineup. You have to consider how each individual will work together, play on each other’s strengths, and contribute to the collective outcome.
As more and more organizations embrace intelligence as a critical security function, many are choosing to place a dedicated security intelligence team within the larger organizational structure of their security team. However, these specialized groups remain part of a larger coalition focused on a common goal: reducing risk and protecting the organization from emerging attacks.
In this final chapter, which has been edited and condensed for clarity, we outline the processes, people, and technology that make up a dedicated security intelligence capability. We also explore how these teams use intelligence not just to judge risk, but also to drive business decisions. Finally, we review ways to engage with intelligence communities for maximum impact.
In previous chapters of “The Threat Intelligence Handbook,” we’ve looked at how to integrate threat intelligence capabilities within your already existing security processes. Having reached the final chapter, we now make a few suggestions about how to organize your core threat intelligence team itself.
Now that we’re exploring how to create a team specifically committed to threat intelligence, it’s helpful to outline their differentiated responsibilities. Threat intelligence analysts will generally take on the following tasks:
- Identify current and future information security threats to the business’s strategic assets
- Answer the “who, how, and why” for any given attack
- Dissect attack tactics, techniques, and procedures (TTPs)
- Evaluate attacker TTP relevance and impact in the business context
- Identify opportunities to make high-level security architecture changes that will hinder an adversary’s specific TTPs
The best threat intelligence programs involve strategic analysis centered around talented human resources who are supported by automated processes that take care of tedious tasks like processing data. This human-machine pairing is called the centaur model, which was originally theorized by chess legend Garry Kasparov. He made this argument a few years ago: “Weak human plus machine plus better process was superior to a strong computer alone and, more remarkable, superior to a strong human plus machine plus inferior process.”
One thing the centaur model highlights is how different groups working together and playing to their strengths will often succeed over individual groups that may be stronger pound for pound but can’t make a unified effort. This same lesson also extends to the question of where to place a threat intelligence team within the larger organizational structure of a security team — the right answer is often to be a specialized group, but one that remains part of a larger coalition.
In this chapter from our new book, “The Threat Intelligence Handbook,” which has been edited and condensed for clarity, we’ll explore in greater depth what that group should look like.
Dedicated, but Not Necessarily Separate
You can start your threat intelligence journey with people who continue to play other roles on different teams in the organization. At this point, two questions will arise:
- Should there be a dedicated threat intelligence team?
- Should it be independent, or can it live inside another cybersecurity group?
The answers are: yes, and it depends.
A Dedicated Team Is Best
As you develop a comprehensive threat intelligence program, you should build a team dedicated to collecting and analyzing threat data and turning it into intelligence. The sole focus of this team should be to provide relevant and actionable intelligence to key stakeholders, including senior executives and members of the board.
Dedication and a broad perspective are needed to ensure team members dedicate enough time to collecting, processing, analyzing, and disseminating intelligence that provides the greatest value to the enterprise as a whole, rather than yielding to the temptation to focus on the intelligence needs of one group or another.
Its Location Depends on Your Organization
Organizational independence, as shown in the image below, has its advantages, such as greater autonomy and prestige.
However, these advantages can be completely offset by the jealousies and political issues caused by creating a team with a new high-level manager and its own budget that pulls budding threat intelligence analysts out of their existing groups.
A dedicated threat intelligence team does not necessarily need to be a separate function reporting directly to a VP or the CISO. It can belong to a group that already works with threat intelligence. In many cases, this will be the incident response group. This savvy approach can avoid conflict with entrenched security teams.
Picking the People
If you take a gradual approach to building your core threat intelligence team, start with individuals who are already in the cybersecurity organization and are applying threat intelligence to their particular areas of security. They may not have the title “threat intelligence analyst” or see themselves that way at first, but they can form the backbone of your emerging threat intelligence capability.
We have emphasized that the threat intelligence function exists to strengthen other teams in the cybersecurity organization so they can better protect a specific enterprise. It is therefore critical that the threat intelligence team include people who understand the core business, operational workflows, network infrastructure, risk profiles, and supply chain, as well as the technical infrastructure and software applications of the entire enterprise.
As the threat intelligence team matures, you’ll want to add members with the following skills:
- Correlating external data with internal telemetry
- Providing threat situational awareness and recommendations for security controls
- Proactively hunting internal threats, including insider threats
- Educating employees and customers on cyber threats
- Engaging with the wider threat intelligence community
- Identifying and managing information sources
Collecting and Enriching Threat Data
We talked a little about sources of threat data in Chapter 1. Here, we explore how a threat intelligence team can work with a range of sources to ensure accuracy and relevance.
The Human Edge
Threat intelligence vendors can provide some types of strategic intelligence, but you can also develop in-house capabilities to gather information about the topics and events most relevant to your enterprise.
For example, you could develop an internal web crawler that analyzes the web page code of the top 5,000 web destinations visited by your employees. This analysis might provide insights into the potential for drive-by download attacks. You could share the insights with the security architecture team to help them propose controls that defend against those attacks. This kind of threat intelligence generates concrete data, which is much more useful than anecdotes, conjecture, and generic statistics about attacks.
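To make the crawler idea concrete, here is an added example (it is not code from the handbook or from Recorded Future) of the analysis step such a crawler would run on each fetched page. It scores page code for features long associated with drive-by download risk: script loaded from hosts other than the page's own, iframes that are sized to zero or hidden with CSS, and inline scripts that lean on `eval`/`unescape`/`document.write` together with hex or `%u` escape sequences. The two sample pages, the host names, and the weights in the score are all constructed for illustration, so the script runs offline; a real deployment would feed it the HTML captured from the top destinations in your proxy logs.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructs commonly seen in obfuscated landing-page scripts (illustrative list).
OBFUSCATION_RE = re.compile(
    r"\b(?:eval|unescape|document\.write)\s*\(|\\x[0-9a-fA-F]{2}|%u[0-9a-fA-F]{4}")


class PageFeatureParser(HTMLParser):
    """Collects third-party script hosts, hidden iframes and inline script bodies."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.third_party_hosts = set()
        self.hidden_iframes = 0
        self.inline_scripts = []
        self._script_buf = None  # a list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            if src:
                host = urlparse(src).hostname
                if host and host != self.page_host:
                    self.third_party_hosts.add(host)
            else:
                self._script_buf = []
        elif tag == "iframe":
            style = (attrs.get("style") or "").replace(" ", "").lower()
            tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            if tiny or "display:none" in style or "visibility:hidden" in style:
                self.hidden_iframes += 1

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.inline_scripts.append("".join(self._script_buf))
            self._script_buf = None


def analyze_page(url, html):
    """Return the extracted features plus a simple weighted risk score for one page."""
    parser = PageFeatureParser(urlparse(url).hostname)
    parser.feed(html)
    parser.close()
    # An inline script counts as obfuscated when at least two patterns co-occur.
    obfuscated = sum(1 for s in parser.inline_scripts if len(OBFUSCATION_RE.findall(s)) >= 2)
    third_party = sorted(parser.third_party_hosts)
    score = 3 * parser.hidden_iframes + 2 * obfuscated + min(len(third_party), 3)
    return {"url": url, "hidden_iframes": parser.hidden_iframes,
            "obfuscated_scripts": obfuscated, "third_party_hosts": third_party,
            "score": score}


def rank_pages(pages):
    """Analyze a {url: html} mapping and return results sorted by descending score."""
    return sorted((analyze_page(u, h) for u, h in pages.items()),
                  key=lambda r: -r["score"])


# Constructed sample pages standing in for crawler output.
SAMPLE_PAGES = {
    "https://intranet.example/": (
        '<html><body><script src="/app.js"></script>'
        '<script>document.getElementById("x").textContent = "hi";</script>'
        '</body></html>'),
    "https://news.example/": (
        '<html><body><script src="https://cdn.partner.example/lib.js"></script>'
        '<iframe src="http://unknown.example/x" width="0" height="0"></iframe>'
        '<script>var p="%u9090%u9090"; eval(unescape(p));</script>'
        '</body></html>'),
}

if __name__ == "__main__":
    for result in rank_pages(SAMPLE_PAGES):
        print(result)
```

The output is a ranked list of features per page rather than a verdict; the value for the security architecture team is in the aggregate (how many top destinations load script from how many third-party hosts, how often hidden iframes appear), which is the concrete data the paragraph contrasts with anecdote.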
Proprietary sources that can strengthen your threat intelligence resources include:
An automated threat intelligence solution enables the threat intelligence team to centralize, combine, and enrich data from multiple sources before the data is ingested by other security systems or viewed by human analysts on security operations teams.
The image below shows the elements of an automated threat intelligence solution. In this process, information from a threat intelligence vendor is filtered to find data that is important to the enterprise and specific cybersecurity teams. Then, it is enriched by data from internal threat intelligence sources and output in formats appropriate for targets such as SIEMs and incident response systems. This automated translation of data into relevant insights is the very essence of threat intelligence.
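The filter, enrich and output stages described above, together with the "correlating external data with internal telemetry" skill listed earlier, can be shown as one small pipeline. The following is an added example, not code from the handbook or from any vendor's product: a constructed vendor feed is filtered by risk score, correlated against constructed proxy/firewall telemetry so that only indicators actually seen inside the enterprise survive, enriched with asset criticality from a constructed inventory, and rendered as CEF lines (the ArcSight Common Event Format) that a SIEM can ingest. The addresses are RFC 5737 documentation ranges, the host names and threshold are invented, and the CEF vendor/product fields are placeholders.

```python
from collections import defaultdict

# Constructed vendor feed: indicator, type, vendor risk score (0-100), tags.
VENDOR_FEED = [
    {"indicator": "203.0.113.7", "type": "ipv4", "risk": 90, "tags": ["c2"]},
    {"indicator": "198.51.100.9", "type": "ipv4", "risk": 40, "tags": ["scanner"]},
    {"indicator": "bad.example", "type": "domain", "risk": 85, "tags": ["phishing"]},
    {"indicator": "192.0.2.1", "type": "ipv4", "risk": 95, "tags": ["c2"]},
]

# Constructed internal telemetry in a proxy/firewall style: timestamp then key=value pairs.
TELEMETRY = [
    "2020-09-01T10:00:00Z src=ws-017 dst=203.0.113.7 action=allow",
    "2020-09-01T10:05:00Z src=db-01 dst=203.0.113.7 action=allow",
    "2020-09-01T11:00:00Z src=ws-022 dst=bad.example action=block",
    "2020-09-01T11:30:00Z src=ws-017 dst=192.0.2.250 action=allow",
    "2020-09-01T12:00:00Z src=ws-030 dst=198.51.100.9 action=allow",
]

# Constructed asset inventory; hosts not listed are treated as "standard".
ASSET_CRITICALITY = {"db-01": "critical", "ws-017": "standard"}


def parse_telemetry(lines):
    """Turn 'timestamp k=v k=v ...' lines into dicts carrying a 'ts' key."""
    events = []
    for line in lines:
        ts, *pairs = line.split()
        event = {"ts": ts}
        for pair in pairs:
            key, _, value = pair.partition("=")
            event[key] = value
        events.append(event)
    return events


def filter_feed(feed, min_risk=60):
    """Stage 1: keep only indicators the vendor rates at or above min_risk."""
    return [ioc for ioc in feed if ioc["risk"] >= min_risk]


def correlate(indicators, events):
    """Stage 2: attach internal sightings; indicators never seen internally are dropped."""
    seen = defaultdict(list)
    for ev in events:
        seen[ev.get("dst")].append(ev)
    records = []
    for ioc in indicators:
        hits = seen.get(ioc["indicator"])
        if not hits:
            continue
        records.append({**ioc, "count": len(hits),
                        "assets": sorted({h["src"] for h in hits}),
                        "first_seen": min(h["ts"] for h in hits),
                        "last_seen": max(h["ts"] for h in hits)})
    return records


def enrich(record, asset_criticality):
    """Stage 3: add asset context and derive a 0-10 severity from vendor risk plus criticality."""
    levels = {asset_criticality.get(a, "standard") for a in record["assets"]}
    record["critical_asset"] = "critical" in levels
    record["severity"] = 10 if record["critical_asset"] else min(record["risk"] // 10, 9)
    return record


def _cef_ext(value):
    # CEF extension values escape backslash and '=' only.
    return str(value).replace("\\", "\\\\").replace("=", "\\=")


def to_cef(record):
    """Stage 4: render one CEF line for SIEM ingestion."""
    fields = [("dst", record["indicator"]), ("cnt", record["count"]),
              ("start", record["first_seen"]), ("end", record["last_seen"]),
              ("cs1Label", "assets"), ("cs1", ",".join(record["assets"])),
              ("cs2Label", "tags"), ("cs2", ",".join(record["tags"]))]
    ext = " ".join(f"{k}={_cef_ext(v)}" for k, v in fields)
    return (f"CEF:0|AddedExample|TIPipeline|1.0|ioc-sighting|"
            f"Indicator seen in internal telemetry|{record['severity']}|{ext}")


def run_pipeline(feed, telemetry_lines, asset_criticality, min_risk=60):
    """Filter -> correlate -> enrich -> format, highest severity first."""
    records = correlate(filter_feed(feed, min_risk), parse_telemetry(telemetry_lines))
    records = [enrich(r, asset_criticality) for r in records]
    records.sort(key=lambda r: (-r["severity"], r["indicator"]))
    return [to_cef(r) for r in records]


if __name__ == "__main__":
    for line in run_pipeline(VENDOR_FEED, TELEMETRY, ASSET_CRITICALITY):
        print(line)
```

Of the four vendor indicators, one is dropped for low risk even though it was seen, one is dropped because nothing internal ever touched it, and the two that remain are ranked by the asset context rather than by the vendor score alone, which is the filtering and enrichment the paragraph describes.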
The Role of Intelligent Machines
Advances in machine learning and natural language processing (NLP) can bring additional advantages to the threat intelligence team. With the right technology, references to threats from all sources can be rendered language-neutral, so they can be analyzed by humans and machines regardless of the original language used. We’ve reached the point where artificial intelligence (AI) components have successfully learned the language of threats and can accurately identify “malicious” terms.
The combination of machine learning, NLP, and AI offers huge opportunities for organizations to leverage threat intelligence. Not only can these technologies remove language barriers, but they also can reduce analyst workloads by taking on many tasks related to data collection and correlation. When combined with the power to consider multiple data and information sources concurrently to produce genuine threat intelligence, these capabilities make it far easier to build a comprehensible map of the threat landscape.
Engaging With Threat Intelligence Communities
Threat intelligence cannot flourish in a vacuum. External relationships are the lifeblood of successful threat intelligence teams. No matter how advanced your team might be, no single group can be as smart individually as the threat intelligence world as a whole.
Many threat intelligence communities allow individual enterprises to share relevant and timely attack data so they can protect themselves before they are victimized. Engaging with trusted communities such as ISACs is crucial for decreasing risk, not just for your individual enterprise, but also for the entire industry and the cybersecurity world at large. Participation requires time and resources — for example, to communicate with peers via email and to attend security conferences — but relationship building must be a priority in order for threat intelligence to be successful.
Get ‘The Threat Intelligence Handbook’
The full chapter of the book also details the four different types of threat intelligence — strategic, tactical, operational, and technical — and provides scenarios for how you would use them. In addition, the rest of the book includes chapters on the many different use cases for threat intelligence, including incident response, vulnerability management, digital fraud protection, and more. It’s an essential guide to all things threat intelligence, so download your free copy of “The Threat Intelligence Handbook” today.