Intelligence activities for defensive purposes have a long-standing history in the military and geopolitical context. Over time, the ways and means of collecting, transmitting, and analyzing information to produce intelligence have changed drastically, yet its importance has not waned. In cyberspace, the practice of cyber intelligence, more commonly referred to as cyber threat intelligence in the context of organizational cyber security, has become an integral part of many security teams. It helps shine a light on both the weaknesses of the organization and the threats posed by adversaries.
For organizations to gain the maximum benefit from cyber intelligence for their security, it is crucial to understand the challenges that stand in the way and to adopt best practices for tackling them. The Software Engineering Institute (SEI) at Carnegie Mellon University (CMU) conducted a study commissioned by the US Office of the Director of National Intelligence (ODNI) to analyze the state of cyber intelligence practices at various American organizations. The study also provides a comprehensive Cyber Intelligence Framework that covers the various aspects of the intelligence cycle, including Environmental Context, Data Gathering, Threat Analysis, Strategic Analysis, and Reporting and Feedback.
The report, titled “Cyber Intelligence Tradecraft Report”, provides several meaningful insights for organizations looking to improve their security performance. The study involved 32 organizations from a variety of sectors, which were interviewed to gather the insights. In this blog, we will look at the key findings from this study and how organizations can take advantage of them to improve their security posture.
The primary findings from the report include:
- There is a lack of a clear understanding of cyber intelligence and its role in organizational security. This leads to misplaced efforts and increased organizational vulnerability in the face of advanced threats.
- Organizations face difficulty in collating and analyzing the relevant data due to formation of information silos and lack of collaboration within the organization.
- There is a need for combining human intellect and machine capabilities to manage the vast amounts of data generated from various internal and external sources.
- To make the most out of Threat Intel, to detect advanced threat actors, and to provide an effective threat response, it is necessary for organizations to adopt security orchestration and automated response (SOAR) technologies. This also helps organizations save the time and resources wasted on manual tasks.
Let us take a look at how Cyware’s next-gen security solutions help organizations tackle the challenges pointed out in the report and adopt the best practices recommended by the researchers.
Acing Threat Intelligence with CTIX
- Difficulty accessing data - A major challenge for many small and big organizations is access to relevant information based on their organization, industry sector, location, assets, or other parameters. Without access to quality threat information, it is difficult for security analysts to pinpoint the most relevant threats in order to block them or provide remediation measures. Cyware Threat Intelligence eXchange (CTIX) is a unique bi-directional threat intelligence platform (TIP) that enables analysts to set up automated Intel collection from multiple internal and external sources, and to filter, enrich, and share the most relevant Threat Intel within their own trusted information sharing network using its advanced Rule Engine. Moreover, with CTIX’s Hub and Spoke model, organizations can leverage the relevant and actionable intelligence gained from the various members of their information sharing network.
- Lack of resources - In many cases, organizations lack people with the right skills or face a shortage of qualified people for various cyber intelligence roles. Moreover, a dependence on manual processes or outdated technologies for Intel collection, enrichment, processing, or analysis tends to eat up the valuable time of the limited workforce available to the organization. With the automated Intel ingestion, enrichment, processing, and analysis features in CTIX, analysts can save a lot of time and focus on investigating only the most relevant threats.
- Lack of leadership buy-in - A disconnect between cyber intelligence teams and the organization’s leadership can result in wasted resources or sub-par performance for the organization. Such a disconnect often arises from the limited visibility that decision makers have into cyber intelligence operations and the lack of avenues for providing their input. CTIX addresses this by providing a Multi-level Intel View for employees in various roles, giving them visibility into Intel operations and helping improve coordination between senior management and security teams for delivering an effective threat response. It also provides a Centralized Threat Dashboard for viewing customized confidence scores, factor-based prioritization of cyber threats, and detailed statistical metrics. With such features, CTIX ensures the inclusion of cyber intelligence in the organization’s strategic and tactical decision making.
Cyber Fusion Center with CFTR
Besides lacking the capabilities to conduct cyber intelligence, many organizations also lack a comprehensive view of their entire threat environment, which leads to ineffective threat detection and response. Moreover, security teams lose valuable time and resources on manual incident response processes, increasing the chances of damage to the organization. For these reasons, the researchers recommend setting up a fusion center to combine various security functions, enhance collaboration, and save resources.
- Know your critical assets - Cyware Fusion and Threat Response (CFTR) provides security teams with a bird’s eye view of the complete threat environment facing the organization. This includes all the assets owned and operated by the organization, the vulnerabilities and threats affecting them, and the intelligence gained from internal and external sources on those threats.
- Get rid of data silos - Due to the compartmentalization of the various teams in an organization, a lot of valuable and relevant data held by these teams remains unused. This results in extra effort to collect the necessary information and in the lack of a comprehensive view of all the information available to the organization.
- Prioritize threats - Without a complete picture of the threat environment, most organizations operate in a reactionary way when it comes to cybersecurity. However, with CFTR, organizations can prioritize threats based on threat actor potential, target exposure, and organizational impact, thereby moving towards a proactive approach to security.
- Create Threat Analysis & Response playbooks - Using security orchestration and automated response (SOAR) technologies, CFTR allows security teams to create playbooks that automate manual processes and trigger threat responses based on alerts received from other existing security solutions. This allows for a swift and effective response against advanced threats.
- Foster cross-functional collaboration - With the combination of various security functions in the cyber fusion center, CFTR boosts the collaboration across various teams and allows organizations to exploit the operational synergies across their workforce.
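To make the CTIX points above (automated collection from multiple sources, filtering through a rule engine, confidence scores, sharing within a trusted network) and the CFTR point on factor-based prioritization concrete, here is an added illustration in Python. It is not Cyware code and does not reflect how CTIX or CFTR are implemented; the feed entries, the per-source confidence weights, the organizational exposure table, the sector tag and the rules are all constructed assumptions. It merges overlapping indicators from two hypothetical feeds, combines their source confidence, keeps the most restrictive TLP marking, applies two rules (maximum age, minimum severity), and ranks what survives by severity, confidence, target exposure and organizational impact.

```python
"""Hypothetical threat-intel ingest, rule-filter and prioritization pipeline (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed per-source reliability weights; a real TIP would let analysts configure these.
SOURCE_CONFIDENCE = {"isac-feed": 0.9, "vendor-feed": 0.7}
# Assumed organizational context: exposure per indicator type (do we run controls that
# can act on it?) and the tag that marks our own sector, which raises impact.
ORG_EXPOSURE = {"domain": 1.0, "url": 1.0, "hash": 1.0, "ipv4": 0.8}
ORG_SECTOR_TAG = "finance-sector"
TLP_RANK = {"white": 0, "clear": 0, "green": 1, "amber": 2, "red": 3}

# Constructed sample feed entries (not real indicators); note the defanged domain and URL
# and the same domain reported by both feeds.
SAMPLE_FEED_ENTRIES = [
    {"source": "isac-feed", "type": "domain", "value": "Update-Portal[.]example", "severity": 4,
     "tlp": "amber", "first_seen": "2023-03-01T10:00:00Z", "tags": ["phishing", "finance-sector"]},
    {"source": "vendor-feed", "type": "domain", "value": "update-portal.example", "severity": 3,
     "tlp": "green", "first_seen": "2023-03-02T08:30:00Z", "tags": ["phishing"]},
    {"source": "vendor-feed", "type": "ipv4", "value": "203.0.113.7", "severity": 2,
     "tlp": "green", "first_seen": "2022-01-15T00:00:00Z", "tags": ["scanner"]},
    {"source": "isac-feed", "type": "hash", "severity": 5, "tlp": "red",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
     "first_seen": "2023-03-03T12:00:00Z", "tags": ["ransomware", "finance-sector"]},
    {"source": "vendor-feed", "type": "url", "value": "hxxp://evil[.]example/login", "severity": 3,
     "tlp": "green", "first_seen": "2023-03-05T09:00:00Z", "tags": ["credential-harvest"]},
]


@dataclass
class Indicator:
    itype: str
    value: str
    severity: int          # 1..5 as reported by the feed (max across feeds after merge)
    confidence: float      # combined source confidence, 0..1
    tlp: str
    first_seen: datetime
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)

    def priority(self) -> float:
        """Factor-based score: severity x confidence x target exposure x org impact."""
        impact = 1.5 if ORG_SECTOR_TAG in self.tags else 1.0
        return round(self.severity * self.confidence * ORG_EXPOSURE.get(self.itype, 0.5) * impact, 2)

    def shareable(self) -> bool:
        """Assumed sharing policy: anything below TLP:RED may go to the sharing network."""
        return self.tlp != "red"


def normalize(itype: str, value: str) -> str:
    """Refang defanged values and canonicalize case so duplicates collide on one key."""
    value = value.replace("[.]", ".").replace("hxxp", "http")
    if itype in ("domain", "hash", "ipv4"):
        value = value.lower()
    return value


def ingest(entries) -> list:
    """Merge feed entries into one Indicator per (type, normalized value)."""
    merged = {}
    for e in entries:
        key = (e["type"], normalize(e["type"], e["value"]))
        conf = SOURCE_CONFIDENCE.get(e["source"], 0.5)
        seen = datetime.fromisoformat(e["first_seen"].replace("Z", "+00:00"))
        ind = merged.get(key)
        if ind is None:
            merged[key] = Indicator(key[0], key[1], e["severity"], conf, e["tlp"], seen,
                                    {e["source"]}, set(e["tags"]))
            continue
        ind.severity = max(ind.severity, e["severity"])
        # Treat sources as independent: P(at least one is right).
        ind.confidence = 1 - (1 - ind.confidence) * (1 - conf)
        ind.tlp = max(ind.tlp, e["tlp"], key=TLP_RANK.__getitem__)  # most restrictive wins
        ind.first_seen = min(ind.first_seen, seen)
        ind.sources.add(e["source"])
        ind.tags |= set(e["tags"])
    return list(merged.values())


# Rule-engine analog: each rule is a predicate; an indicator must pass all of them.
def rule_max_age(days: int):
    return lambda ind, now: now - ind.first_seen <= timedelta(days=days)


def rule_min_severity(level: int):
    return lambda ind, now: ind.severity >= level


def run_pipeline(entries, now: datetime, rules=(rule_max_age(30), rule_min_severity(2))) -> list:
    """Ingest, filter by rules, and return indicators ranked by priority (highest first)."""
    kept = [i for i in ingest(entries) if all(rule(i, now) for rule in rules)]
    return sorted(kept, key=lambda i: i.priority(), reverse=True)


if __name__ == "__main__":
    now = datetime(2023, 3, 10, tzinfo=timezone.utc)
    for ind in run_pipeline(SAMPLE_FEED_ENTRIES, now):
        print(f"{ind.priority():5.2f}  {ind.itype:6} {ind.value[:40]:40} "
              f"conf={ind.confidence:.2f} tlp={ind.tlp} share={ind.shareable()} src={sorted(ind.sources)}")
```

On the constructed data, the stale scanner IP is dropped by the age rule, the phishing domain reported by both feeds is merged into one indicator with combined confidence 0.97 and TLP:AMBER, and the ranking comes out hash (6.75), domain (5.82), URL (2.10). The sharing decision is separate from the priority so that a high-priority TLP:RED item is acted on internally but never pushed to the network.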
The Final Word
With the increasing prevalence and impact of cyber threats, more and more organizations realize the need for a proactive approach to cybersecurity through the adoption of next-gen technologies and solutions. The researchers echo this sentiment; Jared Ettinger, the lead author of the study, says, “By understanding what’s working and what’s not working and looking at how to implement emerging technologies, we can help strengthen the practice of cyber intelligence across the country.”
Despite improvements in the adoption of emerging technologies for organizational security, there is a long way to go. However, the disruption under way in cyber intelligence, cyber fusion, and threat response will help organizations conquer the rising tide of cyber threats.