One of the most important concepts in the world of information security today is defining and building an effective Cyber Threat Intelligence capability. To ensure that all the concepts are covered, we have teamed up with Cyveillance, a world leader in cyber intelligence, to create a storyline that covers the following topics.
We start by discussing why the notion of defining an effective capability is so important. As we will see, threat intelligence is one of the buzzwords of the day, but it means different things to different people. As a result, it can end up meaning next to nothing, unless you define it according to your organization's individual goals.
As a cybersecurity professional, you may have been exposed to the current trend to discuss, plan, or even build and operate some kind of cyber threat center, "super SIEM," super SOC or whatever your particular organization may have chosen to call it. Despite a lot of buzz, startup money, and industry discussion, what we have seen most often is that there are far more organizations in the "planning" stage, the "thinking about it" stage or the "wondering if it's a good idea" stage than there are organizations successfully operating a functional center. It is for that larger group, those who are not yet in operation or are just getting started, that this book is intended.
There's a lot of technical jargon thrown around, but in our opinion, it really boils down to the following: Why, What, How and Who. Each of those elements will be tackled in detail in the following chapters. You will also be introduced to an easy-to-follow process to translate your objectives, the "why" in colloquial terms, into activities and needs, the "what." With this information at hand, you will be able to determine what intelligence you would need on the basis of those objectives, the options available to you to build a program, and how the process can be implemented to make your center or threat intelligence capability a reality.
Another key aspect we cover is an overview of the common landmines that organizations tend to step on. This book will go over the keys to successful implementation, which is really a nice way of saying how to avoid stepping on those landmines! Then, and only then, would it be worth discussing who the right vendors, partners, or employees are to build, staff, and run your cyber threat intelligence program.
Last, but not by any means least, the book will cover reporting and management communication and its importance in an effective threat intelligence operation. From there, the conversation will come to an end at the "block and tackle" stage of planning, budgeting, and submitting a request for money, without which none of this happens.
Before getting down to the nitty-gritty of cyber threat intelligence, we would like to share a quote. Taken from Lewis Carroll's Alice in Wonderland, it is part of a conversation between Alice and the Cheshire Cat, but it is also applicable in real life when talking to stakeholders in the planning or thinking stages of building a threat intelligence capability.
Alice: Would you tell me please, which way I ought to go?
The Cat: Well that depends a good deal on where you want to get to.
Alice: I don't care much where.
The Cat: Then it doesn't matter which way you go, does it?
Any threat intelligence program that does not support a clear business objective; pursue a well-defined mission that is bounded, scoped and relatively rigid; work within a set of clear expectations in a portfolio of responsibilities that everyone agrees to; and meaningfully report metrics that matter to management and budget holders is doomed, in our opinion, to fail.
These factors are critical to understand at the outset when defining and building a threat intelligence capability. If you do not ensure that these elements are considered, if you do not set out with a clear end state in mind, you are like Alice talking to the Cheshire Cat. If you do not know where you are going, it is easy to meander about, spending time and money without ever knowing whether you are actually getting any closer to your destination.
Threat intelligence is absolutely the buzzword "du jour." It is being used to seek venture capital and fund start-ups. It is being aggressively pitched to the enterprise market by the provider industry as the solution to all their woes. Well, to put a fairly aggressive stake in the ground, we would argue that the majority of what is being sold and billed as "threat intelligence" is not. It is data. From lists of bad IPs, or application vulnerabilities, or malware signatures, or URL blacklists, to botted nodes, or botnet C2 servers, or social media data; from open source or web-based content to RSS feeds and IRC channels, in their initial form, none of these things is "intelligence." They are data.
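To make the data-versus-intelligence point concrete, here is an added example (not from the book or from Cyveillance) of what separates a raw "bad IP" feed from something a decision-maker can act on. The feed lines, firewall log lines and asset inventory are all constructed sample data; the log format, the category names and the severity rules are assumptions for illustration. The feed alone is a list of addresses; it only becomes meaningful once it is correlated with what the organization's own hosts actually did and with who those hosts are.

```python
"""Turn a raw indicator feed (data) into contextualised findings (closer to intelligence)."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: a vendor "bad IP" feed exactly as delivered. On its own this is just data.
RAW_FEED = [
    "198.51.100.23,botnet_c2",
    "203.0.113.7,scanner",
    "192.0.2.55,botnet_c2",
]

# Constructed sample: the organisation's own firewall log, which the feed knows nothing about.
FIREWALL_LOG = [
    "2024-01-10T09:12:01 src=10.0.0.14 dst=198.51.100.23 dport=443 action=allow",
    "2024-01-10T09:15:44 src=10.0.0.200 dst=203.0.113.7 dport=22 action=deny",
    "2024-01-10T09:16:02 src=10.0.0.14 dst=198.51.100.23 dport=443 action=allow",
]

# Constructed sample: asset inventory mapping internal hosts to their business role.
ASSETS = {"10.0.0.14": "finance-workstation", "10.0.0.200": "guest-wifi"}

# Assumed log layout: key=value pairs for source, destination, port and firewall action.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")


def parse_feed(lines: List[str]) -> Dict[str, str]:
    """Map each indicator in the feed to its category."""
    feed = {}
    for line in lines:
        ip, category = line.strip().split(",", 1)
        feed[ip] = category
    return feed


def parse_log(lines: List[str]) -> List[Dict[str, str]]:
    """Extract the fields we need from each firewall log line; skip lines that do not match."""
    events = []
    for line in lines:
        match = LOG_RE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def contextualise(feed: Dict[str, str], events: List[Dict[str, str]], assets: Dict[str, str]) -> List[dict]:
    """Correlate feed indicators with the organisation's own traffic and assets.

    Only indicators the organisation actually talked to produce a finding; the rest stay data.
    Severity rule (assumed for the example): an allowed connection to a C2 address is high,
    any other allowed connection to a listed address is medium, and a blocked attempt is low.
    """
    counts = Counter()
    for ev in events:
        if ev["dst"] in feed:
            counts[(ev["dst"], ev["src"], ev["action"])] += 1

    findings = []
    for (ip, src, action), hits in counts.items():
        category = feed[ip]
        if action == "allow" and category == "botnet_c2":
            severity = "high"
        elif action == "allow":
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "indicator": ip,
            "category": category,
            "asset": src,
            "role": assets.get(src, "unknown-host"),
            "action": action,
            "hits": hits,
            "severity": severity,
        })

    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f["severity"]], -f["hits"]))
    return findings


def unused_indicators(feed: Dict[str, str], findings: List[dict]) -> List[str]:
    """Indicators that never appeared in the organisation's traffic: data with no context yet."""
    seen = {f["indicator"] for f in findings}
    return sorted(ip for ip in feed if ip not in seen)


if __name__ == "__main__":
    feed = parse_feed(RAW_FEED)
    events = parse_log(FIREWALL_LOG)
    for finding in contextualise(feed, events, ASSETS):
        print(finding)
    print("indicators with no local context:", unused_indicators(feed, contextualise(feed, events, ASSETS)))
```

The output is small, but the shape of it is the point: the feed said three addresses are bad, while the correlated result says a finance workstation made two allowed connections to a C2 address, a guest-wifi client was blocked from a scanner, and one indicator is irrelevant until the organization's own data says otherwise. Which of those deserves a call to the incident responder is the kind of judgement the book's later chapters are about.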
2.1. Data feeds vs. intelligence
Our contributing editor, Cyveillance, will tell you they love data. Data is great! They produce data, buy data, sell data, and there is no question data plays a pivotal role here. However, we are going to cover the subject of data as it relates specifically to building a threat intelligence capability, and there is an absolute distinction between data and intelligence. So, in the spirit of "a problem well-defined is half-solved," we can save a lot of confusion if we start by explicitly defining the differences bet...