The threat intelligence has to come out of its silo

The growth of the threat intelligence market reflects the need for companies to be educated about the threats they face, to anticipate attacks with their protective tools, and to help analysts and experts support the incident response team when an attack occurs.


Organizations set up threat intelligence teams or turn to specialist service providers who consolidate data from forums, specialist blogs, and the deep web to alert security teams to emerging threats. A recent survey conducted by the SANS Institute on the subject of “Cyber Threat Intelligence (CTI)” shows that the proportion of companies that have set up processes to collect this data has risen from 13% in 2019 to 44% this year. Government services, followed by banking and finance, and cybersecurity providers are obviously the most advanced on this issue. However, the need is just as important for companies in other sectors, and even for smaller companies.

Threat Intelligence, an increasingly mature discipline

During a round table hosted by ThreatQuotient this summer, Jonathan Couch, the vendor’s senior vice president of strategy, pointed out that more and more organizations have teams devoted to this area. Previously, analysts from the Security Operations Center (SOC) were often responsible for this monitoring. Specializations within SOCs and in cybersecurity services are becoming more precise, and the “one man army” approach, in which a single analyst masters everything in the SOC from start to finish, is giving way to more defined roles.

Not every organization can set up such a unit, but for Jonathan Couch at least one point of contact must be appointed for the subject: “Small security teams that cannot dedicate a person to handling threat intelligence can count on an MSSP partner. They still need to make sure they get the right information to alert management or other teams in the event of a detected threat. You need to have at least one person whose primary role it is. And if that really isn’t possible, someone who has the background to help SOC analysts go through the alerts.”

Zeina Zakhour, Global CTO for cybersecurity at Atos, offers the same analysis: “If a company cannot dedicate a resource solely to threat intelligence, a person needs to be assigned to gather information and bring the relevant data together. Without this, an enterprise threat intelligence initiative cannot last.”

One option mentioned by Mo Cashman, director of enterprise architecture at McAfee, is to appoint someone within the SOC to interface with the service provider’s CTI. For the expert, companies must have end-to-end processes that range from the collection of information and its processing to its use.
“From my experience with customers, you have to think vertically: which threats affect me as a company, which techniques will the attackers use, and which sensors must be in place to counter each of these techniques,” he says.


In addition to the tooling, Zeina Zakhour explains how important it is to clearly define the goals the company pursues in its approach to threat intelligence: “The first thing we do with our customers is to define the goals of this threat intelligence. You need to understand the target, but also the real uses of this threat intelligence. The collection methods differ depending on whether it is an operational project in which the data must be used directly by automated processes. That is very different from strategic threat intelligence, which is intended more for CxOs and is about identifying the attackers and building a profile.”

The sources of information, but also the type of data collected, differ depending on who will consume it. “A security architect wants to make sure that the technologies their company uses can adapt to threats. He will therefore need very technical information,” emphasizes Mo Cashman.
“An incident response analyst needs to prioritize their investigations. Is this a classic incident? Is it possibly linked to an APT? Is it an attack technique associated with a known group? These answers directly affect the priority he will give his response. For their part, the governments want a more strategic perspective.”

Threat intelligence has to break the silos

Ryan Trost, CTO and co-founder of ThreatQuotient and SOC manager at the US defense group General Dynamics, explains: “In a SOC, this means being able to attribute an attack to the right adversary, for ‘executive’-type information. However, technical data also needs to be shared between the threat intel teams and SOC analysts, especially those responsible for responding to incidents. At General Dynamics, we had analysts, but also signature engineers who worked with the threat intelligence team. Of course, analysts value resource protection, while threat intel specialists tend to take a predictive approach. It’s interesting to see how these two profiles work together.”


While 90% of the attacks on the arms manufacturer came from spear phishing campaigns, victimology staff were dedicated to identifying the attackers’ targets within the company. Good knowledge of the adversary’s methods made it possible to train staff so that these potential targets would be more vigilant about the emails they received.

But there is more: the information gathered by a CTI cell needs to circulate better within the company. This is clearly the position Zeina Zakhour defends today: “We have to break the silos! A threat intelligence team must be able to communicate with development teams, IT management, the incident response team, and so on. All of these exchanges must now be performed faster and more effectively to facilitate the consumption of CTI.”

One example of this need to broaden the audience for threat intelligence is the move towards DevSecOps, and the need for DevOps teams to rely on threat intelligence to protect their code. Jonathan Couch gets right to the point: “Working together is key. Threat intelligence is able to generate collaboration between teams: between the SOC and the incident response team, the red team and the DevOps teams. Threat intelligence is an issue where all of these teams work together on their cybersecurity expectations, what they need, or what they want to fix.”


And Mo Cashman adds: “If we are to have better detection and response, we have to break the silos. If the incident response team does not communicate well with the network team or the application teams, the minimum response time is high. Threat intelligence touches many aspects of cybersecurity and can do a great deal to improve that collaboration.”

Shared threat intelligence means trust

The faster and broader sharing of this security information within the company directly raises the question of how much trust and weight it should be given. “Every piece of data, whether it is collected internally or industry-specific, is assigned a trust rating,” says Zeina Zakhour.
“We can do it manually, but we now have the tools to partially automate this task. If information is found on Twitter or the deep web, the data must be analyzed and given a score so that the CTI expert can feed it into the system. This value allows us to define what we can do with this information.”


Mo Cashman adds: “This notion of a trust score is critical because nothing is absolute; nothing in cybersecurity is 100% good or 100% bad. The company using this threat intelligence data needs to trust its suppliers. Based on this information, companies may be asked to make strategic decisions. This trust factor is very important, and it is human analysis of the elements that makes it possible to build that trust.”
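As an added illustration of the trust score both Zeina Zakhour and Mo Cashman describe (example code, not from the article or from any vendor quoted in it), the routine below rates each incoming intel item from its source, its age, its corroboration and whether an analyst has reviewed it, then maps the score to what automation may do with it. The source reliabilities, decay rate, thresholds and sample indicators are all assumed and constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

# Assumed reliability per source type (0..1), not from the article: internal
# telemetry and industry sharing rank highest, open social media lowest.
SOURCE_RELIABILITY = {"internal": 0.95, "industry_isac": 0.85, "vendor_feed": 0.75,
                      "deep_web": 0.50, "twitter": 0.35}
WEEKLY_DECAY = 0.10  # share of the base score lost per week since the sighting
MIN_DECAY = 0.20     # stale items keep at most 20% of their base score

@dataclass
class IntelItem:
    indicator: str            # domain, IP or hash; samples below are constructed
    source: str
    observed: datetime
    corroborations: int = 0   # independent sources reporting the same indicator
    analyst_reviewed: bool = False

def trust_score(item: IntelItem, now: datetime) -> float:
    base = SOURCE_RELIABILITY.get(item.source, 0.20)  # unknown source: low trust
    age_weeks = max(0.0, (now - item.observed).total_seconds() / (7 * 86400))
    score = base * max(MIN_DECAY, 1.0 - WEEKLY_DECAY * age_weeks)
    # Each corroborating source (up to three) closes 15% of the gap to 1.0.
    score += (1.0 - score) * 0.15 * min(item.corroborations, 3)
    # A human review closes half of what is left: trust is built by analysts.
    if item.analyst_reviewed:
        score += (1.0 - score) * 0.5
    return min(score, 1.0)

def permitted_action(score: float) -> str:
    """What automation may do with the item without a human in the loop."""
    if score >= 0.80:
        return "auto_block"      # push to blocking controls automatically
    if score >= 0.50:
        return "alert"           # raise to the SOC, no automatic enforcement
    if score >= 0.30:
        return "analyst_review"  # park until a CTI analyst has looked at it
    return "discard"

def triage(items, now):
    out = {}
    for item in items:
        score = trust_score(item, now)
        out[item.indicator] = (round(score, 3), permitted_action(score))
    return out

NOW = datetime(2020, 9, 1, tzinfo=timezone.utc)
SAMPLE_ITEMS = [  # constructed intake, not real indicators
    IntelItem("beacon.example.test", "internal", NOW),
    IntelItem("rumor.example.test", "twitter", NOW),
    IntelItem("vetted.example.test", "twitter", NOW, corroborations=3, analyst_reviewed=True),
    IntelItem("stale.example.test", "vendor_feed", NOW - timedelta(weeks=5)),
    IntelItem("ancient.example.test", "vendor_feed", NOW - timedelta(weeks=20)),
]
```

Running `triage(SAMPLE_ITEMS, NOW)` shows the point of the score: the same Twitter sighting moves from analyst review to automatic blocking only once it is corroborated and a human has vetted it, while a stale vendor item drops out of automation entirely.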

To facilitate the sharing of threat intelligence data between teams, subject matter experts must continue to work on the taxonomy, so that everyone who needs to use this security intelligence speaks the same language.

Another development in the discipline is the emergence of “actionable threat intelligence”, a concept championed by Zeina Zakhour: “Every element of the ‘Predict / Prevent / Detect / Respond’ cycle must be actionable. We need to move towards actionable threat intelligence, as automation is essential for us as an MSSP. It is a key part of how we do business, making it easier, prioritizing work, and enabling threat hunters, incident responders, and SOC analysts to act quickly. Ultimately, threat intelligence must make it possible to improve incident response times,” concludes the Atos cybersecurity CTO.