Expert Perspectives

Great Threat Intelligence: Do’s and Don’ts

Top-notch threat intelligence is a non-negotiable requirement for building a sturdy cyber defense. But pulling together a great team takes time and effort. Shortcuts will cost more than you can imagine. Make sure you are ready.

You are the CEO or CISO of an organization and want to build a threat intelligence capability. Good decision. Now, get ready to roll up your sleeves.

When it comes to talent acquisition, the future success or failure of a new Threat Intelligence team rides on making the right personnel choices, starting by identifying someone to lead the effort.

How do you design the team? Who do you hire?

Often, this decision gets made based on seniority. Companies like to promote from within, or choose trusted colleagues. But intelligence is unlike anything else in the information security sector. While there may be a natural temptation to promote a great manager or top technician, that choice will almost certainly have unintended negative consequences.

Let’s be blunt: Appointing a leader who lacks the requisite knowledge of proper analytic tradecraft and standards will very likely produce flawed intelligence – and flawed intelligence is worse than no intelligence at all.

Imagine an organization that receives an extortion email demanding cryptocurrency to avoid a DDoS attack. While I recommend against paying ransom in nearly all cases, you need to know whether the threat came from a viable threat actor in order to make a proper risk assessment and determine the best course of action. A very credible threat against a critical system where an outage might result in deaths (e.g., hospital systems) may warrant a payment. Conversely, paying a threat actor who poses no credible threat will likely embolden others to launch copycat attacks. Reliable intelligence empowers the targeted organization in this scenario to make informed decisions regarding the risk/reward of paying the ransom.

This is why I believe the director of your Threat Intelligence Team needs to be a seasoned intelligence professional. Ideally, they will have a signals intelligence (SIGINT) or human intelligence (HUMINT) background, along with demonstrated skills in fused intelligence, executive communications, and cyber operations.

This is neither an easy hire nor a cheap one. But this is the person who will most impact the success or failure of your threat intelligence initiative. In other words, this is a hire you cannot afford to get wrong.

The mindset of an intelligence analyst, and the role they play, is diametrically opposed to someone with a traditional information security background (e.g., incident response).

What’s more, plucking gifted needles from the haystack of Intelligence Community (IC) candidates with seemingly impressive resumes requires intimate knowledge of the various organizations within the IC – including 17 different intelligence agencies and all five branches of the military.

How should you assemble a threat intelligence team? There is no single answer to the question, but I think inquisitiveness is the single-most important trait to seek out in anyone filling an intelligence role.

People who consistently ask “how?” and “why?” when presented with new information are going to have the passion to seek answers that go beyond just checking boxes. As for specific roles, threat intelligence teams need to mix data science, computer science, network engineering, reverse engineering/hacking, and traditional intelligence analysis and reporting skillsets. Expecting to find unicorns who are great at all, or even many, of these skills is unrealistic.

A more reasonable path is to assemble a team of specialists who can do what they do better than anyone, and can demonstrate that either through past work or in an interview process. Some candidates will have skills in more than one area, but there are no human equivalents to the Swiss Army knife. I also recommend a dedicated editor, although it is common for a senior analyst (or several) to handle those duties.

What Tools and Inputs are Required?

Once the team is assembled, the question turns to what inputs will be consumed and processed, and how? Assuming your Director has assembled a staff consisting of the right mix of analysts, researchers, and reporters to properly support the demands of your organization, here is what that team will need to succeed.

- Threat Intelligence Platform (TIP): It’s highly desirable to start with a TIP. This will be the hub for all inputs into the intelligence team, including open source news, ISAC information, intelligence feeds, and network data. While a team can work without a TIP, the efficiencies gained through the use of a TIP will result in a more agile intelligence team capable of turning intelligence into action far more quickly.

- Network Data: The Threat Intelligence team needs to have unfettered access to all network data, much like an Insider Threat program might. As intelligence is highly dependent on access to data, the more the Threat Intelligence Team can access, the better the results will be.

- Open Source Data/Information: News, journals, blogs, and social media (among other sources) can be ingested into the TIP with the intent of correlating what is being seen and reported outside of your networks with the network data the threat intelligence team has access to.

- Information Sharing and Analysis Center (ISAC) Information: ISACs provide information that is often very relevant to your specific industry, but it is important to note that the information is often not well-vetted. It should be treated as valuable, but not as gospel. Integrating this information into the TIP can be useful for an indications and warnings (I&W) program, as the first indication of an attack campaign is often the earliest reported victims.

- Third Party Intelligence Vendors: The most cost-effective way to add intelligence to a team is to work with vendors who already have access to network data and offer reporting on their findings. A professionalized Threat Intelligence program should employ 3-5 vendors providing data feeds (indicators of compromise with context) and finished intelligence products. Ideally, those vendors will have some overlap, to improve confidence levels, but no more than 25%. Additionally, vendors who focus on areas beyond network telemetry (e.g., Dark Web, Open Source) are a vital complement to net-centric intelligence.

- Reporting Tools: Microsoft Office products (Word, Excel, PowerPoint, etc.), in conjunction with network mapping and visualization tools, provide a robust toolbox for reporting intelligence at minimal cost. More mature organizations may choose to develop customized tools to more directly integrate their threat intelligence into cyber defenses.
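As an added example (not from the original post or Symantec), the following Python measures how three constructed vendor indicator feeds overlap, flags pairs that exceed the 25% ceiling recommended above, shows how much of each feed is unique, and counts how many vendors corroborate each indicator. Vendor names and indicator values are constructed sample data.

```python
"""Vendor feed overlap and corroboration check (added example, constructed data)."""
from itertools import combinations

# Constructed sample feeds: vendor name -> set of indicators (IPs, domains, hashes).
FEEDS = {
    "vendor_a": {"203.0.113.10", "203.0.113.11", "evil-a.example", "evil-b.example",
                 "deadbeef01", "deadbeef02", "deadbeef03", "deadbeef04"},
    "vendor_b": {"203.0.113.10", "203.0.113.11", "evil-a.example", "evil-b.example",
                 "cafe0001", "cafe0002", "cafe0003", "cafe0004"},
    "vendor_c": {"evil-z.example", "198.51.100.7", "feed0001", "feed0002",
                 "feed0003", "feed0004", "feed0005", "deadbeef01"},
}
MAX_OVERLAP = 0.25  # the post's recommended ceiling on vendor overlap


def pairwise_overlap(feeds):
    """Jaccard overlap for each vendor pair: |A ∩ B| / |A ∪ B|."""
    result = {}
    for a, b in combinations(sorted(feeds), 2):
        inter = feeds[a] & feeds[b]
        union = feeds[a] | feeds[b]
        result[(a, b)] = len(inter) / len(union) if union else 0.0
    return result


def excessive_pairs(feeds, threshold=MAX_OVERLAP):
    """Vendor pairs above the threshold: budget spent buying the same data twice."""
    return sorted(pair for pair, j in pairwise_overlap(feeds).items() if j > threshold)


def unique_share(feeds):
    """Fraction of each vendor's indicators that no other vendor reports."""
    shares = {}
    for name, iocs in feeds.items():
        others = set().union(*(v for k, v in feeds.items() if k != name))
        shares[name] = len(iocs - others) / len(iocs) if iocs else 0.0
    return shares


def corroboration(feeds):
    """Number of vendors reporting each indicator; multi-source hits earn higher confidence."""
    counts = {}
    for iocs in feeds.values():
        for ioc in iocs:
            counts[ioc] = counts.get(ioc, 0) + 1
    return counts


if __name__ == "__main__":
    for pair, j in pairwise_overlap(FEEDS).items():
        print(f"{pair[0]} vs {pair[1]}: overlap {j:.1%}")
    print("over ceiling:", excessive_pairs(FEEDS))
    print("unique share:", unique_share(FEEDS))
```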

The combination of top talent and superior access to data and information is the engine that drives intelligence production. Take the time to choose wisely. Shortcuts will cost more than you can imagine, and trying to save in the short term could very well cost you dearly in the long run.



About the Author

AJ Nash

Intelligence Services Manager

A.J. Nash is the Intelligence Services Manager for Symantec’s Managed Adversary Threat Intelligence (MATI) team, serving as liaison between clients and the MATI team of analysts and researchers.
