Twenty years ago, every CISO would have been happy simply to have a full list of the possible indicators of compromise (IOCs) facing their organization. These lists were fairly short at the time, so each organization’s security experts could memorize them and make sure they had a dedicated control for each possible compromising factor.
But as the years passed, this approach stopped being practical. The world grew increasingly digitized, and IOC lists grew longer and more complicated as threat actors found new and more advanced ways to launch attacks. This forced the cybersecurity community to evolve, and the conversation shifted to tactics, tools, and protocols (TTP).
Nowadays, there are millions of IOCs and hundreds of TTPs on any given organization’s list. We constantly develop new software and hardware to help protect against these attacks. And still, although the market is flooded with solutions, the problem persists. What can we do to compete against those sneaky, aggressive and sophisticated hackers?
A new approach: Using intelligence for cybersecurity operations
When I think about these problems, I am reminded of the rebirth of the state of Israel. My home country has now existed for over 70 years in the middle of what you might describe as a tough neighborhood. Israel has survived wars despite inferior financial resources, manpower and geography.
So, what’s the secret behind our continued military success? Superior intelligence.
As an Israeli Defense Forces (IDF) officer for over a decade, I saw first-hand how superior intelligence enabled faster, more effective operations. I’ll offer two relatively well-known examples: The “Iron Dome” technology and the military reserve units.
Israel developed the Iron Dome launcher to intercept missiles in the air. I won’t get into the technology, but I want to point out that the IDF does not have enough Iron Dome launchers to guard all its borders. Israeli decision makers must prioritize the placement of these launchers by finding advantages in the intelligence gathered, allowing the IDF to stay one step ahead of potential attackers and protect its borders.
The other example is Israel’s primary solution to solve its manpower issues: Reserve units. Since the country has a small population, the IDF recruits reserve soldiers to strategically bolster its strength to ensure enough troops are in the right places in the event of an attack. Historically, Israel has been prepared for most wars because of its good intelligence and well-placed military units.
However, history buffs will likely remember that the country almost perished in 1973 because it had poor intelligence at its disposal. This undoubtedly contributed to the IDF prioritizing superior intelligence. Israel is small and has limited military manpower, but it overcomes its daunting challenges by outsmarting its enemies.
How does all this military talk relate back to cybersecurity? When I think about the problems facing the average CISO, I think about how the IDF lacks experienced soldiers, is financially strained, and, above all, is forced to prioritize its resources carefully and tactfully to thwart attacks. Security leaders are familiar with these same challenges – they know attacks can come from anywhere at any time, and they often lack the “soldiers” they need to defend themselves properly. How can CISOs maintain strong defensive operations against these complex threats?
The answer: Pairing intelligence and cybersecurity. I spoke about this convergence at Cybertech Tel Aviv earlier this year. When I talk about intelligence, I have two primary components in mind: Asking questions and answering them. The first part may seem like a no-brainer, but it’s more complex than it may seem.
Don’t just ask questions about cyber intelligence – ask good questions
A good intelligence question is not obvious. It must be specific and measurable, relevant to an actual threat, time-sensitive, and posed in a way that can be answered. Good intelligence questions are the result of a strong preparation process that involves a deep understanding of the current situation’s threats and opportunities. For example, a CISO in the aviation space might ask, “what are the current cyber threats in the aviation sector?” This is a bad question; it’s too vague and generic, it’s not measurable in any way, and it’s not time-sensitive.
Aviation is a massive industry with countless potential threats. Is the CISO interested in airport threats? Airplane security? The economic impacts of aviation cyberterrorism? The CISO could demand a full report about all these matters, but by the time it’s researched, written and published it may no longer be relevant – or it could be too late to protect the organization.
Instead, I suggest the CISO start working with intelligence experts to better understand the threats. A good process should always include defining the core need and creating the relevant frame: Are we looking to unlock a secret, or solve a mystery? What is the potential outcome of each possible answer? What is the desired scope? What is the expertise level of the CISO’s team?
After that, we need to define a good question that would help this CISO prioritize tasks. Using the aviation example, a better question could be, “How many new cyber threats and TTPs emerged in the last six months threatening airports in my region?” This question is specific, it’s measurable, and it addresses a defined time period. Now we can go about answering it effectively and thinking about solutions to any potential problems we identify.
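To show what “specific, measurable, time-bound” buys you once the question reaches the analysts, here is an added example (my own illustration, not IntSights code or data) that answers the airport question over a handful of constructed threat-intel records. The record layout, the TTP ids, the sector and region tags, and the 182-day approximation of “six months” are all assumptions. The point it makes is that the measurable question forces a precise definition of “new”: a TTP counts only if it was first observed inside the window, so re-reported old techniques and duplicate reports do not inflate the answer, which a naive “reports published in the last six months” count would.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ThreatReport:
    """One simplified threat-intel record (constructed schema, not a real feed)."""
    report_id: str
    published: date          # when the report was released
    ttp_id: str              # identifier of the tactic/technique it describes (constructed)
    first_seen: date         # earliest date the TTP was observed in the wild
    sectors: frozenset       # industry sectors the report is tagged with
    regions: frozenset       # geographic regions the report is tagged with


# Constructed sample records: ids, dates and tags are illustrative only.
REPORTS = [
    ThreatReport("R-001", date(2019, 5, 1), "TTP-OLD", date(2015, 3, 1),
                 frozenset({"aviation"}), frozenset({"EMEA"})),   # old TTP, re-reported recently
    ThreatReport("R-002", date(2019, 3, 5), "TTP-A", date(2019, 3, 1),
                 frozenset({"aviation"}), frozenset({"EMEA"})),   # genuinely new
    ThreatReport("R-003", date(2019, 5, 10), "TTP-A", date(2019, 3, 1),
                 frozenset({"aviation"}), frozenset({"EMEA"})),   # duplicate of R-002's TTP
    ThreatReport("R-004", date(2019, 4, 12), "TTP-B", date(2019, 4, 10),
                 frozenset({"aviation"}), frozenset({"APAC"})),   # new, but wrong region
    ThreatReport("R-005", date(2019, 2, 15), "TTP-C", date(2019, 2, 1),
                 frozenset({"finance"}), frozenset({"EMEA"})),    # new, but wrong sector
    ThreatReport("R-006", date(2019, 5, 25), "TTP-D", date(2019, 5, 20),
                 frozenset({"aviation", "finance"}), frozenset({"EMEA", "APAC"})),  # new
    ThreatReport("R-007", date(2018, 11, 20), "TTP-E", date(2018, 11, 15),
                 frozenset({"aviation"}), frozenset({"EMEA"})),   # first seen before the window
]

AS_OF = date(2019, 6, 1)   # the date the question is being asked (constructed)


def new_ttps(reports, sector, region, as_of, window_days=182):
    """TTP ids tagged with `sector` and `region` whose earliest first_seen
    across ALL reports falls inside the window ending at `as_of`.

    'New' is judged by first observation, not by publication date, so an old
    TTP that gets written up again is excluded, and a TTP covered by several
    reports is counted once.  window_days=182 approximates six months (assumption).
    """
    window_start = as_of - timedelta(days=window_days)
    earliest = {}       # ttp_id -> earliest first_seen over every report
    tagged = set()      # ttp_ids that some report ties to this sector and region
    for r in reports:
        earliest[r.ttp_id] = min(earliest.get(r.ttp_id, r.first_seen), r.first_seen)
        if sector in r.sectors and region in r.regions:
            tagged.add(r.ttp_id)
    return {t for t in tagged if window_start <= earliest[t] <= as_of}


def reports_published_in_window(reports, sector, region, as_of, window_days=182):
    """The naive metric: how many matching reports were *published* in the window.
    Shown for contrast; it double-counts TTPs and counts re-reported old ones."""
    window_start = as_of - timedelta(days=window_days)
    return sum(1 for r in reports
               if sector in r.sectors and region in r.regions
               and window_start <= r.published <= as_of)


def answer(reports=REPORTS, sector="aviation", region="EMEA", as_of=AS_OF):
    """Answer the CISO's question as a number plus the evidence behind it."""
    found = new_ttps(reports, sector, region, as_of)
    return len(found), sorted(found)


if __name__ == "__main__":
    count, ids = answer()
    print(f"New TTPs for {'aviation'}/{'EMEA'} as of {AS_OF}: {count} -> {ids}")
    print("Naive 'reports published' count:",
          reports_published_in_window(REPORTS, "aviation", "EMEA", AS_OF))
```

On the constructed data the precise answer is two new TTPs, while the naive publication count for the same sector and region is four: the re-reported old technique and the duplicate report both slip into the naive figure. In practice the `first_seen` field would come from the intelligence source's own sighting data, which is exactly why the article's point about source quality matters: the query is only as good as the dates behind it.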
Finding intelligent answers to good intelligence questions
Answering intelligence questions intelligently can be even more challenging than determining which question(s) to ask. I believe the most important part is much like the key to asking the question: the process. What signatures in the data will reveal the answer? How do we ensure we do not miss any transactions? How can we use the metadata to get closer to the answer without sacrificing resources?
Every intelligence expert knows a good answer always begins with good sources. Imagine my goal is to mine gold and I had these two options:
- Option A: A rich gold mine with disabled miners
- Option B: A dry gold mine with commando soldiers
I would always take Option A. Intelligence is only as good as its sources, and a good CISO should focus resources there. It’s not only about the development of the sources; it’s also about continual monitoring in today’s dynamic environment.
I talk with CISOs and security experts every day. I admire their knowledge of defense and security strategy, but it is clear to me that they should lean more on intelligence experts to be more prepared and efficient.
At IntSights, security and intelligence experts work together, combining our experience and methodologies in both fields to create the best product in the industry. We tailor questions to each problem while continuously collecting and monitoring sources for ongoing, timely intelligence. I truly believe our scalable solution can make a significant improvement in every organization’s need to identify new threats, allocate their resources and effectively defend themselves from increasingly complex cyberattacks.
See for yourself how IntSights integrates intelligence with security by scheduling a free demo with our team.