Cyber Threat Intelligence – Putting out Fires or Firefighting?

Cyber Threat Intelligence – Putting out Fires or Firefighting?

When it comes to fighting malware, combating nation-state threats, and securing digital assets, the information security industry has much to learn from firefighters. Though we fight online threats, and firefighters fight fires, both roles have reactive and proactive challenges. Optiv strongly advocates that organizations become firefighters: not only responding reactively but also strategically and proactively.


Cyber Threat Intelligence Firefighter


Reactively, we all do our best in the face of global outbreaks like the recent WannaCry ransomware threat. But, we sell ourselves short by “being busy” and moving on to other things once the crisis is over. A post-incident strategic response is mission-critical for any organization that wants to truly learn from their success and areas of opportunity. More importantly it positions the organization for maturity and growth over time like that of a firefighter.


What does a firefighter do during down time, when there isn’t a fire crisis threatening thousands of acres or homes? Below are a few anecdotal examples of how they prepare themselves and their assets for the next crisis and how you can apply that to your cyber threat intelligence risk management practices:


  • Physical training – the best individuals and teams continuously train hard, heal up and work to stay in peak condition for fighting fires.
    • How are you rallying your troops within security and IT? 
    • Is your team morale high or low, and what are you doing about it?
    • Do you have an established incident response plan that includes a well-defined leader and structures for minimizing physical and emotional duress during a crisis?
  • Slash-and-burns and thinning timber – when a fire breaks out, these preventative controls slow the spread of the fire and help it burn less hot.
    • Are your networks documented, segmented and well managed?  
    • What is your plan to minimize damage should an incident take place?
    • Have you adjusted your plan based on the lessons learned from previous crises?
    • Do you have your security defenses mapped against known threat vectors for your organization and a plan to then bolster those over time? For example, do you have a solid endpoint solution in place to help detect and mitigate malware threats beyond what anti-virus can do?
  • Public education – educational programs like Smokey the Bear teach the public about green zones, fire prevention and preparing for fires.
    • Are employees required to attend user-awareness training as it directly relates to a crisis?
    • Do you have analytics and metrics in place for training, risk events and incidents to show how you’re trending to lower overall risk?
  • Infrastructure upgrades – ensure that planes, maps, fuel, and other resources are in place to meet expected demands for the next fire season.
    • Is your risk management plan mapped back against threats and threat agents who may attack your assets?
    • Does your plan enable stakeholders to make prioritized decisions on upgrades, new capabilities and ways to lower risk?


If we only react to information security crises and imminent threats, we are “low hanging fruit” to an attacker. To harden against an attack an organization must make strategic response an ongoing priority, not a one-off response to one crisis that got out of control. After-action reports or strategic “lessons learned” surveys and responses are a must for any organization seeking to mature over time.  


If an organization is mature enough to have a cyber threat intelligence program in place, the need for firefighting is even greater due to the inherent nature of the process. Cyber threat intelligence can only be successful when built on top of and integrated with an enterprise risk management program. This type of strategic integration and operational capability cannot be reactive forcing more mature organizations to dedicate full-time resources to constant tuning, maintenance and development of cyber threat intelligence programs in a post-incident strategic response fashion. Any mature organization with cyber threat intelligence integration is – for sure – performing strategic response functions following the global WannaCry outbreak of 2017.


How does cyber threat intelligence help with security incident prevention, mitigation and response?


  • Have you identified the tools, tactic, and procedures (TTPs) related to an incident or crisis and created appropriate counter-measures?
    • The process of intelligence matures and develops TTPs, patterns and overlays that helps build a defensive infrastructure. Take, for example, the recent WannaCry exploit worm and ransomware threat, which revealed many organizations need an improved patch management program and incident response process. Many also learned their networks are “flat” and highly vulnerable to network-aware threats as well as backups vulnerable to ransomware on that same network. Looking deeply at the technical components and TTPs of an attack are essential within the intelligence process to develop counter-measures – especially when a threat is likely such as eCrime, opportunistic-based attacks like ransomware.
  • Do you have any analytics and trends around the threats and incidents confronting your environment?  
    • If not, how will you know your most likely risks? How will you know what threats are targeting your organization?
    • When making budget decisions how will you know the area of greatest weakness, based upon layers of defense and known attacks? If you can’t see that, you can’t make an informed decision on how to prioritize security spending.
  • Do you have dedicated staff working the process of intelligence related to your threats and security?
    • Maturing an organization’s intelligence capabilities requires having trained intelligence experts in your corner. Security and IT staff are busy making things work as they should. On the other hand, an intelligence analyst constantly looks at risk through the eyes of threats and threat agents. If you don’t have a dedicated function to analyze intelligence and tie those findings back to the defensive infrastructure, then intelligence will not effectively lower risk.
    • Did your incident response and war room plans – if you even have them – work as planned? The process of intelligence will help identify gaps. It also will help build solutions for more timely, relevant, informed and strategic threat response in the future.


When properly positioned, matured and integrated, cyber threat intelligence enables action upon not only tactical threat response practices, but also strategic governance and priorities. Are you reactively putting out fires, or are you a firefighter?  

Ken Dunham
Senior Director, Technical Cyber Threat Intelligence
Ken Dunham has spent 30 years in cybersecurity, consulting in adversarial counterintelligence, forensics, Darknet Special Ops, phishing and hacking schemes, AI/BI, machine learning and threat identification.