Actionability Doesn’t Mean I Have to do More Work! 


“Actionability” is something we are starting to hear more and more from industry sales and marketing, but it often doesn’t translate into reality for the various components of cyber threat intelligence programs and services. Does your cyber threat intelligence program drive decisions for organizational risk management and reduction of risk? If it doesn’t, you’ll want to read this blog post to focus on what matters most to attain true actionability through cyber threat intelligence.


CTI Actionability


An Optiv client recently said, “Actionability cannot mean that I have to do more work.” This is far too often the case with emergent cyber threat intelligence solutions and services. If cyber threat intelligence is done properly as a recursive process over time, integrated into an enterprise risk management strategy and practices, actionability will hit the mark. Unfortunately, what happens more often is reflective of a lack of focus, resulting in cyber threat intelligence programs being drowned in a global swimming pool of threat information and agents in an increasingly connected global threat landscape.


To be successful in the area of actionability, you must approach maturation of your cyber threat intelligence program from a strategic perspective. Do you know where your crown jewels are, how they are protected, and how they are at risk? Yes, I know, you’ve heard that before, but it’s worth saying again and again until the industry starts doing it! With the understanding of what you are protecting as the cornerstone of your risk management practice for the enterprise, the next step is to focus on how cyber threat intelligence will actionably make a difference. Be sure to involve experienced professionals who have done this type of work to align your cyber threat intelligence practice with business operations.


Let’s make the concept of strategic focus towards goals of a cyber threat intelligence program clear with the examples below:


A Common Flawed Approach to IOCs


A newly formed internal cyber threat intelligence team begins to search for global indicators of compromise (IOCs) as a way to bolster their depth and breadth of visibility into potential threats that their organization may face. They spend many hours collecting, parsing and sorting through various data formats to feed their SIEM. In the end, they are really aggregating global IOCs that impacted the rest of the world which, in statistical reality, will likely not impact their organization from a threat deterrence perspective, but will impact the organization by straining a more than likely already overburdened staff. Strategically, this can be part of a mature solution on some level, but it will likely not yield highly actionable or valuable results as part of an emergent cyber threat intelligence program.


A More Strategic Approach to IOCs


A company recognizes that when an attack takes place against their business they need to get additional IOCs related to that specific malware variant, as well as any other IOCs related to a possible campaign. This cyber threat intelligence team coordinates internally to gain visibility and metrics into emergent attacks as they happen, in real-time, working to then quickly generate or obtain IOCs related to attacks as they occur. They do this in both automated and human intelligence (HUMINT) fashions to maximize timeliness of their input back into their SIEM, IT and incident response teams. IOCs generated from this strategic solution are timely, highly relevant and integrated.


Do you see the difference in the examples above? The more successful approach is aimed at integration and outcomes specific to the organization, defined by intelligence requirements. With a proper strategic approach and focus in place, an organization has the challenge of putting into practice actionability within a cyber threat intelligence program.  


There is an inherent challenge to this that many managers may miss - the lack of a clear definition of what you’re aiming towards when it comes to cyber threat intelligence and actionability. If you take a newly formed cyber threat intelligence team and ask them to all define actionability (try this) you will gain an understanding of how your team diversely approaches the subject and/or gaps that may exist. As an industry we have yet to gain a tangible definition. 


The following components of actionability must exist for success within a cyber threat intelligence program:


  • Timely: If the action isn’t timely it’s often useless or diminished in value. This involves both automated and human-driven intel components. Operations must be efficient for timely actionable output to take place within a cyber threat intelligence program. A lack of timeliness often reflects a lack of clear priorities and challenged operations.
    e.g. A ten-page report on a campaign that impacted an organization, delivered ten days after it happened, isn’t nearly as valuable as ten timely IOCs during the time of incident and a five-page paper on TTPs five days later.
  • Outcome Oriented: Great cyber threat intelligence programs move from information and understanding to evaluative thinking and output. In terms of Bloom’s taxonomy of thinking, output from a cyber threat intelligence program is matured through analysis, synthesis, and evaluative processes that take data from a raw state to evaluated intel. This results in context and actionability. This is far different from output-oriented programs that seek to gain perceived value by throwing tons of raw data or aggregated feeds at a client.
    e.g. A list of IOCs, such as IP addresses, given to an incident response team is no different than other ‘information’ they may gain from anti-virus, sandbox and other sources. Providing context into what the IOCs are about, how endpoints and servers should be managed accordingly, and how IOCs should best be implemented within the entire incident response process is far more consumable for an IR team and IT during a time of crisis.
  • Relevant: Actions must be relevant to your organization, your specific risk and on a level that is as granular as possible with accurate qualified information. Ensuring that a cyber threat intelligence team has visibility and influence into all areas of an organization is essential to enabling them for success.
    e.g. A long list of possible related IOCs is far less valuable than specific, qualified, accurate evaluated intel which has IOCs specific to a campaign that is attacking an organization.
  • Repeatable: Cyber threat intelligence programs are repeatedly successful because of due diligence to their process and desired actionable outcome integrated into business operations. Ad-hoc teams and processes will only have superstar flash-in-the-pan moments, which are not sustainable at scale. Mature organizations work the cyber threat intelligence process reactively and strategically, enabling proactive changes towards hardening against threat agents and threats over time.
    e.g. Each time an incident takes place, the cyber threat intelligence team is all over it, providing real-time support and updates, guidance towards TTPs and attribution and IR actions, and strategic response maturation to proactively position against a repeated threat before it strikes again in the future.


When you read the above components for success for actionability, an experienced cyber threat intelligence professional quickly realizes that these are all part of an effective cyber threat intelligence program itself. Making sure the pillars of success for your enterprise risk governance match up with your cyber threat intelligence strategy, and then with your cyber threat intelligence outcomes (actions), is the essential three-stranded rope that an effective manager shoots for in order to have success. Actionability of a cyber threat intelligence program clearly reflects the effectiveness of the entire cyber threat intelligence program to integrate and improve cyber risk management for an organization. The key to actionability is providing consumers with the ability to act on the intelligence information. And the key to providing that consumer decision advantage is to ensure that cyber threat intelligence strategy is aligned to consumer requirements.

Ken Dunham
Senior Director, Technical Cyber Threat Intelligence
Ken Dunham has spent 30 years in cybersecurity, consulting in adversarial counterintelligence, forensics, Darknet Special Ops, phishing and hacking schemes, AI/BI, machine learning and threat identification.