Explaining threat intelligence to executives can be daunting.
Framing the conversation in the tactical, as opposed to the strategic, prevents us from communicating the real value of a good, empowered, sponsored, and staffed threat intelligence program in a way that lets executives understand what they’ll get - and say yes.
Management, and business, is all about the choices we make, and the opportunity costs we choose to pay, to maximize scarce resources.
Everything we choose to do, buy or spend time on is at the expense of all the things we could have done instead. Part of management – indeed, perhaps the soul of management as a discipline – is making those choices about the allocation of scarce resources.
To put it in executive terms, the entirety of the threat intelligence value proposition is two statements, and one question:
- The world is full of threats.
- I can’t stop all of them.
- What do I prioritize?
Threat Intelligence helps you answer that question, and prioritize with confidence.
Threat Informed Defense
To make this directly meaningful, your intelligence program must consider your company’s specific situation.
This is only a starting place, but these kinds of activities can assist as you start thinking about threat intelligence in a helpful and constructive manner.
Whoever is sponsoring your company’s Threat Intelligence program should be able to come to you having done some basic homework to provide answers to the following types of questions.
Your industry peers. What attacks have they seen? What types of attacks, and attackers, typically target them?
Your industry topology. Every industry is different, but even within industry sub-groups there can be a maturity or architectural continuum. Where do you sit in this topology, and how does that affect your vulnerability or attractiveness as a target?
Your tech stack. This area deserves a somewhat deeper look, and the right people in your company should find these questions easy to answer in simple terms:
- Are your endpoints mainly Windows, Mac, or Linux?
- Are your servers and applications on-prem, in a datacenter, in the cloud, or a hybrid?
- Have you moved towards a zero-trust, segmented architecture, or are you relatively flat?
  - In other words, if an attacker got into your environment, is the network compartmentalized or do they now have the run of the house?
- Have you got multifactor authentication throughout? What’s your use of SaaS and how have you mitigated third-party and supply-chain risks?
- What is your realistic appraisal of your patching and update regime?
- What systems, servers, IP addresses and domains are publicly accessible? Should they be?
  - For example, Dev and QA servers left exposed so engineers can “work remotely” more easily are a common entry point.
- What is the maturity of each of your information technology, engineering, and information security organizations?
  - And on what measure is your answer to this question based?
A Threat Intelligence program can be a very small team, or even one person, looking at the answers to all these questions and more. Especially at the beginning, this should not cost a lot of money – that comes later, once you’ve proved that such a program can add real value.
Now Do The Analysis
Based on the answers to those questions, your company should ask itself some more:
Who, or what threats, am I most likely to face in my environment?
What tools, techniques, and procedures do those threats employ?
What are my defenses to stop, or my controls to detect and minimize, these threats?
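The three questions above are, in effect, a prioritisation exercise: likely adversaries, the techniques they use, and the controls you already have against those techniques. The script below is an added illustration of that exercise, not code from the original post. Every group name, likelihood score, technique set and control mapping in it is constructed sample data; the technique IDs are real MITRE ATT&CK identifiers, but which group uses which, and how effective each control is, are assumptions made up for the example.

```python
"""Toy threat-informed prioritisation: rank technique gaps by which likely
adversaries use them and how well existing controls already cover them.

All group names, likelihood scores, technique sets and control mappings are
constructed sample data, not a real threat profile. The technique IDs are real
MITRE ATT&CK identifiers; the group-to-technique mapping is illustrative only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatGroup:
    name: str
    motivation: str
    likelihood: float      # 0..1, analyst's estimate that this group targets us
    techniques: frozenset  # ATT&CK technique IDs the group is known to use


@dataclass(frozen=True)
class Control:
    name: str
    covers: frozenset      # technique IDs this control stops or detects
    effectiveness: float   # 0..1, share of the risk the control removes


# Constructed sample: hypothetical groups for a mid-size financial-services firm.
GROUPS = [
    ThreatGroup("Crime-Group-A (constructed)", "theft", 0.8,
                frozenset({"T1566", "T1078", "T1486", "T1190"})),
    ThreatGroup("Sanctioned-State-B (constructed)", "transferable funds", 0.5,
                frozenset({"T1566", "T1195", "T1486"})),
    ThreatGroup("Espionage-C (constructed)", "intelligence", 0.2,
                frozenset({"T1190", "T1078", "T1071"})),
]

# Constructed sample: controls the firm already runs, with assumed effectiveness.
CONTROLS = [
    Control("Mail filtering + phishing training", frozenset({"T1566"}), 0.6),
    Control("MFA on all external logins", frozenset({"T1078"}), 0.9),
    Control("External attack-surface patching", frozenset({"T1190"}), 0.4),
]


def technique_exposure(groups):
    """Weight each technique by the likelihood of every group that uses it."""
    exposure = {}
    for group in groups:
        for technique in group.techniques:
            exposure[technique] = exposure.get(technique, 0.0) + group.likelihood
    return exposure


def residual_risk(groups, controls):
    """Exposure left after the single best control covering each technique."""
    residual = {}
    for technique, weight in technique_exposure(groups).items():
        best = max((c.effectiveness for c in controls if technique in c.covers),
                   default=0.0)
        residual[technique] = round(weight * (1.0 - best), 3)
    return residual


def prioritise(groups, controls):
    """Techniques ordered by residual risk, highest first: the 'fix next' list."""
    residual = residual_risk(groups, controls)
    return sorted(residual.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for technique, risk in prioritise(GROUPS, CONTROLS):
        print(f"{technique}: residual risk {risk:.2f}")
```

With this sample data, ransomware-style impact (T1486) tops the list because two likely groups use it and no control covers it, while valid-account abuse (T1078) drops to the bottom once MFA is counted. The numbers are only as good as the analyst's likelihood and effectiveness estimates, which is exactly the homework the questions above are meant to produce.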
Each threat group has its own motivations (ideology, money, geopolitical or economic national advantage, etc.) that will in turn dictate the information, systems and organizations they target.
How many threat groups are out there? Lots.
By way of some high-level and certainly non-comprehensive illustration:
U.S. government-funded think tank MITRE, which provides thought leadership around threat intelligence, has cataloged about 120 known threat actor groups. The Thai national CERT has published a good handbook with more than 200.
Criminal gangs target banks and financial services companies, with the goal of theft. Groups sponsored or run by nation-states under sanctions, like several from North Korea (most famously the Lazarus Group), target cryptocurrency exchanges and crypto-trading firms and run ransomware schemes, all with the goal of obtaining easy-to-transfer funds.
If you make construction equipment that shows up on social media being used to bulldoze settlements in the Palestinian territories, you may face retaliatory attacks by Iranian nation-state hackers. Their goal may be just to break or burn down whatever they can.
If you store global travel information, you may be the target of Chinese government actors whose goal is to track the movements and itineraries of political activists. Their goal may be to get in, avoid detection and just learn what they want to know, for years if you’ll let them.
Knowing who is most likely to target you, and why, will give you some indication of what they are likely to try to do.
By studying what is known about that adversary and how they try to do what they do, we can begin to return to what is ultimately still a business and management question: “Which things do I spend my finite resources trying to defend against?”
One of course can’t mitigate or eliminate all cyber risk; one can only try to maximize the right defenses with the people, time and dollars one has.
That role, to enable more-informed managerial decision making, is the point of a threat intelligence program.