Setting Time Expectations for RFIs

To effectively respond to events and incidents, cybersecurity defenders rely on their knowledge of various topics, e.g., DNS, HTTP, TCP/IP, LoLBINs, Windows services, processes, threads, WMI, Mimikatz, and more. The more a defender understands these technical topics, the more efficient and thorough their investigations will be.

During an incident, the ability to contain and eradicate a cyberattack as quickly as possible is critical. Runbooks, incident response plans, and ongoing technical training for cybersecurity defenders help improve an organization’s ability to respond quickly and effectively to cyberattacks.

During an incident, leadership wants answers, and they want them quickly. This expectation for speed from defenders is realistic. Quickly containing and removing malware is critical to reducing the impact of an attack. However, Cyber Threat Intelligence (CTI) analysts operate very differently from defenders, and expectations around the work CTI analysts perform need to align with the nature and process of their work. For this reason, it’s not realistic to expect CTI analysts to answer questions or respond to requests for information (RFIs) immediately.

It can take CTI analysts a fair amount of time to produce an RFI assessment/report. The CTI process includes the following:

  • Identifying requirements/Getting direction
  • Collection of data and information
  • Analysis
  • Production of the result/assessment

How much time depends on the goals, objectives, and requirements set. Containing and eradicating malware is independent of knowing its capabilities.

Speed is necessary during an incident, but comparatively, the work performed by CTI analysts requires slowing down. CTI work must focus on the goals, objectives, and requirements rather than on the speed of performing the work. That’s not to say timeliness is not essential. Timeliness is necessary as it facilitates opportunities for cybersecurity operations, such as new detections and threat hunt opportunities.

I recommend setting expectations by defining RFI confidence levels. Each confidence level will require a different level of effort for the analyst. Standard confidence levels include:

  • High Confidence
  • Moderate/Medium Confidence
  • Low Confidence

Qualities of high-confidence assessments include:

  • High quality of supporting evidence from multiple trustworthy sources
  • No evidence against
  • Minimal to no conflicting evidence among sources

Qualities of moderate/medium-confidence assessments include:

  • Significant evidence is missing
  • New evidence could invalidate the current assessment
  • Alternate or opposing views may exist

Qualities of low-confidence assessments include:

  • Little supporting evidence is available
  • Plausibility is uncertain
  • Other hypotheses are equally likely

High-confidence assessments will likely take longer than low-confidence assessments. That’s not to say that a request for a high-confidence RFI is submitted, but there’s a lack of supporting evidence. So, the CTI analysts can only make a low-confidence assessment and can do so within two hours.

The following table demonstrates how confidence levels can be defined to include time, i.e., level of effort.

Every RFI must include a confidence level. The confidence level requested will depend on the context and circumstances of the RFI. It is possible to define a few examples of cases for RFIs and context based on possible events.

Organizations with RFI confidence levels and example use cases will find themselves successfully operating an efficient and effective RFI operation with clear expectations.

So, we want our cybersecurity defenders to work quickly, for example, to contain and remove malware from a system. And we want our CTI analysts to work differently, take their time, and perform a thorough and complete assessment without feeling pressure to rush.