How is actionability achieved leveraging your blue team operations within IT, security teams, and CTI? HINT: It’s not a tool!
CTI “actionability” is a marketing buzzword used all too often, without any quantification of what it means or any evidence of it being achieved in production, even with some of the shiniest new tools on the market. How does one actually achieve actionability within CTI?
What is CTI?
The “Definitive Guide to Cyber Threat Intelligence” (Jon Friedman, Mark Bouchard, 2015) defines CTI as:
“Cyber threat intelligence is knowledge about adversaries and their motivations, intentions, and methods that is collected, analyzed, and disseminated in ways that help security and business staff at all levels protect the critical assets of the enterprise.”
“Actionability” is popular because we all know we need to do something with a threat, but exactly what? If you ask what someone means by CTI actionability, you will likely receive diverse and incomplete answers.
To be fair to those with incomplete answers to the question of actionability, CTI is a complex subject! The author sees information technology (IT) as the foundation for the block-and-tackle operations of an organization, with security as a layer built into and on top of IT. Intelligence is yet another overlay on top of that, and it must integrate into the business to succeed.
Actionability within CTI exists when the context is available for a specific decision or task to be made by specific individuals under known, documented processes and roles. It must occur with structure, speed, accuracy, and clear decision making, both for incidents and breaches and for busy day-to-day operations. Without a responsible, accountable, consulted, and informed (RACI) structure tied back to specific processes and decisions (e.g. when to emergency patch based upon risk level), organizations struggle in a crisis. All too often this context and structure does not exist, resulting in ad hoc, reactionary decisions made within immature operations.
How Mature are your CTI Operations?
Look at two core areas to begin identifying the maturity of CTI within the organization:
· CTI Operations
The entire CTI lifecycle begins with defining intelligence requirements and collection and continues through analysis, production, and reporting. This is how your CTI team functions, and where they prioritize and focus as a team.
· CTI Risk-Based Integration
Effective CTI integration occurs within multiple business units (BUs), providing tactical, operational, and strategic support to each of them. This integration must be risk-based to maximize the reduction of residual risk to the organization.
Common BUs that work closely with CTI include, but are not limited to: the executive suite, for strategic decisions and breach support; Threat and Vulnerability Management (TVM), for identifying and prioritizing the vulnerabilities that pose critical risk to the organization; Incident Response (IR), for support of IR operations; and IT overall, for reducing attack-surface risk and addressing specific threats.
Are Operations Risk-Based?
All too often an organization relies upon the Common Vulnerability Scoring System (CVSS), maintained by FIRST.org, to prioritize vulnerabilities and threats. This scoring system is severity-based, and what is usually consumed is only the “base” score of the vulnerability itself; CVSS does define temporal (threat) and environmental metrics, but most feeds and scanners publish the base score alone. The base score does not encompass the total risk, which depends on whether the asset is exposed, whether the vulnerability is being exploited in the wild, how policies and procedures exist and are enforced, how configurations are managed, change controls, and more.
Risk-based CTI operations operate from clearly defined organizational goals expressed in a risk mission and a set of prioritized statements, such as no operational downtime, no loss of client information, and no loss of specific intellectual property (IP) critical to the organization. CTI operations then define intelligence requirements, actions, conditions, and criteria that champion these risk outcomes.
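The following is an added illustration of the difference between a CVSS-only queue and a risk-based one; it is not code from the article or its author. The weighting scheme, the VULN-* identifiers, the asset names and the risk-mission labels are all hypothetical, and the findings are constructed sample input rather than real scanner or CTI output. It shows a CVSS 9.8 on an unexposed test box sinking to the bottom of the queue while a CVSS 5.3 on an exposed, actively exploited gateway rises into the emergency-patch set.

```python
"""Risk-based vs. severity-based vulnerability prioritization.

Added illustration, not from the article. Weights, asset names, VULN-*
identifiers and mission labels are hypothetical; the findings are
constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    cvss_base: float            # CVSS base score as published (0.0 - 10.0)
    asset: str
    mission_item: str           # which risk-mission statement the asset supports
    asset_criticality: int      # 1 (low) .. 5 (direct impact on a mission item)
    internet_exposed: bool      # reachable from untrusted networks
    actively_exploited: bool    # CTI reporting of in-the-wild exploitation
    compensating_control: bool  # e.g. segmentation or a WAF rule already in place


# Hypothetical weights; an organization derives its own from its risk mission.
EXPOSURE_FACTOR = {True: 1.0, False: 0.5}
EXPLOIT_FACTOR = {True: 1.5, False: 1.0}
CONTROL_FACTOR = {True: 0.5, False: 1.0}


def risk_score(f: Finding) -> float:
    """Scale the CVSS base score by organizational and threat context.

    Maximum is 15.0 (CVSS 10.0, criticality 5, exposed, exploited, no control).
    """
    criticality = f.asset_criticality / 5.0
    return (f.cvss_base
            * criticality
            * EXPOSURE_FACTOR[f.internet_exposed]
            * EXPLOIT_FACTOR[f.actively_exploited]
            * CONTROL_FACTOR[f.compensating_control])


def severity_order(findings):
    """What a CVSS-only queue looks like: highest base score first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss_base)]


def risk_order(findings):
    """Risk-based queue: highest contextual risk first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -risk_score(f))]


def emergency_patch(findings, threshold):
    """Findings meeting a documented emergency-patch criterion (score >= threshold).

    This is the kind of pre-agreed decision rule a RACI-backed process needs,
    so the call is not made ad hoc in the middle of an incident.
    """
    return [f.vuln_id for f in sorted(findings, key=lambda f: -risk_score(f))
            if risk_score(f) >= threshold]


# Constructed sample findings (not real data).
SAMPLE_FINDINGS = [
    Finding("VULN-A", 9.8, "dev-test-box", "none", 1, False, False, False),
    Finding("VULN-B", 7.5, "customer-portal", "no loss of client information", 5, True, True, False),
    Finding("VULN-C", 8.1, "billing-db", "no loss of client information", 5, False, False, True),
    Finding("VULN-D", 5.3, "vpn-gateway", "no operational downtime", 4, True, True, False),
]

if __name__ == "__main__":
    print("CVSS-only order :", severity_order(SAMPLE_FINDINGS))
    print("Risk-based order:", risk_order(SAMPLE_FINDINGS))
    print("Emergency patch :", emergency_patch(SAMPLE_FINDINGS, threshold=6.0))
    for f in SAMPLE_FINDINGS:
        print(f"{f.vuln_id}: cvss={f.cvss_base} risk={risk_score(f):.2f} ({f.mission_item})")
```

In production the inputs would come from scanner output, the asset inventory or CMDB, and CTI exploitation reporting; the point of the example is that the prioritization rule and the emergency-patch threshold are written down, tied to the risk mission, and measurable, rather than argued over during an incident.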
How is Actionability Achieved within CTI?
Actionability depends upon measurable actions: how CTI is produced and how it is integrated. If you can’t measure success, how will you know when you are successful? More importantly, how do leaders and executives know, appreciate, and celebrate the success of the CTI team?
How Key Performance Indicators (KPIs) are defined and made specific to each area of CTI operations and integration is key to success. Ensure metrics exist to support each KPI, including diagnostic metrics from which you can identify trends, patterns, areas to celebrate, and needs to champion.
Ensure you are mapping people, process, and technology to specific CTI actions, integration points, and outcomes. For example, CTI operations can be measured in part by metrics and KPIs on the processing of actor groups, tools, and tactics, techniques, and procedures (TTPs), on indicator of compromise (IoC) counts, and on the report types disseminated over a given period. Keep in mind that this is only part of the picture: you must also measure how CTI makes a difference (or not) in other BUs. Within IR, that may mean tracking the number of incidents involving CTI and the outcomes achieved that lowered risk as a result, such as IoCs provided by CTI that let the team fully scope a threat, its related threats, or a campaign, or CTI advisories on threat vectors and the success of threat identification based on them.
As an initial top-down approach, self-evaluate among leaders: how effective do you think CTI is, and what are the expectations? To be successful in managing risk, initiate the risk-based discussions required of CTI and of the company.
Employ an expert third party to baseline operations, identify gaps, and create a roadmap focused upon the tactical, operational, and strategic needs of the organization. Select one area of integration, ideally IR or TVM, where the greatest return on investment can be gained in the near term, and use it to enhance an important but smaller area of CTI measurability, integration, and outcomes.
After successfully achieving this maturity uplift, follow your CTI risk roadmap to take on larger uplifts and needs within the CTI program.