Operationalizing a Cyber Threat Intelligence Solution
Cyber threat intelligence is a process required to make action-oriented, judgement-based decisions that are not otherwise possible. Optiv recommends considering four essential attributes of threat agents mapped back to a security posture, as well as six essential courses of action, known as threat modeling, in order to properly produce, consume and act upon cyber threat intelligence.
Operationalizing a cyber threat intelligence solution begins with aligning to a risk management strategy. A cyber threat intelligence solution is focused upon identifying high value assets (crown jewels) and the mitigation controls that are in place to detect or prevent attacks. The outcome of this process is enhanced situational awareness mapped back to risk management for an organization. This results in identification of threats to high-value assets, gaps in controls that need to be mitigated and aligned with assigned risk, and the ability to influence policy decisions both within the security organization and aligned to the strategic goals of the business.
To begin, security organizations need to ask these three questions:
This starting point is known as threat modeling. It is a great way to understand how you can begin security alignment with the business, and should be driven by cyber threat intelligence. Security professionals need to engage with their business stakeholders to understand their most valuable assets from their perspective. For some, these are digital assets, such as sensitive employee data, client lists or intellectual property; for others, these are physical, such as particular office sites in high-risk areas, key executives within the organization or assets that don’t reside full time on corporate property.
Once data is collected, cyber threat intelligence is engaged to determine threat actors or agents that may potentially target sensitive assets and how they would do so. It is necessary for intelligence analysts to keep a repository of relevant threat agents and groups, and the common courses of action they take to meet their goals.
A threat agent is a group of attackers or an individual actor that has the means and opportunity to conduct an attack. It is important to note that threat actors exist regardless of intent. An untrained employee who has access to a critical asset has the same means and opportunity as an internal spy. If there is malicious intent, it is important to understand the threat agent’s means, so that a threat modeler can infer the inherent capabilities of the attacker based on historical analysis of kill chain models or the courses of action an attacker may take.
The first step of this process is to categorize and define the types of threat agents that would pose a risk to the organization. Intel Security created a foundational Threat Agent Library that describes 22 types of threat agents and their motivation, such as financial gain, intellectual property theft or business disruption. Once the motivation of the potential threat agent is estimated, you can map out potential courses of action that threat agents take to meet objectives.
Additional analysis of threat agents is then performed to establish considerations that allow for the development of potential courses of action. There are four main attributes the analyst must contemplate:
A threat modeler requires access to intelligence information regarding the above factors. If such intelligence is not available, it is necessary to develop intelligence requirements for the collection and analysis to enable this stage of threat modeling.
Threat agent courses of action can be described as attack patterns or kill chains. Based on historical patterns and agent means and intent, a threat modeler can develop templates for anticipated courses of action that may be taken to meet an attacker’s objective.
For example, a web application developed for a healthcare provider is targeted by a threat agent to obtain sensitive data. We can use the following attack pattern to develop the threat agent’s course of action if their intent is to sell stolen protected health information (PHI). In this case, we will identify the threat agent as a “data miner”:
Figure 1: Web Application Attack Course of Action
A threat modeler repeats this process until all potential courses of action are identified. This will provide a full picture of the threat landscape for the asset and/or maximum gain towards their objectives.
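Course-of-action templates and the controls mapped against them can be kept as data, so that gaps in controls for a high-value asset are found mechanically each time a template is added. The following is an added example, not Optiv's code and not the content of Figure 1; the stage names, control names and asset name are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed stage names for illustration; they are not the contents of Figure 1.
STAGES = ["recon", "development", "delivery", "exploitation", "exfiltration"]

@dataclass
class CourseOfAction:
    agent: str    # threat agent type, e.g. "data miner"
    asset: str    # high-value asset the agent is expected to target
    stages: list  # ordered stages of the anticipated course of action

@dataclass
class Control:
    name: str
    asset: str
    stage: str
    mode: str     # "detect" or "prevent"

def gap_report(coas, controls):
    """For each course of action, list stages with no control at all and
    stages that are detect-only, in the order the agent would reach them."""
    report = []
    for coa in coas:
        uncovered, detect_only = [], []
        for stage in coa.stages:
            modes = {c.mode for c in controls
                     if c.asset == coa.asset and c.stage == stage}
            if not modes:
                uncovered.append(stage)
            elif "prevent" not in modes:
                detect_only.append(stage)
        report.append({"agent": coa.agent, "asset": coa.asset,
                       "uncovered": uncovered, "detect_only": detect_only,
                       "first_gap": uncovered[0] if uncovered else None})
    # Paths with the most uncovered stages are listed first for review.
    return sorted(report, key=lambda r: len(r["uncovered"]), reverse=True)

# Constructed sample data: one asset, two threat agents, three controls.
ASSET = "patient web portal (PHI)"
COAS = [CourseOfAction("internal spy", ASSET, ["recon", "exfiltration"]),
        CourseOfAction("data miner", ASSET, STAGES)]
CONTROLS = [Control("web log alerting", ASSET, "recon", "detect"),
            Control("web application firewall", ASSET, "exploitation", "prevent"),
            Control("egress monitoring", ASSET, "exfiltration", "detect")]

if __name__ == "__main__":
    for row in gap_report(COAS, CONTROLS):
        print(row)
```

Each reported gap is a candidate intelligence requirement or control investment to raise with the risk owner for that asset.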
Organizations that utilize a cyber threat intelligence model must rely heavily on analyzing and consuming cyber threat intelligence information with a dedicated decision maker influencing risk management. It is imperative that organizations begin this process by identifying recon and development stages mapped against risk management for their crown jewels. This helps ensure proactive protection, and results in the appropriate steps to minimize damage should an incident occur.