Posted in:

Threat Intelligence: share and survive

Effective enterprise Threat Intelligence programmes must make information sharing – at all levels of an organisation – a top priority for full-function cyber defence strategies, says Digital Shadows’ Isidoros Monogioudis.

CSEurope - Threat Intelligence: share and survive

As they acquire greater levels of responsibility for the cyber governance of the organisations they run, cyber-savvy senior executives can not only have oversight of their enterprises’ security operations’ Threat Intelligence (TI) activities, but also direct input into them. This is because there are points of intersection between business intelligence and cyber threat intelligence – points that cyber experts won’t see, but the business-minded will.

TI is based on the collection of intelligence using open source intelligence (‘OSINT’), social media intelligence (‘SOCMINT’), human intelligence (‘HUMINT’), technical intelligence or intelligence from the Deep Web and the Dark Web. TI’s main objective is to research and analyse trends and technical developments in key threat are, as such as cyber crime, cyber espionage, and hacktivism.

By definition, executives in both public and private sector entities deal with business risk – but it’s not always easy to ascertain it fully. The market for assessing some elements of business risk is relatively mature. For example, most firms will build-in redundancy to data centre operations and/or back-up data the cloud. However, digital risk, and particularly that which manifests from outside an organisation‘s traditional boundary, is less understood and is a critical missing part of a company‘s overall risk profile.

As organisations become more digitally-interconnected to their supply chain, customers, and partners, new types of risk have emerged. Unmanaged, these can lead to the loss of sensitive corporate data, violation of privacy laws, and damaged reputations. When surveyed by the Ponemon Institute for its Bridging the Digital Transformation Divide report (2018), 72% of leaders agreed that the rush to digital transformation increases data breach and cyber security risks, and 65% agreed that the digital economy significantly increases the risk to intellectual property.

These risks can directly impact business leaders. In North America, some 32% of breaches lead to a c-level leader, manager, or president losing their job, the report’s findings indicated. While 77% of business leaders understand the need to manage digital risk, they face a sizeable challenge to understand the impact of digitisation and create a coherent approach to protect against digital risks.

Given the high importance to business leadership, how should senior executives work with security teams to assess overall cyber threats to their business?

First the burden to manage digital risks should not fall on a single department, and these new challenges extend beyond the purview of the security team. In an increasingly stringently regulated commercial environment, attempts to manage risk without involving legal, fraud, and compliance teams will not provide an understanding of business risk. However, by the same token, these teams do not necessarily have the skills and resources to monitor overall risk effectively and to communicate it to the board.

There are several approaches to blur the lines between departments and remove these operational ‘silos’. First, Integrated Risk Management (IRM) seeks to combine security risk and business risk. In this digital era, digital risk is a key component of Integrated Risk Management. Additionally, McKinsey & Company has outlined a framework for greater interaction between different c-level roles.

The proposed ‘strategic security partnership’ is a framework for CISOs, CIOs, and CROs to work together and move to a collaborative, enterprise-wide approach to risk. By doing so, silos are broken down, friction is reduced, and risk becomes embedded in the CISO’s threat management programme.

It’s critical that senior executives provide the proper guidance and missing context for intelligence data that is not initially defined. Senior executives should, therefore, be part of the intelligence lifecycle process. Especially when it comes to critical threats, their impact evaluation and business continuity plan should reflect the importance of their engagement.

They must use tooling coming from risk management; and they should also improve the efficiency of this process with crisis management exercises simulating the threats and the associated impact. Exercises should be conducted in order to improve their decision-making process and efficacy during stressed conditions. Other intelligence data coming from closed sources (i.e., business/executive-oriented) should also be evaluated and integrated very carefully.

In the right circumstances, an effective cyber security team will understand most of the generic threats their business faces. However, there are some – potentially the most damaging to their organisation – which are more specific. These require close interaction between leadership and security teams. It is here that senior executives can take the lead on understanding what it considers to be their critical assets.

This will vary from organisation to organisation. For a technology or pharmaceutical company, it might be their patents and intellectual property. For a retail company, it may be upcoming product names and their customer websites. For an investment bank, it might be a pending merger or acquisition. Exposure of these assets often leads to business risks, such as loss of revenue, reputation or competitive advantage.

Adversaries will make use of this online exposure; using exposed credentials to conduct account takeovers, leverage intellectual property to conduct corporate espionage, impersonating brands to launch phishing attacks, and exploit vulnerabilities in external infrastructures. Organisations must, perforce, think about the type of sensitive data they hold, and how this might be appealing to a range of threat actors. From there, organisations can think about the ways adversaries might access this information, and where they might be exposed.

