Abstract ... 3
About EclecticIQ ... 18
A Stakeholder-Centric approach to Building a Cyber Threat Intelligence (CTI) Practice
Abstract
This paper:
• Describes how a Cyber Threat Intelligence practice meets the need for stronger intelligence capabilities to counter cyber threats
• Explores the problem of “too much information” stemming from diverse sources of intelligence
The Emergence of CTI as a Practice
Leaders in Cyber Security are well aware of the need to bolster their defenses against
cyber threats. In a Forrester Research survey of decision-makers in technology
security for major organizations, 77 percent of respondents put a high or critical
priority on establishing/improving cyber threat intelligence (CTI) capabilities.1
Yet it’s not enough for technology leaders to handle cyber defenses on their own.
In the face of a new generation of virulent cyber threats, the old approach of
maintaining a “perimeter” defense is no longer viable.
Cyber defense has historically been considered a reactive business function, tasked
with responding to discrete indicators such as outdated software patches and
attempted intrusions. This approach is no longer sufficient. Emerging cyber threats
need to be handled with a cyber intelligence practice approach, rather than through
the security operations center (SOC) or incident response (IR) teams.
[Figure: three security functions compared. Threat Management: early adoption; focus on external threats; no best practices yet; no tools; threat content acquisition; prioritizing; workflow enablement. Security Operations: mainstream since 2005+; focus on internal security; detection; false positives. Incident Response: mainstream since 2010+; focus on incidents and risk escalation; contextual response.]
1) Forrester Research, “The State of the Cyberthreat Intelligence Market,” by Rick Holland, June 23, 2015
In the new threat environment, cyber defense is no longer something that can be
delegated to the IT department. Instead, business leaders have to cultivate a greater
awareness of cyber threats that exist within their own organizations, while ensuring
that they have access to resources needed to manage rapidly changing threat
exposures.
The new approach to cyber defense relies upon CTI as a separate and consultative
practice, built with processes, people and technology dedicated to continuous
improvement of cyber security within an organization. The CTI practice delivers an
adaptive approach to intelligence that provides continuous monitoring of business
processes through extensive collaboration between CTI and business units. Threat
analysts from a CTI practice, empowered with the best available cyber threat
information, work in consultation with managers to improve the security posture of a
wide range of stakeholders.
[Figure: the three tiers of a stakeholder-centric CTI practice. Defeat (tactical): tactical intelligence feeds Incident Response and Security Operations, with escalation to Incident Operations, LE Relations and Legal. Deter (operational): operational intelligence feeds Threat Management, Fraud Operations and Vulnerability Management. Prevent (strategic): strategic intelligence guides Executive Protection, Policy Management, Risk Management, Strategic Planning, Business Stakeholders and Compliancy.]
An intelligence practice:
CTI goes beyond the usual challenges faced by an intelligence practice due to several
unique and unprecedented aspects associated with cyber threats:
Cyber threats are highly virulent. A cyber attack has the ability to spread across
global networks at the speed of fiber-optic Internet traffic. Moreover, given the
extent to which critical systems have been placed under digital control, the potential
exposures to cyber threats are immense and increasing by the day. This is especially
pertinent to large and complex organizations, which tend to have more points of
interaction via electronic channels and present more attractive targets than smaller
and simpler organizations.
Cyber threats are constantly evolving. Attackers may have financial incentives to
steal customer data or funds; political incentives to induce changes in policy or
practice; commercial incentives to steal company information as a form of espionage;
or military incentives to cause damage to an opponent. All these threats have existed
in the past, but today cyber threats are global, simultaneous and immediate.
New actors have instant credibility as attackers. Due to the widespread proliferation
of knowledge about tools developed, campaigns initiated and attacks performed,
new attackers with new motives can attack new targets without necessarily having
sophisticated computer skills.
A CTI practice expands the functionality of a traditional intelligence practice to
encompass the unique challenges posed by the cyber threat.
The “Too Much Information” Problem
One of the main challenges threat analysts face is the overwhelming flood of
information about potential or present attacks. Due to the need to incorporate a
diverse set of repetitive data feeds, CTI analysts have to sift through data pools with
a low “signal-to-noise” ratio; that is, there’s way too much noise.
[Figure: sources of information converging on the threat analyst. External sources: Government (DS/CERT), OSINT, ISACs, commercial sources, private B2B sharing, and internally derived data. Internal security systems: WLAN, GW, SIM, IPS, FW, WAF, Email GW, DAM, NAV, Endpoint, Web GW, DLP.]
Commercial CTI feeds represent a major source of information, but it is often difficult
to fully assess their net intelligence value. Analysts have to assess the extent to
which each provider offers unique capabilities or access to information, and then
decide whether they have a role in consistently meeting the information needs of
stakeholders.
Internal processes, people and systems also yield a vast trove of potential
intelligence data. Server, connection and access logs are rich sources of data, and a
wide range of analytic techniques exist to detect and escalate warnings related to
unusual behavior. Depending on the industry, people and processes can also provide
actionable data for a CTI analyst.
• Security Operations Centers (SOCs) receive too many warning signals associated with threats, and are therefore unable to discern or respond to the most important threats.
• Business stakeholders remain largely unaware of the threat level before something happens, or they have only a vague sense of what happened.
• IT Architects make decisions about IT infrastructure that may be costly to retrofit with better security, relative to incorporating best practices from the start.
The High Cost of Manual Processes in Intelligence
CTI analysts have a difficult and demanding job. Among other things, they have to
determine the relevancy of incoming intelligence, discover new threats, and make
associations between known threats and new threats. All of these tasks are made
worse when burdened by painstakingly slow and inefficient manual processes.
Unlike other common labor-intensive tasks, it’s usually impractical to throw more
manpower at an intelligence problem. Analysts are a scarce resource, as it’s hard to
find, evaluate and train new personnel to perform tasks associated with cyber threat
intelligence. Accordingly, CTI practices are constrained by a limited talent pool with
limited capacity and throughput.
Analysts ultimately are responsible for meeting the needs of stakeholders by fully
exploiting the value of intelligence available to the organization. Repetitive manual
work wastes time that would be better spent ensuring that the right information gets
to the right people, in the right place and at the right time.
Also, given the potential for expanding the role of analysts within a consultative
CTI practice, overreliance on manual processes has further costs in terms of missed
opportunities for integration between intelligence and business functions.
Analysts need to keep up with best practices in the emerging field of CTI, and then
apply that learning to situations within the organization. They need to distribute
evaluations of threat data to concerned stakeholders through secure repositories,
and ensure that organizational processes are sufficiently protected given the threat
environment.
With these possibilities at hand, the cost of manual processes in intelligence goes
far beyond the direct cost of paying for the labor. A true accounting of the costs
has to take into account the opportunity costs associated with not having a CTI
practice, and not giving analysts the best chance to support the stakeholders of an
organization.
How to Establish a CTI Practice
Make room on the org chart. Although CTI is adjacent to and related to IT Security,
it should be considered as a distinct competency. As such, a CTI practice should
be given responsibility over its own clearly-defined processes, with appropriate
support in terms of staffing and technology. Also, CTI practices have to work with
several other existing organizational functions, including security operations, incident
operations, incident response, fraud operations and risk management. The lines of
reporting, communication and responsibility should be established well in advance.
Lock down IT capacity. While the CTI practice may not need to maintain its own IT
development team, it nevertheless needs to ensure the availability of IT resources
capable of architecting, planning and implementing standard CTI processes and
procedures, such as the acquisition of CTI feeds. Additionally, a CTI practice needs to
have ready access to a balanced, cross-functional team responsible for the roll-out of
any changes or security improvements to line-of-business systems.
Build a well-balanced core team. A CTI practice will include resources that cover the
following complementary skill sets:
• Change management
• Risk management
Manage the right collection of CTI feeds. CTI feeds, especially the commercially
available feeds, often require considerable investments in subscriptions and
technology. Ensure that your CTI practice has the ability to measure the expected
intelligence value of new CTI feeds, in terms of value to stakeholders. Only ramp up
your CTI feed investments when you clearly understand the impact.
Deliver stakeholder-focused CTI solutions. Creating business value from CTI relies
on a nuanced understanding of the information needs of the key stakeholders in
the organization. Even with the support of a CTI practice, it ultimately falls upon
the stakeholders to execute on a successful strategy of deterrence, defeat and
prevention. For a CTI practice to make a positive impact, the practice team has to
understand who the key stakeholders are, what questions they need answered, how
they prefer to consume intelligence and at what cadence.
• Incident Response (IR) and Operations teams require ad-hoc, bespoke intelligence related to tools, modus operandi, associated campaigns, actor intents and attributions, and forensic data on points of compromise.
• IT architects require up-to-date communications on key threats to common approaches to IT security, so as to ensure alignment between the configuration of IT infrastructure and the reality of ongoing cyber threats.
Cyber Threat Intelligence Relies on TIPs
When planning technology support for a CTI practice, ensure that your Threat
Intelligence Platform (TIP) supports the following core competencies:
Requirements:
• Compatibility with TAXII, FTP, Email, Web APIs, proprietary APIs and other transport mechanisms
• Compatibility with STIX, PDF, CSV, JSON, OpenIOC and other data formats
• Support for source ratings, with markings and indications of how information should be handled (e.g. Traffic Light Protocol)
Requirements:
• Entity de-duplication
• Entity whitelisting/blacklisting
3 Enrichment
Internal and external data sources can enrich CTI feeds with additional information,
allowing for further determinations of threat correlation and relevancy.
Requirements:
Requirements:
• Advanced search
• Triage workflow
5 Complex analysis
Empower the analyst with visualization tools and other powerful resources for core
analysis.
Requirements:
• Graph analysis
• Export functionalities
6 Threat register
Manage structured information about threats affecting the entire organization,
actively tracking present understanding and expected exposure.
Requirements:
• Case management
• Campaign management
• Topic management
• Concern management
• Stakeholder management
7 IOC management
Validate and track Indicators of Compromise (IOCs) and warning signals associated
with key concerns. Ensure analysts have granular control of the validity of IOCs and
warning signals, and use the resulting data to improve detection, prevention and
response capabilities.
Requirements:
• Support for alterations of IOCs and warning signals for integration into IT security controls
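To make the entity de-duplication and whitelisting requirements above and the IOC validity control described under 7 concrete, here is an added Python example (not EclecticIQ code): two constructed feeds in different formats are normalised, merged, stripped of whitelisted entities, tagged with the best source rating and strictest TLP marking, and an analyst revocation is honoured at export. The feed contents, the whitelist entry and the A-to-F rating scale are all assumptions.

```python
import csv
import io

# Constructed sample feeds (not real data): one already-parsed feed and one CSV feed.
FEED_A = [
    {"value": "203.0.113.7", "type": "ipv4", "rating": "B", "tlp": "AMBER"},
    {"value": "EXAMPLE.COM.", "type": "domain", "rating": "C", "tlp": "GREEN"},
]
FEED_B_CSV = """value,type,rating,tlp
203.0.113.7,ipv4,A,GREEN
198.51.100.53,ipv4,B,WHITE
example.com,domain,A,RED
"""
# Hypothetical whitelist: the organisation's own resolver must never be pushed as an IOC.
WHITELIST = {("ipv4", "198.51.100.53")}
TLP_ORDER = ["WHITE", "GREEN", "AMBER", "RED"]  # least to most restrictive marking
# Ratings use an assumed source-reliability scale, A (best) to F.

def normalise(itype, value):
    """Canonical form so 'EXAMPLE.COM.' and 'example.com' collapse to one entity."""
    value = value.strip()
    if itype == "domain":
        value = value.lower().rstrip(".")
    return itype, value

def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def merge(records):
    """De-duplicate across feeds, drop whitelisted entities, keep best rating and strictest TLP."""
    merged = {}  # (type, value) -> {rating, tlp, sources, valid}
    for rec in records:
        key = normalise(rec["type"], rec["value"])
        if key in WHITELIST:
            continue
        rating, tlp = rec["rating"].upper(), rec["tlp"].upper()
        ind = merged.setdefault(key, {"rating": rating, "tlp": tlp, "sources": 0, "valid": True})
        ind["sources"] += 1  # corroboration across feeds aids triage
        ind["rating"] = min(ind["rating"], rating)  # 'A' < 'B': the better source wins
        if TLP_ORDER.index(tlp) > TLP_ORDER.index(ind["tlp"]):
            ind["tlp"] = tlp  # the most restrictive marking governs handling
    return merged

def revoke(merged, itype, value):
    """Granular analyst control: mark one IOC invalid so controls stop acting on it."""
    merged[normalise(itype, value)]["valid"] = False

def export_for_controls(merged):
    """Only valid IOCs reach firewalls/IDS, each carrying its rating and TLP marking."""
    return [(t, v, i["rating"], i["tlp"]) for (t, v), i in merged.items() if i["valid"]]
```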
Requirements:
• Threat reports
• Campaign reports
• Courses of action
• Analyst workflow
• Support for unstructured formats (e.g. Microsoft Word, PDF and emails)
Requirements:
• Compatibility with transport mechanisms including TAXII, FTP, email, web APIs and other proprietary APIs
• Compatibility with data formats including STIX, CSV and proprietary formats
About EclecticIQ
EclecticIQ’s mission is to restore balance in the fight against cyber adversaries. Its
flagship product, the EclecticIQ Threat Intelligence Platform, enables the operationalization
of security information exchange, empowers collaborative analyst workflow and ensures
timely integration of cyber threat intelligence into detection, prevention and response
capabilities.
EclecticIQ is a privately held company
headquartered in Amsterdam, the Netherlands,
and holds an office in London.