What on earth can Kentucky Fried Chicken and good cyber threat intelligence (CTI) have in common? Do they both have a secret recipe? Are they both finger-licking good?
No. It is a lot simpler than that. Both KFC and good intelligence have three things in common.
- They are both relevant
- They are both timely
- They are both actionable
These are the key pillars to having a finger-licking good time at KFC and are the backbone of what makes threat intelligence good.
My years of sifting through threat intelligence have taught me that whenever you assess the intelligence your CTI team is ingesting, you should measure it against these three metrics. If the intelligence fails on any of the three, it is time to improve its quality and, with it, the overall effectiveness of your CTI program.
Let’s dig in and see how these three metrics can help you assess what good threat intelligence is.
Good Threat Intelligence is Relevant
Cyber threat intelligence needs to be relevant to the organization you are protecting.
A whole host of intelligence is produced every day about the latest threats and vulnerabilities, and it is easy to get lost in it. Often CTI teams focus on what is making the headlines rather than on what is relevant to their own organization.
For instance, if a new CVE is causing havoc for businesses worldwide but affects software you do not run, there is no point in hunting for its Indicators of Compromise (IOCs). If a prominent threat actor is targeting companies based in Asia and you operate exclusively in Europe, you probably do not need to run threat hunts for that actor's tactics, techniques, and procedures (TTPs). Note that this judgement is only as good as your asset inventory: you can only declare a CVE irrelevant if you actually know what software and versions you run.
Just as when you go to KFC you are probably looking for fried chicken rather than a salad, good intelligence is what your organization wants (or needs) to ingest: the vulnerabilities in the software you run and the threat actors targeting your business, sector, or country.
If you focus on what is not relevant to your organization, you will have far too much intelligence to deal with and you will end up wasting precious resources.
Good Threat Intelligence is Timely
Is it worthwhile threat hunting for an IOC that was reported six months ago? Probably not. In fact, with the limited resources your CTI team has, it is perhaps detrimental, because you are not focusing on the threats affecting you today!
The timeliness of the IOCs and TTPs your CTI team hunts for is crucial. You need to focus on the current and emerging threats that your organization is facing. Let the traditional security products (firewalls, AV, EDR, etc.) focus on IOCs and TTPs from the past. They are designed to do that. As a CTI program, you must be up-to-date and proactively searching for the latest threats.
This applies to more than just the operational and tactical levels. The strategic intelligence your team ingests also needs to be current: it should provide a high-level overview of the latest threats and trends, be it new threat actors, malware strains that are becoming popular, or ransomware campaigns that are expanding their capabilities.
If you go to KFC, you want your meal prepared and delivered fast. Timeliness is key to having a good experience. If you want your cyber threat intelligence to be good, you need it to relate to the latest threats. Timeliness is key to protecting your organization.
Good Threat Intelligence is Actionable
If you go to KFC, you want a piece of fried chicken you can eat. If you ingest threat intelligence, you need to be able to turn this intelligence into something actionable.
Operational and tactical intelligence is made actionable by turning the IOCs, TTPs, and CVEs into threat hunting queries. You look for this intelligence in your environment to uncover potential attacks or vulnerabilities. Strategic intelligence is made actionable by creating policies and procedures, allocating resources, and investing in security technologies that address the current trends in the threat landscape.
If your intelligence cannot be turned into an actionable item, it is bad intelligence.
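The three tests above (relevance to your sector, region and software; timeliness against a maximum indicator age; and whether an indicator can be turned into a hunting query at all) can be applied mechanically to a feed before anything reaches the hunting queue. The script below is an added example written for this article, not code from the original post or from any TIP vendor. The feed, the organization profile and the product name "Acme VPN" are constructed, the CVE id is a placeholder rather than a real vulnerability, and the query templates assume the Microsoft Defender advanced-hunting table names as the target SIEM schema (swap in your own). Stale but otherwise good indicators are not discarded; they are handed off to the preventive controls the Timely section says should own them.

```python
from datetime import datetime, timedelta, timezone

# Organization profile. All values are constructed for this example; "Acme VPN"
# is a hypothetical product name, not a real piece of software.
ORG_PROFILE = {
    "sectors": ["finance"],
    "regions": ["EU"],
    "software": ["Acme VPN"],
}

# Constructed sample feed in a minimal STIX-like shape. The IP is from the
# documentation range 203.0.113.0/24, the domain uses .example, the hash is a
# dummy value and the CVE id is a placeholder, not a real vulnerability.
SAMPLE_FEED = [
    {"type": "ipv4", "value": "203.0.113.10", "first_seen": "2024-04-20",
     "targets": {"sectors": ["finance"], "regions": ["EU"]}},
    {"type": "domain", "value": "update-check.example", "first_seen": "2023-10-01",
     "targets": {"sectors": ["finance"], "regions": ["EU"]}},
    {"type": "sha256", "value": "a" * 64, "first_seen": "2024-05-03",
     "targets": {"sectors": ["energy"], "regions": ["APAC"]}},
    {"type": "cve", "value": "CVE-0000-00000", "first_seen": "2024-05-02",
     "targets": {"software": ["Acme VPN"]}},
    {"type": "actor", "value": "Example Group", "first_seen": "2024-05-04",
     "targets": {"sectors": ["finance"], "regions": ["EU"]}},
]

# Hunting query templates. Table and column names follow the Microsoft Defender
# advanced-hunting schema as an assumed target; replace them with your SIEM's.
QUERY_TEMPLATES = {
    "ipv4": 'DeviceNetworkEvents | where RemoteIP == "{v}"',
    "domain": 'DeviceNetworkEvents | where RemoteUrl has "{v}"',
    "sha256": 'DeviceFileEvents | where SHA256 == "{v}"',
    "cve": 'DeviceTvmSoftwareVulnerabilities | where CveId == "{v}"',
}

# Fixed "today" so the run is reproducible.
NOW = datetime(2024, 5, 5, tzinfo=timezone.utc)


def parse_date(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def is_relevant(indicator, profile):
    """Relevant if the feed's targeting data overlaps our sector, region or
    software inventory. An indicator with no targeting data is kept: nothing
    says it is not ours."""
    targets = indicator.get("targets") or {}
    if not targets:
        return True
    return any(set(vals) & set(profile.get(key, []))
               for key, vals in targets.items())


def is_timely(indicator, now, max_age_days):
    """Timely if first seen no more than max_age_days before now."""
    return now - parse_date(indicator["first_seen"]) <= timedelta(days=max_age_days)


def to_hunt_query(indicator):
    """Actionable only if the indicator can be expressed as a query. A bare
    threat-actor name is not an observable, so it yields None."""
    template = QUERY_TEMPLATES.get(indicator["type"])
    return template.format(v=indicator["value"]) if template else None


def triage(feed, profile, now, max_age_days=30):
    """Bucket each indicator as 'hunt' (relevant, timely, actionable),
    'handoff' (relevant and actionable but stale: give it to firewall/EDR
    blocklists instead of hunting time), or 'dropped' with the reasons."""
    buckets = {"hunt": [], "handoff": [], "dropped": []}
    for ind in feed:
        reasons = []
        query = to_hunt_query(ind)
        if not is_relevant(ind, profile):
            reasons.append("not relevant")
        if query is None:
            reasons.append("not actionable")
        if reasons:
            buckets["dropped"].append((ind["value"], reasons))
        elif is_timely(ind, now, max_age_days):
            buckets["hunt"].append(query)
        else:
            buckets["handoff"].append(query)
    return buckets


def run_sample():
    return triage(SAMPLE_FEED, ORG_PROFILE, NOW, max_age_days=30)


if __name__ == "__main__":
    for bucket, items in run_sample().items():
        print(bucket)
        for item in items:
            print("  ", item)
```

On the sample feed the IP and the CVE go to the hunt queue, the stale domain is handed off to blocking controls, the energy-sector hash is dropped as irrelevant, and the actor name is dropped because there is nothing to query for. The 30-day window and the "untargeted means relevant" default are policy choices; tune them to your team's capacity.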
How to Avoid Bad Threat Intelligence
So how can you avoid ingesting bad threat intelligence into your CTI program? Two main sources lead to bad intelligence being ingested: an incompetent manager and the use of outdated tools.
Incompetent Manager
An incompetent Chief Information Security Officer (CISO), or head of CTI, may be unable to define clear objectives for the organization's CTI program. This lets bad intelligence creep in, because the CTI team does not know which intelligence sources to ingest or how to use that intelligence to solve security problems. A clear, agreed ingestion process is vital to keeping bad threat intelligence out.
In addition, if the manager uses the wrong metrics to measure the performance of the organization’s CTI program, bad intelligence can emerge:
- If the team is measured on eliminating false positives, it may sacrifice timeliness and only pursue intelligence that is sure to generate true positives.
- If the team is measured on ingesting as much intelligence as possible, it may sacrifice relevance and simply ingest everything.
- If the team is measured on presenting the intelligence it finds, it may neglect making that intelligence actionable and never solve an actual security problem with it. It will regurgitate what it sees.
A CTI program must have a clear focus on what it wants to achieve and how its effectiveness will be measured. Objective and metric settings are imperative to ensuring good intelligence is consumed.
Outdated Tools
The ingestion of cyber threat intelligence is made possible through tools. In the CTI world these are usually known as Threat Intelligence Platforms (TIPs). They collate, analyze, and distribute threat intelligence to their users, saving the time, resources, and energy of doing that work manually.
Whether open-source or proprietary, TIPs are vital for ingesting intelligence efficiently. However, not all TIPs are created equal.
If your organization relies on an outdated TIP, or has not configured its TIP properly (feeds not scoped to your sector or software, no expiry on indicators, no deduplication across sources), you may be ingesting intelligence that is stale or irrelevant to your organization. The result is bad intelligence in the pipeline and a degraded CTI program.
You can learn more about TIPs in this article: 5 Reasons Why a Threat Intelligence Platform Will Improve Your Business.
Conclusion
Good cyber threat intelligence is relevant, timely, and actionable. These qualities allow the CTI team to proactively defend an organization against the latest threats. To ensure bad intelligence is not ingested, clear objectives and thoughtful performance metrics must be put in place by the head of the CTI program or the CISO.
Bad intelligence wastes resources and fails to improve your organization’s security posture. Good intelligence allows you to combat new and emerging threats efficiently. When thinking of how to ingest good intelligence, think of how you want your KFC order:
- Relevant (what you ordered)
- Timely (fast)
- Actionable (edible).