This is not, however, a static exercise. It is vital that leadership teams keep their security counterparts up-to-date on the information that must be protected. By the same token, what can be done/is being done to share TI between European businesses (i.e., encouraging more organisations with vertical sectors to join forces to share knowledge on a structured basis), and what needs to be done to make this more effective as a line of cyber defence.

TI sharing is a vital element in cyber defence. However, it is difficult to achieve, and trust issues remain despite huge efforts. Initiatives typically flounder on what information specific information to share. Security risks and breaches can be embarrassing as well as linked to sensitive market or brand information that could damage reputation and credibility. This, in part, explains an understandable reluctance on the parts of many to publicise incidents further.

Information sharing frameworks call for cultural change

Next, there comes the question of how we can improve this. Part of the solution – especially for business and the broader private sector is an organisation or entity that could assist in sharing by filtering sensitive data. The UK National Cyber Security Centre (NCSC) runs the Cyber Security Information Sharing Partnership (CiSP). This is a joint industry and government initiative that was set up to exchange cyber threat information in real time, ‘in a secure, confidential and dynamic environment’.

In doing so the CiSP aims to increase engagement with industry and government counterparts in a secure environment and provide early warning of a range of cyber threats. It also opens the ability for organisations to learn from each other’s successes and mistakes. Furthermore, CiSP provides a useful framework; but it is only as good as the organisations which contribute to it. Greater engagement across the board will improve its usefulness as we enter the 2020s and confront the next-generation of cyber threats.

There’s also a newer equivalent to CiSP for information exchange known as MISP. This is an open source TI platform. It’s geared toward gathering, sharing, storing and correlating ‘Indicators of Compromise’ of targeted attacks, TI, financial fraud information, vulnerability information, and also even some counterterrorism information. Increasingly used by organisations worldwide (6,000+ to date), MISP is also highly regarded within NATO states.

There are other initiatives well worth a mention, where the sharing of information between competitive organisations has been beneficial. Insurance companies that operate within the UK share information on suspected fraudsters via the Insurance Fraud Bureau (IFB). As well as day-to-day fraud prevention, the IFB can also become involved with the disruption of organised crime networks. It will also co-ordinate action on behalf of the industry – and that includes potential enforcement action.

Although arguably not as advanced as the insurance sector, Europe’s banks similarly share certain key information with credit ratings agencies to help mitigate their risk and that of customers.

C-suite and board-level executives who see tangible value in information sharing should know that it requires cultural and organisational change. To go about doing so requires training to identify what information needs to be shared, in order to improve cyber security across the entire sector. Certain threats such as those relating to impersonation, fraud and extortion, can provide useful information for risk mitigation to the wider business community, and competitive concerns about sharing it should be set aside.

The strategic implementation of information sharing frameworks that provide the right context and the required structure, can also help. The STIX (Structured Threat Information Expression) and TAXII (Trusted Automated eXchange of Indicator Information) specifications are established for that purpose, and greatly assist in automating the delivery of cyber threat information. Both STIX and TAXII are well regarded, and backed by an active community of developers and security analysts.

Organisational leaders should also give due consideration to the MITRE ATT&CK knowledgebase to better understand the tactics techniques and procedures of cyber threat actors. MITRE is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. Use of it can help with the development of specific threat models and methodologies across vertical sectors.

Frameworks and co-ordination entities are a significant step forward. However, understanding the context of certain threats remains a limiting factor. Because intelligence sharing is still at a relatively early stage, many organisations either do not know what to share or don’t know what technical or other contextual data need to be added to it or in order to contribute to overall cyber defence improvement. Proper education of what information can or should be shared therefore needs to be integrated into the overall threat intelligence sharing concept. This will ensure that companies will not share potentially sensitive information and will make employees who share information be more confident of what to share, without the fear of exposing risk.

Another sometimes overlooked consideration is the fiscal cost information sharing may have on organisational budgets and overheads. Information sharing should be part of the TI function. As such, there is not additional financial cost or resource overhead. Being part of the process means the associated analysis will always consider and utilise information shared from other sources, and will always have/use the right components and procedures, in order to make their own information shareable with other entities. Common protocol and data structure should be also part of the technical/non-functional requirements. Organisations should also strive to improve the quality of information they can acquire in relation to TI.

As mentioned at the start of this article, this is based on the collection of intelligence using OSINT, SOCMINT, and HUMINT, plus technical intelligence or intelligence from both Deep- and Dark Webs. TI plays a vital role to help organisations understand how threat actors can target their organisation and the methods they use. When the understanding of threat is combined with an organisation’s unwanted exposure, it can limit the opportunities. This approach, known as ‘Digital Risk Protection’, seeks to provide rapid event detection and remediation capabilities so companies can fix issues before bad actors exploit them.