The Need for Augmented Intelligence

Cyber threat intelligence can be a lot harder than you think. As a regular speaker at various conferences, I’m constantly asked the question about how to get started in the world of cyber threat intelligence. The answer lies in assessing your own maturity and readiness before you consider cyber threat intelligence.

What is the current maturity of your IT and security programs?

There is no international adopted standard for maturity, so it can be hard to gauge. In my mind I see ad-hoc, managed and optimized maturity levels of an organization. I also see that within various compartments, such as IT (making stuff work), security (is it working the way it should?), auditing (GRC), etc. Before taking on your own cyber threat intelligence program, augmented or internal, at the very least you need: managed levels of maturity across the organization, an enterprise risk management strategy, leadership support, and staff to properly ingest and integrate cyber threat intelligence. 

What are your specific goals and outcomes of a cyber threat intelligence program?

Do you need to see if you have a DLP or insider risk issue? Do you want to bolster and integrate cyber threat intelligence across the board wherever it makes sense to do so? Are you trying to improve your own internal incident response? Is your goal to meet regulatory and compliance-based standards? Cyber threat intelligence should ideally be built on top of an already mature security organization which means you must already have some DLP, operations, IR and GRC components managed and ready to be matured through the addition of cyber threat intelligence (as anecdotal examples of this challenge). Look at who is responsible for what, the training required, policies and procedures, and technology.

What is your roadmap for cyber threat intelligence maturation over time?

Too often an organization is reasonably mature and decides to attempt cyber threat intelligence. However, they do this with just one specific immediate action in mind, such as global aggregation of indicators of compromise (IOCs) and enrichment of threat data with a small team of IT or security folks to manage this new information. A roadmap involves looking at stopping the bleeding (if any exists), and immediate and long-term milestones for success. Think big, but make it real, like mapping out each primary process related to your cyber threat intelligence integration and how you’ll achieve it. For example, your incident response function: how can you use cyber threat intelligence to improve policies, procedures, effectiveness, and actions taken before, during and after an incident? Instead of simply going after IOCs and enrichment, you should create milestones. These include proactively incorporating a strategic response plan, using forensics to understand threats and TTPs, and researching actors or campaigns that pose the highest risk to your organization.

You can’t do it all.

You only know what you know. If you try to do all the work yourself and don’t have any augmented intelligence feeds, staff or support, you won’t be nearly as effective as those who leverage such opportunities. For example, a simple MD5 cryptographic hash checksum value query on a file in question for IR. If you perform that on your own you may only discover 25 percent of what is known about that file in that context. If you have augmented services through various sandboxes, AV or other services, you may learn more. If you work with a cyber threat intelligence provider that specializes in that type of research and response, you’ll certainly have more information and potential cyber threat intelligence-based actions than if you simply do the work on your own. It takes an experienced cyber threat intelligence expert to help guide your organization on your exact needs for desired outcomes to ensure you have the right approach and solutions in place as you look to mature your cyber threat intelligence capabilities.

How will you hire experienced cyber threat intelligence staff when few exist?

The real kick with any cyber threat intelligence program today is the lack of experienced and available cyber threat intelligence experts in the field. There is a massive shortage of security experts, even more so within the cyber threat intelligence field itself. That gap will become exponentially larger as companies seek to create emergent cyber threat intelligence programs, looking to hire any talent available, affordable and willing to move to where the business is located. Companies must prioritize resources to pay for such valued and limited staffing opportunities and offer other benefits such as flexible work from home options with minimal travel. Even then there are far too few experienced experts in the industry which will force the majority of companies to acquire consultants or augmented intelligence.

Before you move to automation it is key that you identify and mature current augmented intelligence operations, policies and procedures. Only then are you ready to begin automation where the largest return on investment lies for your specific operational needs. Long term, it is wise to seek advisory consultation internally and externally as you start to automate to ensure you are building upon the right foundation. After developing requirements, build and test in a mirrored fashion to ensure automation works with integrity before fully embracing new intelligence solutions. Following these types of best practices can dramatically improve your efficiency and effectiveness as you mature your intelligence program.