Cyber threat intelligence gives an organization an understanding of the "bad guys" it is protecting its assets against. The Center for Internet Security defines it as "what cyber threat information becomes once it has been collected, evaluated in the context of its source and reliability, and analyzed through rigorous and structured tradecraft techniques by those with substantive expertise and access to all-source information" (Center for Internet Security, n.d.). Just as an organization relies on business and competitive intelligence to run and succeed, it uses cyber threat intelligence to make sure that success continues and is not undermined by outside parties. Organizations need to identify the intelligence that matters to them, enrich it with other information and intelligence from their own environment, and apply it in a way that is effective yet unobtrusive to daily operations. Below, I describe a cyber threat intelligence plan I created based on knowledge from previous roles, abstract the key concepts of that plan, and explain why they are essential to the success of an organization.
A cyber threat intelligence plan (CTIP) provides an organization with the information it needs to protect itself from current and future cyber threats directed at it. Cyber threat intelligence helps security teams tune their enforcement points and confirm that visibility exists in the key areas needed to protect assets from threat actors. Below I break down and discuss the sections of the CTIP I created for my final project.
In building an effective CTIP, you need an understanding of the threat landscape you are protecting your organization against. This includes cyber, business, and competitive threats. In the case of a K12 school district, I looked at threats that would affect the daily operations of student learning, the privacy of student and staff data, and the ability of the school district to grow its enrollment year over year.
A good CTIP provides data that is relevant to the business and comes from trusted sources. For K12 school districts, one of those trusted sources is the K12 Security Information Exchange (https://www.k12six.org). Its State of K12 Cybersecurity: 2020 Year in Review (https://k12cybersecure.com/wp-content/uploads/2021/03/StateofK12Cybersecurity-2020.pdf) breaks down the key categories of attacks against K12 districts. With the start of the pandemic in 2020, many attacks against K12 school districts sought to take advantage of weak security postures and leak data, or to interrupt student learning. Figure 1 below shows the cyber incident types reported.
Figure 1
K-12 Cyber Incident Types 2020 - from https://k12cybersecure.com/wp-content/uploads/2021/03/StateofK12Cybersecurity-2020.pdf
Understanding these threat vectors has allowed K12 school districts to prioritize security controls that counter attacks such as denial of service (DoS). Before the pandemic, when classes were primarily held onsite, reliance on locally hosted curriculum delivery provided natural resilience against DoS attacks. Once the pandemic drove learning remote, DoS attacks became far more effective at preventing access to curriculum hosted in a central location. Cyber professionals in K12 responded by shifting curriculum onto content delivery networks and other cloud-based platforms, which provide built-in resilience against these kinds of attacks. That resilience only holds if the origin servers are not also reachable directly, so moving behind a CDN needs to be paired with restricting origin access to the CDN's address ranges.
Many may think that understanding competitive threats in K12 is odd, and may not know what a competitor looks like from a K12 perspective. A cyber professional is also a business professional, understanding the ins and outs of the business, what makes it run, and most importantly what makes it successful. For K12 districts, the biggest competitors are other districts and online learning options. Since school districts get the majority of their funding from student enrollment, any impact on that enrollment has a financial impact on the district. Creating a secure learning environment that builds trust is important for a cyber professional, but it is just as important to understand what other districts are doing to deliver curriculum successfully and drive higher graduation rates for their students.
Once we understand the threats to the business, the next step is to identify the key providers of intelligence within the organization and how that intelligence is used. This can take many forms. Business and competitive intelligence is usually driven internally, with key stakeholders taking ownership of the intelligence they provide back to the business. That information is itself one of the assets you want to protect from a cyber perspective.
When it comes to cyber threat intelligence, many organizations rely on non-profit and government-sponsored entities to keep up with the ever-growing threat landscape. An organization trying to build a threat intelligence database entirely on its own is likely to fail, because its lack of visibility into the global landscape leaves it at risk. Consider this: in the span of three months, the Palo Alto Networks DNS Security subscription protected against 1.7 billion malicious domains, 150 million domains produced by domain generation algorithms (DGAs), and 38 million DNS tunnels (source: https://www.paloaltonetworks.com/network-security/dns-security). That information combines telemetry from their own products with intelligence shared through membership in the Cyber Threat Alliance (https://www.cyberthreatalliance.org/) and a key partnership with the MS-ISAC (https://www.cisecurity.org/ms-isac). Any single organization would struggle to gather that amount of information by itself.
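As an added illustration (not code from this page, and not Palo Alto Networks' product logic, which is not described here), the following Python applies the three kinds of DNS-layer intelligence named above to a batch of query logs: a partner-supplied malicious-domain feed, a DGA heuristic, and a DNS-tunnelling heuristic. The feed entries, the log lines, the thresholds and the two-label registered_domain() shortcut are all assumptions constructed for the example.

```python
"""Apply threat intelligence to DNS query logs (added example, not the page's own code).

Three checks a DNS-layer control applies, written out by hand here:
  1. match of the registered domain against a curated malicious-domain feed,
  2. a DGA heuristic on the second-level label (length, entropy, vowel ratio),
  3. a DNS-tunnelling heuristic (many distinct, oversized subdomain labels
     sent to one registered domain).
Feed contents, log lines and thresholds are constructed for this example.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample feed: registered domains a partner such as an ISAC might publish.
MALICIOUS_DOMAINS = {"bad-login-portal.example", "update-svc.invalid"}

# Constructed sample DNS log, one query per line: "timestamp client qtype qname".
SAMPLE_LOG = """\
2022-04-02T08:00:01 10.1.2.3 A www.district.example.
2022-04-02T08:00:02 10.1.2.3 A sis.district.example
2022-04-02T08:00:03 10.1.2.3 A mail.bad-login-portal.example
2022-04-02T08:00:04 10.1.2.9 A xk3jd8wq1zbv7ty.example
2022-04-02T08:00:05 10.1.2.9 A q9f0a2lm4ep6h1s.example
2022-04-02T08:00:06 10.1.2.7 TXT _dmarc.district.example
2022-04-02T08:00:07 10.1.2.7 TXT 4d5a90000300000004000000ffff0000b8000000.exfil.invalid
2022-04-02T08:00:08 10.1.2.7 TXT 0000000040000000000000000000000000000000.exfil.invalid
2022-04-02T08:00:09 10.1.2.7 TXT 0e1fba0e00b409cd21b8014ccd21546869732070.exfil.invalid
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse the constructed log format; qnames are lower-cased and the trailing dot dropped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                            "qname": qname.lower().rstrip(".")})
    return records


def registered_domain(qname):
    """Last two labels. Assumption for the example: real code should use the public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


# Thresholds are assumptions chosen for this example, not a vendor's tuned values.
DGA_MIN_LEN, DGA_MIN_ENTROPY, DGA_MAX_VOWEL_RATIO = 10, 3.3, 0.3
TUNNEL_MAX_LABEL, TUNNEL_MIN_UNIQUE_SUBDOMAINS = 30, 3


def looks_like_dga(qname):
    """Flag a registered domain whose second-level label is long, high-entropy and vowel-poor."""
    label = registered_domain(qname).split(".")[0]
    if len(label) < DGA_MIN_LEN:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= DGA_MIN_ENTROPY and vowel_ratio <= DGA_MAX_VOWEL_RATIO


def tunnel_candidates(records):
    """Registered domains that receive many distinct subdomains, at least one with an oversized label."""
    subdomains = defaultdict(set)
    oversized = set()
    for r in records:
        rd = registered_domain(r["qname"])
        sub = r["qname"][: -len(rd)].rstrip(".")
        if not sub:
            continue
        subdomains[rd].add(sub)
        if max(len(label) for label in sub.split(".")) > TUNNEL_MAX_LABEL:
            oversized.add(rd)
    return {rd for rd in oversized if len(subdomains[rd]) >= TUNNEL_MIN_UNIQUE_SUBDOMAINS}


def analyze(log_text, feed=MALICIOUS_DOMAINS):
    """Return one finding per suspicious qname, listing every check that fired."""
    records = parse_log(log_text)
    tunnels = tunnel_candidates(records)
    findings, seen = [], set()
    for r in records:
        rd = registered_domain(r["qname"])
        reasons = []
        if rd in feed:
            reasons.append("feed-match")
        if looks_like_dga(r["qname"]):
            reasons.append("dga-heuristic")
        if rd in tunnels:
            reasons.append("tunnel-heuristic")
        if reasons and r["qname"] not in seen:
            seen.add(r["qname"])
            findings.append({"client": r["client"], "qname": r["qname"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["client"], f["qname"], ",".join(f["reasons"]))
```

Running it prints one line per flagged query: the feed catches the lookalike login portal, the DGA heuristic catches the two random-looking registered domains, and the tunnelling heuristic fires on exfil.invalid but not on district.example, which also receives three distinct subdomains (including a TXT query) but none oversized. The feed match is the cheap, high-confidence part that a partner provides; the two heuristics are where tuning against your own district's traffic matters, and that local telemetry is something no partner can see for you.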
Partnerships are the key force multiplier for implementing cyber threat intelligence successfully in an organization. As cyber security professionals, we need to identify the partnerships that benefit us most and provide the highest-fidelity data relevant to our organizations. Many Information Sharing and Analysis Centers (ISACs) and other organizations exist to support this information and intelligence sharing. The CTIP should call out the threat intelligence created by the organization as well as by partners, and how each is applied today.
Finally, a CTIP should give clear guidance on where enhancements are needed to keep cyber threat intelligence current. Identifying areas of success as well as areas that need improvement allows an organization to mature its cyber threat intelligence posture over time. In my report, I was able to call out the successful use of cyber threat intelligence within the security controls that already existed; much of that intelligence was updated and applied in those controls automatically. However, as advanced persistent threats grow more sophisticated and attack network, endpoint, and cloud assets together, each of those domains was consuming intelligence independently, with no knowledge of how effective an indicator had been in the other domains. One improvement I called out for my organization was to build more automation around threat intel usage between domains, so that an indicator being hit in one domain is enforced strongly in the others. This helps protect against cross-domain attack paths as an intrusion progresses.
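One way to implement the cross-domain automation described above, as an added example that is not from the original report: given sightings raised by one enforcement domain, compute which other domains still lack the indicator and how long it should stay enforced. The COVERAGE map (which domains can act on which indicator type), the detection records and the seven-day TTL are assumptions for the example.

```python
"""Cross-domain indicator propagation (added example, not the report's own code).

Detections from one domain (network, endpoint, cloud) are normalised so the
same indicator reported in different forms deduplicates, stale sightings are
dropped, and an enforcement action is emitted for every domain that can act
on the indicator type but has not seen it yet.
COVERAGE, the sample detections and the TTL are assumptions for this example.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumption for the example: which enforcement domains can act on each indicator type.
COVERAGE = {
    "domain": {"network", "endpoint", "cloud"},
    "ipv4": {"network", "cloud"},
    "sha256": {"endpoint", "cloud"},
}

# Constructed sightings: the same indicator reported in different forms by different domains,
# plus an old file hash that should have aged out.
SAMPLE_DETECTIONS = [
    {"ts": "2022-04-02T08:00:00+00:00", "domain": "network", "type": "domain",
     "value": "hxxp://bad-login-portal[.]example/login"},
    {"ts": "2022-04-02T08:05:00+00:00", "domain": "endpoint", "type": "domain",
     "value": "BAD-LOGIN-PORTAL.example."},
    {"ts": "2022-04-02T09:00:00+00:00", "domain": "network", "type": "ipv4",
     "value": "203.0.113.10"},
    {"ts": "2022-03-01T00:00:00+00:00", "domain": "endpoint", "type": "sha256",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
]

EXAMPLE_NOW = datetime(2022, 4, 2, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example

DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]")
SCHEME_RE = re.compile(r"^(hxxps?|https?)://")


def normalize(itype, value):
    """Canonical form so the same indicator from two domains deduplicates."""
    v = DEFANG_RE.sub(".", value.strip().lower())
    if itype == "domain":
        v = SCHEME_RE.sub("", v).split("/")[0].rstrip(".")
    return v


def propagate(detections, now=EXAMPLE_NOW, ttl_days=7):
    """Return enforcement actions for domains that have not yet seen a live indicator."""
    ttl = timedelta(days=ttl_days)
    state = {}  # (type, value) -> {"seen_in": set of domains, "last_seen": datetime}
    for d in detections:
        ts = datetime.fromisoformat(d["ts"])
        if now - ts > ttl:
            continue  # stale sighting: do not keep re-pushing an expired indicator
        key = (d["type"], normalize(d["type"], d["value"]))
        entry = state.setdefault(key, {"seen_in": set(), "last_seen": ts})
        entry["seen_in"].add(d["domain"])
        entry["last_seen"] = max(entry["last_seen"], ts)
    actions = []
    for (itype, value), entry in sorted(state.items()):
        for target in sorted(COVERAGE.get(itype, set()) - entry["seen_in"]):
            actions.append({"target": target, "type": itype, "value": value,
                            "expires": (entry["last_seen"] + ttl).isoformat()})
    return actions


if __name__ == "__main__":
    for action in propagate(SAMPLE_DETECTIONS):
        print(action)
```

With the sample data the lookalike domain, seen by both network and endpoint in different defanged and cased forms, is pushed only to the cloud domain, the IP seen by network goes to cloud as well, and the month-old hash produces nothing until the TTL is raised. The normalization step is the part that matters in practice: without it the two reports of the same domain would be treated as different indicators and both re-pushed everywhere, and without the TTL an indicator would keep being enforced long after its last sighting.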
It is also important to understand the impact of cyber threat intelligence on the business and what the cost is with and without it. In my paper, I built out an example of the current cost to respond to high- and critical-severity threats. Many were detected and blocked automatically; however, triage and enrichment of the alerts still consumed analyst hours. As a professional within the business, it is important to know whether spending analyst time is more effective than buying and automating a solution. Table 1 shows an example of this cost breakdown.
Table 1
Current Cost of High/Critical Detected Alerts - Example
Using this information, a cyber security professional can consider whether there are technologies or automations that could be implemented in the environment to address these alerts more effectively. The CTIP wraps up with recommendations on next steps, identifies areas for continuous improvement, and calls out further areas where cyber threat intelligence can be applied in the organization to better protect its assets.
This course was one of my favorites, as it helped formalize on-the-job knowledge that I have been using for many years. For most of my professional life, I have been implementing cyber threat intelligence to protect assets for the organizations I have worked for. More often than not, it was done without any official plan or guidance other than "this is what others are doing." Having a new understanding of structured methods for identifying and addressing adversaries, building out competitive intelligence, understanding how competitors affect my business, and, most importantly, having a cyber threat intelligence plan to apply to an organization helps me understand how I need to grow professionally. For a cyber security professional, having an effective cyber threat intelligence plan that can be implemented in your environment is one of the strongest ways to protect yourself from modern-day threats.
Ethically, it's important to understand that no one can truly protect themselves from the modern threat landscape by themselves. As cyber security professionals, we have the responsibility to ensure that we are providing our organization with the best security posture possible, including protection against today's modern threats. Doing this without the partnerships of various agencies and technologies will result in a security posture that is bound to lag behind.
I chose to focus on the cyber threat intelligence plan for this eportfolio page because it is one of the most impactful formalizations of my previous knowledge that I took from this course. As described above, understanding how to use cyber threat intelligence effectively can have a huge impact on an organization's cyber security posture. Tying business and competitive intelligence into cyber threat intelligence also helps me better understand the assets I am trying to protect and enrich the threat intelligence data so that I apply it effectively in my organization.
Center for Internet Security. (n.d.). CIS Critical Security Controls Navigator. Retrieved April 2, 2022, from https://www.cisecurity.org/controls/cis-controls-navigator/
Center for Internet Security. (n.d.). MS-ISAC. Retrieved April 2, 2022, from https://www.cisecurity.org/ms-isac/
Forrester Consulting. (2021, February 3). Maximize Your Security ROI: 2021 Forrester Consulting TEI Study. Palo Alto Networks. Retrieved April 2, 2022, from https://www.paloaltonetworks.com/blog/network-security/maximize-your-security-roi-forrester-tei/
Levin, D. A. (2021, March 10). The State of K-12 Cybersecurity: 2020 Year in Review. The K-12 Cybersecurity Resource Center. Retrieved April 2, 2022, from https://k12cybersecure.com/wp-content/uploads/2021/03/StateofK12Cybersecurity-2020.pdf
Palo Alto Networks. (n.d.). DNS Security. Retrieved April 2, 2022, from https://www.paloaltonetworks.com/network-security/dns-security