Senior Director, Technical Cyber Threat Intelligence
Ken Dunham brings more than 27 years of business, technical and leadership experience in cyber security, incident response and cyber threat intelligence to his position as senior director of technical cyber threat intelligence for Optiv. In this role, he is responsible for the strategy and technical leadership to mature Optiv’s data integration and innovation of intelligence-based security solutions.
Cyber Threat Intelligence Requires Commitment
It’s been said that in a breakfast of bacon and eggs, the chicken is involved but the pig is committed. This saying is relevant when implementing a cyber threat intelligence program. You must be committed in order to succeed. In this blog post, I’ll explore some of the common pitfalls of implementing a cyber threat intelligence program.
One method for implementing cyber threat intelligence is to allocate existing staff to a new cyber threat intelligence effort on a part-time basis. This rarely works because cyber threat intelligence is not a part-time job, especially for larger organizations. If a business is attempting to formalize a cyber threat intelligence process and/or governance program, it is likely a larger company that is more mature in its cyber security needs. Due to the large operational and process needs that accompany a new cyber threat intelligence solution, let alone knowing the threats and responding to them, a part-time solution predictably fails. Even if it’s a team of part-timers, a dedicated staff member is a better solution than staff who get pulled into other, more traditional roles daily.
Chasing Shiny New Objects
Nope, there still isn’t a silver bullet or magical product that you can buy that actually does the work of cyber threat intelligence. Tools are limited in scope and capabilities and can be easily identified and subverted by more sophisticated adversaries. Most importantly, this type of culture and attitude is inherently flawed, attempting to shift responsibility and/or blame to a tool instead of to key stakeholders. People are your most important investment and value in a company and should be positioned as such for a cyber threat intelligence program. Get the tools necessary to support their job functions and known measurable outcomes, but focus on the people meeting your needs, not on a tool.
Companies also, all too often, rely upon a handful of intel sources without realizing that some are more trusted and credible than others. A small example of this may be anti-virus detection results. If I have a trusted name brand that is credible, I will put more stock in a detection by that company than in one from a no-name company I’ve never heard of before. But what if you trust a certain feed or website for your intel and it’s perhaps sensational, conjecture, assumptions, or may have false positives or information that is, well, not so great? The last thing you want to do is read a blog with an inherent sense of trust that makes assumptions and leads you down the wrong path on attribution or threat correlation. Ensure your sources are vetted for content, relevancy, accuracy, timeliness, and coverage to best meet your cyber threat intelligence goals.
One more ‘rant’ on sources as long as we are on this subject: open source is the last thing you should be focused upon. Open-source intelligence (OSINT) provides the least specific, least actionable data that you can ingest. Your cyber threat intelligence program should first and foremost focus upon your own events, threats, and how you handle and process those. Once you have your own ‘household’ taken care of you can worry about your neighbors.
Jump First, Look Later
I’m a big fan of fight over flight, but doing that without a game plan is very unwise. Companies that rush in to buy and build a little of this and that will face major struggles when they attempt to mature, operationalize, and integrate their solutions over time, because they lack a strategic roadmap.
Take for example a company that hires an internal IT staff member who programs in Python to perform OSINT collection on indicators of compromise (IOCs). Before long, a massive list of IOCs will exist, but then you’ll realize you have to remove duplicates, manage de-obfuscation of indicators from multiple sources, account for trust and confidence that vary based upon the source, recognize that some IOCs are legitimate websites that have been abused, that some are legitimate IOCs that should be whitelisted, and so forth. Wow, it got complicated really quickly, and I didn’t even finish the list for the sake of the reader. Jumping first, without a game plan and roadmap, will lead to problems where you may have to undo all you did and start over, or face other major costly challenges operationally.
High-level objectives for a cyber threat intelligence program lead to a lack of alignment for goals, process, and personnel. Be specific if you want to have specific outcomes. Focus on the outcomes, not the output.
Being specific is essential when it comes to IOCs, including meta-data. This is a field where all too often we get a ‘dump’ of IPs or domains on some blacklist. Why were they put on the blacklist? When did they get on the list? When does the blacklist drop them and why? Is there any other meta-data associated with that IOC that helps me make informed decisions?
If you have a flat blacklist type program you’ll miss important details that make a huge difference. Take the example of dropping any IOC after 15 days because it’s likely cleaned up by that date (note the assumption of abused and cleaned up instead of rogue). This is often a solution to an operational challenge on how to handle big data. What if it’s an espionage-based IOC that is persistent? Why would you EVER remove that IOC from the list? Worse, if someone sees an event or incident related to the IOC and they have no meta-data to help create context, they then have to do the work all over again to figure out if it’s bad or not and what to do. This screams inefficiency, lack of consistency, and well, I’ll stop there. It’s not a good outcome. Be specific; you’ll thank me later despite the slightly higher level of effort up front.
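To make the IOC-handling problems described above concrete (duplicates across feeds, source-dependent confidence, legitimate assets to whitelist, and expiry that must depend on why an indicator was listed), here is an added Python example; it is not code from this post or from Optiv. It keeps source, reason and first-seen alongside each indicator, normalizes defanged values so the same IOC from several feeds collapses to one record, and applies the post’s 15-day expiry only to abused-but-legitimate hosts while never expiring espionage infrastructure. The confidence values, category names and sample indicators are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed source-confidence table (assumed values, not from the post):
# a vetted internal or vendor source outranks an unvetted blog.
SOURCE_CONFIDENCE = {"internal_ir": 0.9, "vendor_feed": 0.7, "osint_blog": 0.3}
# Expiry by category: an abused-but-legitimate host ages out after 15 days
# (the post's example assumption); persistent espionage infrastructure never does.
EXPIRY_DAYS = {"abused_legit": 15, "commodity": 30, "espionage": None}

@dataclass
class IOC:
    value: str            # normalized indicator
    category: str         # drives the expiry policy
    reason: str           # why it was listed, so an analyst need not redo the work
    first_seen: datetime
    sources: set = field(default_factory=set)

    @property
    def confidence(self) -> float:
        # Trust the indicator as much as its most credible source
        return max(SOURCE_CONFIDENCE.get(s, 0.1) for s in self.sources)

def normalize(raw: str) -> str:
    """Undo common defanging so the same IOC from several feeds deduplicates."""
    v = raw.strip().lower()
    for defanged, clean in (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        v = v.replace(defanged, clean)
    return v

def ingest(store, raw, source, category, reason, seen, allowlist):
    """Dedupe on the normalized value, keep the earliest first_seen, merge sources."""
    v = normalize(raw)
    if v in allowlist:
        return None  # legitimate asset that landed on a blacklist: suppress it
    ioc = store.get(v)
    if ioc is None:
        ioc = store[v] = IOC(v, category, reason, seen)
    else:
        ioc.first_seen = min(ioc.first_seen, seen)
    ioc.sources.add(source)
    return ioc

def is_active(ioc: IOC, now: datetime) -> bool:
    days = EXPIRY_DAYS.get(ioc.category)
    return days is None or now - ioc.first_seen <= timedelta(days=days)

def active_blocklist(store, now, min_confidence=0.5):
    # Indicators still worth blocking: unexpired and from a credible enough source
    return sorted(v for v, i in store.items()
                  if is_active(i, now) and i.confidence >= min_confidence)
```

Because the reason and sources travel with each record, an analyst who later sees an event involving an indicator can read why it was listed instead of re-investigating it from scratch.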
Lack of Cyber Threat Intelligence Practitioner Leadership
Whom do you have on staff who is a leader in the cyber threat intel space? Are they government trained, strong in the art of process and geopolitical threat actor-based research? Are they commercially trained, strong in the art of technical research, correlation, and attribution? Are they skilled in estimative language, analytical tradecraft, and critical thinking? Most importantly, do they have a proven record of three years or more on the front lines of information security using, creating, or maturing cyber threat intelligence? We all know the answers to most of these questions are no, and if I could afford to hire such a person and they were willing to move to my city, of course I’d hire them, but in most cases they don’t exist. How then do you expect to have insight and thought leadership, applied to your specific program needs, if you don’t have a leader on staff? Hire a consultant, hire a guru, but don’t attempt this without some expert help. It’s worth every penny if you do your work up front and are prepared and organized once you enter the consulting phase of building out your cyber threat intelligence program.
Johnny IT Can Do This Job
Hiring IT staff to do security intel work has been identified by some notable sources in the industry as a strong indicator that your company will be breached. They may be skilled IT folks, but thinking and acting like a cyber threat intelligence security staff member is an entirely different process. Additionally, anyone from inside the organization will likely face political challenges, as cyber threat intelligence changes things culturally for most companies. Often, you’re viewed as the bad guy, much like the infamous auditors, attempting to shine a light into places people don’t want exposed. It’s very hard to build a culture where transparency exists and where it’s okay to have problems, as long as someone takes ownership to improve. Make sure you’re not taking the easy route and just hiring IT staff into your cyber threat intelligence team.
Work in a Silo
If you work as a siloed cyber threat intelligence team you won’t have the greatest success possible compared to those that intentionally message upwards to key stakeholders in the executive suite. Without a doubt, your goal is to always be communicating in ways they can best consume, understand, and apply to the larger business goals, objectives, and mission. Executives should understand the value of cyber threat intelligence and how to best mature and position it to lower risk for the company. Ensure you are intentionally involving them in your updates and operations, monthly at a minimum.
Communication is essential not only with key stakeholders but within operations. All too often there are issues with how new cyber threat intelligence teams do or do not communicate with various other teams during a crisis. Establishing escalation paths and relationships is essential if you are serious about an effective cyber threat intelligence program.
If you get too involved in a specific threat you may lose sight of the bigger picture. Take for example the threatscape of an individual company on a given day. If the cyber threat intelligence team camps out on a new email phishing threat but fails to also be aware of possible espionage activity taking place at the same time, it’s a fail on some level. Intentionally building out cyber threat intelligence process, people, and actions is essential to managing the diverse needs of an organization without getting bogged down in a single threat or security event.
Relying on Johnny AI
For all the talk that exists on the street today about orchestration and automation, machine learning, and artificial intelligence, none of it will be successful if there isn’t a trusted process under the hood. Work on the basics, like how to block and tackle as a lineman in the NFL, and you’ll be far better off than those who jump to an AI solution to automate or fix their intel problems. There is a time and place for such solutions, but it is not when you are first developing a cyber threat intelligence program.
Focus on Output Instead of Outcomes
I’ve said it before and it’s worth saying again: we must focus on outcomes, not output. More information and ‘intel’ is just noise unless you have it tied back to something specific and actionable, both in the intel process and in how you then act upon it within your organization. This often becomes a challenge for an organization after it has processes in place, when staff rely on that process instead of taking individual ownership to focus upon the desired outcome.
Believe it or not, I actually controlled myself and didn’t fully expand on everything I could have spoken about here in this blog. Wow, it’s a lot, and some of these challenges are likely monumental for your organization. If you make the intentional decision to develop a cyber threat intelligence program you can do it, and it doesn’t have to be painful, but it will be hard. It involves serious commitment; plan for at least two to three years to really get hummin’ on the operational front. Be committed, ensure that failure is not an option while accepting that you will have challenges along the way, get a game plan together, and work on process, people, and communication as starting points for your cyber threat intelligence program.
Bacon and eggs for breakfast anyone?