By Mark Arena, CEO of Intel 471.
When evaluating cyber threat intelligence, whether it is collected internally or bought from a vendor, the first question is whether it is relevant to me and my organization. As I explained in previous posts, I measure relevance by whether the intelligence satisfies established intelligence requirements; actionability, by contrast, is a reflection of the organization’s internal capability to act on it. This post is about something different: the benefits of focusing on threat actors that could impact your organization, not just the threat actors that are already impacting it.
A common issue I see in the cyber threat intelligence industry is a myopic view in which a threat is treated as irrelevant to my organization unless my organization is being impacted by it right now. To see why that is a problem, step back to the overall objective of an intelligence program, which is to reduce risk to the organization, where risk is the probability of an event occurring multiplied by the impact of that event.
RISK = PROBABILITY x IMPACT
Since those are the only two terms in the equation, there are only two ways to reduce risk:
- Block or stop an event, or otherwise reduce the probability of it occurring
- Reduce the impact of an event if it occurs or has occurred
If we focus solely on cyber threats that have already impacted our organization, we have already missed the opportunity to stop the event from occurring. Examples of this purely reactive work include:
- Looking in your network for known indicators of compromise
- Monitoring Pastebin for data dumped from your organization
- Identifying and recovering compromised customer account credentials
These activities can be valuable in reducing the impact of events, but done in isolation they only ever address the impact term of the equation and will not deliver the full benefit of an intelligence program.
So how do we tackle the probability term? There are a couple of ways, but I mainly rely on two assumptions:
- The threat actors that are impacting me are also impacting other organizations like me.
- The threat actors that are impacting other organizations like me will likely impact me at some point.
At a basic level, this means proactively examining threat activity against other organizations in your vertical or sector. If you can obtain enough detail about how that activity is carried out, you can block or detect it in advance through policy or security control changes, before it is turned against you.
I sometimes describe intelligence as a field as similar to criminal profiling. A criminal profiler examines the available information and evidence and deduces the likely profile of the perpetrator of a crime. It isn’t an exact science, but on the balance of numbers the profiler should be right more often than not. An intelligence program is similar: it isn’t an exact science either, but it takes no great leap in thinking to see that a threat actor affecting an organization in your sector is likely to turn their sights on your organization at some point. That is what makes intelligence products predictive, and it is impossible if we only shift our focus once our organization has already been impacted.