Joseph and the Amazing Primary Color CTI Function (Part Two) — Leveraging Primary Source Insight From the Front Lines

Industry Perspectives 2021-01-22

The first blog post in this series provided an introduction to primary source intelligence and discussed some of its benefits. This highlighted how primary source insight can be a key driver in ramping up an organization’s security posture.

Despite the clear benefits of primary source intelligence, it should never be seen as an end in itself. This is because it is only ever as effective as a security team’s broader maturity, ability to consume intelligence, and capacity to blend it with other data sources.

This post picks up where we left off, by providing some practical steps on how to operationalize primary source intelligence within a cyber security function.

Establish the Foundations

Before we get too excited about some of those sweet primary source nuggets of insight, it is vital that a CTI team and cyber security function get the relevant foundations in place. Primary source intelligence is a means to an end and should serve a broader goal of providing decision advantage that is relevant to key business challenges.

This means starting with understanding the purpose of intelligence within an organization. There are ultimately many ways that organizations can leverage CTI, ranging from patch prioritization and threat hunting to risk management and strategic decision making. Intelligence functions should therefore understand intelligence use cases, build relationships with relevant internal stakeholders, and help them better understand how intelligence reporting can aid the decision-making process.

Once this clarity of mission has been achieved, an intelligence function should ask what kind of intelligence and sources best serve stakeholder requirements. A robust collection program that is mapped to stakeholder requirements is a key ingredient in producing high-quality and actionable intelligence. The chances are that primary source intelligence can make a significant contribution in solving business challenges, yet it is stakeholder requirements that should always be the driving force.

Integration

Any intelligence source will be more effective when it is fully integrated into a security function’s tools and technology. This could include, for example, directing CTI feeds into threat intelligence platforms (TIPs) and security information and event management (SIEM) systems. However insightful primary source intelligence may be, it has to be presented in a usable and accessible way. Ultimately, if CTI is able to complement and integrate with existing workflows, it is far more likely to be consumed.

Primary source intelligence derived from CTI vendors will provide organizations with a broad understanding of the threats relevant to them, yet this should always be integrated with a deep knowledge of an organization’s own internal operating environment. By mapping CTI against the infrastructure and assets within an internal network, a security function is able to understand their own exposure. Here, organizations should also ensure that they integrate external intelligence with the primary source data sitting under their own nose (i.e. that gained from within their own network).

A combination of sources becomes more powerful than the sum of their parts. At FireEye, for instance, indicators gleaned from an incident response engagement could then assist our endpoints in detecting additional malicious activity. This could, in turn, provide fresh insight to uncover additional adversary operations via Advanced Practice engagements. This would unearth new context around adversary TTPs, all of which is then fed into our threat intelligence offering. Different CTI sources therefore inform each other, creating powerful multiplier effects.

Adopt an Empirical Approach

The cyber threat landscape is highly complex and there is no shortage of attack vectors. Yet not all attacker techniques pose a uniform threat to organizations. Most cyber security functions require insight to help them focus on and prioritize what really matters to them. Rather than providing an exhaustive list of all the attack techniques that might pose a threat, a CTI team will always deliver more value through intelligence that can sort through the noise and identify the handful of TTPs that pose the most significant and likely threat. Empirical, data-driven analysis is the bedrock of this approach, and primary source intelligence is what enables it.

COVID-19 provides one example of how the cyber threat landscape can become distorted through secondary reporting. In March 2020, the intense global interest in the pandemic meant there was understandable press interest around how the virus was being leveraged in social engineering campaigns. With so many of these reports published in a short time frame, it would be easy to assume that the vast majority of phishing emails contained COVID-19 lures. Yet, cyber security reporting intended for a mainstream audience will understandably report on what is new and topical. After all, who wants to read about yet another generic phishing email?

Mandiant Threat Intelligence, by contrast, was able to leverage its malicious email detection data to ascertain that COVID-19 content was used in only two percent of malicious emails at the time. This highlights how a more data-driven approach to CTI can untangle tangible threats from broader hype and media headline bias. Ultimately, whilst both cyber security news reporting and intelligence play important functions, they are fundamentally different products developed for different purposes.

The same principles can also be applied to vulnerability intelligence. Patching across an organization running multiple systems and applications can be a mammoth task. This makes prioritization crucial. Yet the mean and ugly vulnerabilities that make their way onto headline news are not necessarily the ones that pose a material threat.

Rather than focusing on the most frightening vulnerabilities, organizations are better off adopting a context-driven approach. This prioritizes patching vulnerabilities that are both being actively exploited and affecting relevant geographic and industry verticals. This significantly increases the chances that an organization’s patching efforts go towards preventing targeted attacks. Again, such context requires expansive telemetry and rich data sets.
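To make the context-driven approach concrete, here is an added illustration (not FireEye or Mandiant code) that ranks vendor vulnerability intelligence against an organization's own profile, combining the asset-mapping point from the Integration section with the prioritization rule above. The organization profile, the `VulnIntel` fields and the `VULN-*` identifiers are all constructed assumptions, not real advisories.

```python
"""Context-driven vulnerability prioritization: added illustration, constructed data."""
from dataclasses import dataclass, field


@dataclass
class VulnIntel:
    vuln_id: str                  # placeholder label, not a real CVE identifier
    product: str                  # product the vulnerability affects
    cvss: float                   # headline severity score
    exploited_in_wild: bool       # observed in active campaigns (primary source telemetry)
    targeted_verticals: set = field(default_factory=set)
    targeted_regions: set = field(default_factory=set)


@dataclass
class OrgProfile:
    vertical: str                 # industry vertical the organization operates in
    region: str                   # geographic region it operates in
    installed_products: set       # taken from the internal asset inventory


def context_score(v: VulnIntel, org: OrgProfile) -> float:
    """Score relevance to this organization; severity alone is only a tie-breaker."""
    if v.product not in org.installed_products:
        return 0.0                # no exposure in our environment: nothing to patch
    score = v.cvss
    if v.exploited_in_wild:
        score += 10.0             # active exploitation outweighs any CVSS difference
    if org.vertical in v.targeted_verticals:
        score += 5.0              # campaigns are hitting our industry
    if org.region in v.targeted_regions:
        score += 5.0              # campaigns are hitting our region
    return score


def prioritize(intel, org):
    """Return the patch order: most contextually relevant first, exposed assets only."""
    scored = [(context_score(v, org), v.vuln_id) for v in intel]
    return [vid for score, vid in sorted(scored, reverse=True) if score > 0]


# Constructed sample data for the example
ORG = OrgProfile("finance", "EMEA", {"vpn-appliance", "mail-gateway"})
INTEL = [
    VulnIntel("VULN-A", "hypervisor", 9.8, False),                        # headline score, not deployed here
    VulnIntel("VULN-B", "mail-gateway", 9.1, False, {"retail"}, {"APAC"}),  # deployed, but nobody is exploiting it
    VulnIntel("VULN-C", "vpn-appliance", 7.2, True, {"finance"}, {"EMEA"}), # lower CVSS, actively used against us
]
```

Running `prioritize(INTEL, ORG)` puts the lower-scoring but actively exploited, sector-targeted vulnerability first and drops the headline one entirely.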

In Closing

One does not need to work in the cyber security industry for long before encountering oodles of distraction, hype, and questionable hot takes. Primary source intelligence might not be the cyber security silver bullet that every practitioner wishes existed, but there is little doubt that it can provide a healthy and much-needed dose of grounded perspective. This empowers organizations to focus on the threats that really matter.