Cyber Threat Intelligence (CTI) encompasses the people, processes, and technologies that a Company uses to proactively identify and mitigate threats to its brand, assets, employees, third parties, and clients. In simple terms, the goal of CTI is to stay one step ahead of malicious actors and take action before an attack occurs or avoid the attack altogether. Activities supporting a Company’s CTI program typically fall into four categories:
- Risk Assessment
- Risk Monitoring and Analysis
- Risk Remediation
- Continuous Risk Management
Risk Assessment
To properly protect itself from cyber-attacks, a Company needs to establish a thorough and detailed inventory of its cyber risks. At the conclusion of the assessment, a Company should be able to answer the following questions:
- Why would someone attack us?
- What do we have or do that would warrant an attack?
- How would someone attack us?
Although the questions seem simple, the answers will require time and effort to effectively generate a complete list of cyber risks facing a company. In order to understand and identify all cyber risks, supporting activities will need to include the following:
- Developing a complete inventory of technology assets.
- Developing a complete inventory of data that requires protection.
- Developing a complete inventory of supporting third parties.
- Identifying all Company executives who may be impersonated by malicious actors.
- Identifying specific risks within the industry in which a Company operates.
In simple terms, the analogy of protecting a castle could be used. If an enemy wanted to invade a castle, how would they do it? A smaller castle with fewer windows and gates may be easier to protect than a larger castle with several entry points. Identifying defensive mechanisms to keep people out is easier than identifying defensive mechanisms to keep bugs out. A Company’s resulting risk register or inventory of attack vectors will and should differ depending on its size and complexity.
Risk Monitoring & Analysis
Once a Company has identified its risks and attack vectors, the next step is to evaluate data sources that may contain relevant information that indicates an applicable attack is imminent or identify applicable vulnerabilities. Activities supporting Risk Monitoring and Analysis include the following:
- Identifying applicable data sources.
- Processing data to identify applicable threats.
These two activities may be the two most challenging and time-consuming within a CTI function. Identifying all data sources, safe methods to access and process the data, and mapping those data points back to identified attack vectors and risks requires staff with the knowledge and skills to perform effective cyber reconnaissance and threat hunting. The goal is to be able to turn extensive amounts of data into actionable alerts.
What Are Data Sources?
Data sources include any platform, network, website, or data repository that may contain information that could potentially identify threats to a Company or identify indicators of attack (IOA). There are thousands of potential data sources that should be considered when hunting for threats. Examples include but are not limited to:
- Social networks
- Online forums and blogs
- Dark web
- Paste sites
- Popular websites
- Collaboration platforms
- Mobile app stores
- Source code repositories
Data Processing & Analysis
Once data sources have been identified, the data then needs to be processed and analyzed to identify applicable threats to a Company. Identifying applicable data points and mapping them back to a Company’s unique attack vectors is a complex and challenging process. The amount of data can be overwhelming. Many companies utilize third-party CTI tools to provide support and perform these activities. Third-party tools may incorporate data mining, machine learning, artificial intelligence, and human expertise to help produce and present actionable intelligence and make sense of the vast amounts of data.
Risk Remediation
Once threats have been identified, remediation and mitigation activities occur to reduce or eliminate a Company’s susceptibility to an identified attack. Remediation efforts will vary depending on the identified threat. Remediation use cases may include the following:
- Identified vulnerabilities will require patching.
- Leaked credentials should be locked and reset.
- Data leaks should be eliminated or fixed.
- Block malicious sites, domains, or email addresses.
- Provide specific training (e.g. Security Awareness Training) or warnings to employees.
- Work with Legal, external ISPs, websites, and forums to take down false information, spoofed domains, stolen credentials, and IPs.
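As an added example (not code from the article or any vendor it mentions), the following Python sketch shows the mapping described under Risk Monitoring & Analysis and the remediation use cases above: constructed observations from several data sources are matched against a hypothetical risk register, and each hit is tied to an attack vector and its remediation. The company, domains, names and observations are all made up.

```python
import re
# Constructed risk register for a hypothetical company (owned and third-party
# domains, executives): what the Risk Assessment step produces.
RISK_REGISTER = {
    "domains": {"examplecorp.com", "acme-payroll.com"},
    "executives": {"jane doe"},
}
# Constructed observations shaped like items pulled from the data sources above.
OBSERVATIONS = [
    {"source": "paste site", "text": "combo: j.smith@examplecorp.com:Summer2023!"},
    {"source": "domain feed", "text": "new registration: examp1ecorp.com"},
    {"source": "social network", "text": "Jane Doe (CEO) giveaway, DM me now"},
    {"source": "online forum", "text": "anyone know a good pizza place downtown?"},
]
# Remediation use cases from the article, keyed by the attack vector they address.
PLAYBOOK = {
    "leaked_credentials": "lock the account and force a credential reset",
    "spoofed_domain": "block the domain and request a takedown",
    "executive_impersonation": "warn employees and request a platform takedown",
}

def edit_distance(a, b):
    """Levenshtein distance, used to flag lookalike (typosquat) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(obs, register=RISK_REGISTER):
    """Map one observation to (vector, evidence, remediation) tuples."""
    text, low, alerts = obs["text"], obs["text"].lower(), []
    # email:secret pairs whose mailbox domain is in the register
    for m in re.finditer(r"([\w.+-]+@([\w-]+\.[\w.-]+)):\S+", text):
        if m.group(2).lower() in register["domains"]:
            alerts.append(("leaked_credentials", m.group(1)))
    # domains within two edits of a registered domain, excluding the domain itself
    for dom in re.findall(r"\b[\w-]+\.[a-z]{2,}\b", low):
        if dom not in register["domains"] and any(
                edit_distance(dom, own) <= 2 for own in register["domains"]):
            alerts.append(("spoofed_domain", dom))
    for name in register["executives"]:  # executive names seen on social platforms
        if obs["source"] == "social network" and name in low:
            alerts.append(("executive_impersonation", name))
    return [(v, e, PLAYBOOK[v]) for v, e in alerts]

def triage(observations=OBSERVATIONS):
    """Keep only observations that map to a known attack vector; noise drops out."""
    return {i: a for i, o in enumerate(observations) if (a := classify(o))}
```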
As noted above under data processing and analysis, Companies may choose to use a third-party tool to help with remediation. Third-party CTI tools may include automated remediation services to help quickly mitigate or remediate identified threats. Examples may include automatic policy, software, and firmware updates, domain take-downs, and automatic updates to blacklists and ACLs. Incorporating automated remediation capabilities can dramatically reduce a Company’s susceptibility to identified threats.
Continuous Risk Management
It’s imperative that Companies continually re-evaluate identified cyber risks and attack vectors to ensure their defined digital footprint and perceived threat landscape remain current. As a Company’s business evolves, so too does the technology and data that support the business. The evolution of external forces also plays a role in evolving or transitioning risks and attack vectors. Data pertaining to identified malicious actors and attack methods needs to be continually enriched to help a Company maintain a competitive edge over the known or unknown threats.
What Are Cyber Intelligence Tools?
A CTI tool could be defined as any tool or suite of tools that help a Company inventory, analyze, remediate, and manage threats. While a Company may employ several vendor-agnostic tools or solutions within its security stack that support its CTI function, several third-party tools, or platforms, exist that represent themselves as all-in-one SaaS CTI solutions.
While there are a number of SaaS CTI platforms on the market, a few years ago, at a previous employer, I tasked one of my teams with identifying a shortlist of platforms that they felt could strengthen our security posture. Based on my team’s research, IntSights, Recorded Future, and ZeroFOX made their list. While the CTI market has changed since my team performed the evaluation and while I don’t officially endorse any of these products, I have great respect for my co-workers who performed the evaluation and for that reason have noted their results. The results of their analysis were based on the following criteria:
- Quality of threat intelligence
- Sources of threat intelligence
- Platforms covered (dark web, social media, etc.)
- Automated remediation capabilities
- Ability to remediate findings identified by other third-party tools
- Analyst support
- Ease of integration with other third-party products
- Tech support to develop additional integrations if necessary
- Data retention
- Cost of threat intelligence vs cost of remediation
What Are the Costs & Benefits of Outsourcing Cyber Threat Intelligence?
In addition to potential high-level benefits associated with any outsourced service or function, SaaS CTI solutions claim they are able to pull from more data sources, look deeper, analyze better, and offer remediation tools that allow Companies to see potential threats quicker and remediate before any attack happens.
Human capital is one advertised benefit that shouldn’t be overlooked. Anyone who has worked in security knows or has seen firsthand the effects of alert fatigue and burnout on their security and incident response teams. Coupled with the challenges of finding competent and skilled personnel, it’s important to keep security personnel engaged, happy, and focused on the unique issues and challenges that require internal attention. Opportunities to outsource alert fatigue or the task of filtering through a sea of potential false positives should always be considered.
While I do agree that SaaS CTI platforms can offer significant benefits, every Company needs to perform their own due diligence and analysis to determine if outsourcing their CTI function (if they have one at all) makes sense for them. Although several opinions exist on how to properly evaluate the ROI of outsourcing any business process or function, I came across a great Forrester Consulting study on Recorded Future’s website titled “The Total Economic Impact of Recorded Future Intelligence Platform”. Although the study was commissioned by Recorded Future for their product and for large enterprises, I felt like Forrester established an effective evaluation framework that could be used by any Company to evaluate the benefits and cost savings of a SaaS CTI platform using their own data points and metrics.
How Does Cyber Threat Intelligence Apply to the SOC 2 Trust Services Criteria?
Depending on a Company’s understanding, interpretation, and implementation of a CTI function, the processes and technologies that comprise a CTI function or platform touch on and support a number of the SOC 2 Trust Services Criteria, specifically the following sections, as noted in the AICPA TSCs:
- COSO Principles
  - CC2.1, CC3.2, CC3.3, CC3.4, CC4.1, CC5.1, and CC5.2
- Logical and Physical Access Controls
  - CC6.1, CC6.2, CC6.6, and CC6.8
- System Operations
  - CC7.1, CC7.2, CC7.3, CC7.4, and CC7.5
- Risk Mitigation
  - CC9.1 and CC9.2
- Additional Criteria for Availability
- Additional Criteria for Confidentiality
The CTI function should be a critical component of every Company’s security stack and practice. While every Company’s CTI function should be built around its own risk landscape and attack vectors, the concept of proactively identifying and remediating identified threats strengthens a Company’s security posture and reduces its risk of compromise.
Mark Larson started working in the technology industry in 1998 where he worked in a number of different roles prior to transitioning to the public accounting world in 2004 with Ernst & Young (EY). During his 6 years at EY, Mark provided both assurance and advisory services that spanned multiple industries for both public and private companies. After leaving EY, Mark filled leadership roles within Internal Audit, Technology, and Security functions for several companies. Mark specializes in SOC examinations and enjoys helping clients establish, formalize, and report on effective control environments while strengthening their security risk profile.