With its acronym-rich vernacular, inherited from the military tradition, and a host of commercial solutions inaccessible to broader teams, cyber threat intelligence (CTI) succeeded in establishing itself as a discipline, but has ended up isolated and siloed. CTI teams often struggle to demonstrate measurable impact, focusing on “bad actors” and tactical intelligence, rather than addressing the broader risks.
In this blog post, we will explore why CTI teams should go beyond the realm of “bad actors” and instead learn from organisational risks to deliver actionable insights, improve their effectiveness and contribute to overall risk reduction.
CTI as a tool for risk-reduction
One of the primary reasons why CTI teams struggle to show impact is an industry-wide misunderstanding of who the primary audience of threat intelligence is. Typically, threat intelligence is considered too high-level, too strategic, or “non-actionable”. Downstreaming some IOCs into a SIEM or sending some IOCs to a SOC in an email might feel as if something is being actioned. The truth is that it is not actionable at all unless you are certain that there is someone on the other end waiting for these IOCs like their lives depend on it. While IOCs are interesting, they are not the primary use case for CTI analysts.
Instead, the products of CTI teams should serve as a sense check for decision-makers, enabling them to evaluate current operations, potential business acquisitions, partners, or expansion plans, that is, to support risk reduction across the business. The specific contribution of CTI is answering whether it is safe to be in a particular engagement. This is a component of the larger question of whether it is financially beneficial to be doing this. That larger question is for the executive risk owners to answer. But if the CTI product does not factor into that decision-making, then CTI is not being done right.
Understanding risk as a CTI analyst
To effectively contribute to risk reduction, CTI analysts must have a thorough understanding of risk. Risks are not synonymous with situations such as seeing a ransomware message on your screen or finding a bad guy discussing access to your systems on the dark web. Risks are pathways through which threats lead to negative impacts. Risks have effects on objectives. Being over budget, delays, reputational damage, injuries – these are not risks, these are the impact classes on which risks are scored. If interruption to business continuity is the undesired impact, loss of system access is one possible risk, and ransomware threats are one possible cause. By focusing on risks, CTI analysts can identify the causes and take action to mitigate them, thereby reducing the overall impact.
Building threat intelligence into risk management
With risk-enabled analysts, CTI can revitalise the much slower risk management cycle. Guided by intelligence requirements set up in coordination with relevant risk teams, CTI analysts are capable of independently navigating the quickly iterating intelligence cycle on a daily basis. They are able to effectively escalate the threats that pose the greatest risk to the organisation and match those risks to relevant stakeholders. This process will inevitably generate feedback from the analysts, while their deliverables will leave an impression on the risk owners. The two cycles will meet at the planning & direction and monitor & review stages to make the adjustments to their respective governing requirements or controls. By incorporating this accumulated intelligence into risk management controls, analysts and stakeholders can discover deviations from what they already knew about their risks. This in turn demonstrates the impact CTI teams can have on risk reduction.
Asking risk-oriented questions
Knowing the bad actor is incredibly helpful. It contributes to understanding the threat, which helps to address a specific risk, but only if the links between those elements are derived from reality. When asking risk-orientated questions, CTI teams need to expand their focus beyond bad actors and gather information about risks inherent to their business, industry and geography. Collaboration with other intelligence teams reporting on geopolitical influences, as well as office and travel security, can also provide a more holistic view of relevant threats and risks. Conversations with stakeholders will also set expectations for the scope of analyst research. Analysts may even be surprised to find that those expectations are much broader than anticipated, and may involve collaborating with more teams, or tackling questions of geopolitics for which they are unprepared.
Going beyond bad actors might therefore leave CTI teams scrambling for the necessary tools and capabilities to collect, process and analyse information related to attacker capabilities, vulnerabilities, digital risk, geopolitical factors, and reputational risks, as well as industry and third-party threat landscapes. That shouldn’t be seen as a drawback – it’s better to match the team’s capabilities to the risks they will be addressing, rather than trying to convince stakeholders of the value in new tools championed solely by analysts themselves.
From risks to Priority Intelligence Requirements (PIRs) to use-cases
Stakeholder engagement should be approached in a structured manner, based on practical questions around key areas of vulnerability.
These questions can then be turned into PIRs, which serve as the foundation for addressing the inherent risks relevant to your business, including risks around data and system confidentiality, integrity, and access. PIRs should encompass the risks identified by relevant stakeholders, thereby establishing a clear link between risk and intelligence. This link should be highlighted in CTI reporting, allowing stakeholders to see the value and impact of CTI efforts in mitigating risks.
In summary, by expanding their focus from “bad actors” to risks, CTI teams can provide actionable insights for enhanced decision-making. By embracing risk management practices, collaborating with other relevant intelligence teams, and aligning their efforts with the needs of the business, CTI teams can solve complex problems and contribute to the overall risk reduction of the business.
To learn how you can apply this to your business, watch this webinar “Beyond Bad Actors: Building Risk-Orientated Workflows for Threat Intelligence Teams”.