Rethinking Cyber Threat Intelligence

By Justin C. Klein Keane, Director, MorganFranklin Consulting

The promise of cyber threat intelligence (CTI) was always that, as a global community, blue teams could share information about badness that happened instantaneously and proactively utilize indicators of attack (IOAs) or compromise (IOCs) observed by others. IOAs and IOCs are known as tactical CTI.While this was a wonderful premise, there were several practical implementation impediments that degraded the value of tactical CTI.

The first and foremost impediment was the idea of a trusted source of this intelligence that would vet and verify it. As competitors in the marketplace sought to move more data faster to consumers, the fidelity of that data declined dramatically. Attackers learned to change up their Tools/Tactics, Techniques, and Procedures (TTPs) to stay ahead of detections and contributors to the ecosystem varied in quality. Rather than realizing value, consumers of tactical CTI found that it added operational complexity without reducing risk and more often resulted in errors and outages than preventions.

In addition to quality and timeliness, organizations quickly realized that what might be bad for one contributor might not present a threat to another. For instance, TTPs associated with a threat actor that never targeted your organization were, in essence, worthless. Unfortunately, many CTI teams got stuck in the rabbit hole of monitoring, researching, enriching, and tracking threats that had been observed globally, but had never presented themselves locally. While this sort of tracking makes sense for a nation-state, it rarely does for a business. Eventually, security leaders began to question the value of their investment in CTI and often found no practical return for their investment. This outcome led many organizations to deprecate their CTI capabilities.

If we frame the value of CTI to direct applicability for an organization, and the correlation of intelligence to observed threats, we can rethink the paradigm of high volume, low fidelity, low probability threat intelligence gathering and tracking. Instead of focusing on the global corpus of threat intelligence, organizations can reverse their orientation to a very local scope and derive higher value for their efforts.

Knowing that an APT group uses spear phishing to gain initial access is debatably valuable to any specific organization, but knowing that a threat group has deliberately targeted your organization and being able to track and correlate that activity over time is pure gold. Being able to advertise that the CTI team is tracking threats directly observed in the business justifies the CTI team’s existence by drawing concrete connections between threats and the business. Long-term actor tracking shifts from threats that might affect the environment to threats that are actively or repeatedly targeting the environment.

Shifting the focus to this valuable, high-fidelity, tactical CTI requires data originating from security operations. Security Operations Center (SOC) analysts spend their days triaging, investigating, and responding to alerts. If an organization can take the TTPs that SOC analysts identify and known threats, and then track and enrich those and provide feedback to SOC, then a synergistic value loop can result.

As SOC analysts conduct investigations, they need a mechanism to submit Requests for Information/Intel (RFI) to the CTI team. The CTI team can take Indicators of Compromise (IOCs) or TTPs identified by the SOC and record them in a database or a Threat Intelligence Platform (TIP) and provide correlation, enrichment, and research to enhance the RFI. SOC analysts can use this new information to expand their investigation, enabling better operational cybersecurity defenses. The CTI team can build a corpus of data derived from the observed activity in the environment and do their own independent long-term actor tracking with easily defensible value since the threats have been positively identified locally.

Using operationally derived data to feed the CTI team can also create more direct and actionable interactions between CTI, Threat Hunting, Detection Engineering, Incident Response, and other teams because CTI can provide relevant data to these teams about the threats that are provably targeting the environment. This also transforms any CTI reporting to executives from speculation about potential threats into specific accounting for threats that directly target the business and rise to a high level of concern.

Although developing this capability is relatively straightforward for most organizations, a mechanism to submit RFIs to CTI teams that is low friction and integrates into SOC investigative lifecycle is critical to success. SOC must submit consistent volumes of RFI to feed the CTI team.  Metrics can be used to drive this success here. Requiring SOC analysts to submit RFIs for IOCs and TTPs observed during their operations can be set as an expectation. Analysts’ RFI submissions can then be tracked for volume and quality. The SOC Quality Assurance (QA), or review process, which evaluates investigations after the fact for quality, accuracy, and efficacy, can include an evaluation of whether candidates for RFI were properly identified and submitted. Similarly, the CTI team can be evaluated on how they respond to RFIs and return enrichments to the SOC. It’s also possible to measure CTI teams on how accurate, correct, relevant, and timely the intelligence produced is.

Once SOC and CTI teams are tightly integrated, an organization can build a robust corpus of CTI in their TIP that is directly applicable. The CTI team can develop high-fidelity reports, track threats over time, develop relevant trend and gap analysis, and provide high-quality recommendations and observations to senior leadership. CTI can point to the direct value of their efforts and justify their existence in concrete terms.

Shifting to an operationally focused and sourced CTI program is relatively easy and low-cost, especially utilizing free tools such as OpenCTI. Armed with just a few procedural changes in SOC and a skilled CTI team any organization can derive direct and long-term value from IOCs and TTPs flowing through SOC throughout the day. This can translate into a high-value, easily defensible program that can support SOC and the integration of multiple other parts of mature cybersecurity defensive teams.