Last week, the SANS Institute published its 2019 Cyber Threat Intelligence (CTI) survey, and boy, did it contain some interesting nuggets! SANS surveyed CTI pros on a range of topics: current adoption of threat intel tools and feeds, how to connect CTI to business value, and common pain points many still face today.
I highly recommend you read the full findings from SANS (link above). But if you’re short on time, here are my three key takeaways, the best practices we can cherry-pick, and how I see the cyber threat intelligence industry evolving in 2019.
#1: CTI Lives And Dies On Its Value To Security
This report makes it crystal clear that threat intelligence delivers value to security teams, security operations, and security strategy. In fact, a whopping 81% of respondents said their CTI efforts had meaningfully improved their security (prevention and detection) AND their incident response.
It’s great to see threat intelligence transition from conceptual and strategic to operational and tactical. There’s still a lot more work to do to keep CTI maturing in our respective organizations. But I expect this trend to gain momentum over the next year and beyond, as CTI further embeds itself into even more cybersecurity use cases. CTI will morph from “nice-to-have” and “bolted-on” to “must-have” and “embedded” within the security technology stack.
#2: Threat Intelligence Leaders Must Drive Cross-Functional Interaction
One stat that shocked me was that only 14% of organizations seek out input from other departments as they set CTI requirements. Making matters worse, only 6% of threat intel teams have active members from other business units within the organization. Insulating threat intelligence programs is a critical error. We need to encourage diverse stakeholder participation from a variety of business and risk owners, both to ensure holistic coverage and response, and even more importantly, to garner broad, companywide support for CTI activities.
Brand security and customer trust must become core CTI objectives. Your organization’s digital footprint is innately connected to your business and your brand. Whether your tailored threat intel detects phishing and typosquatting, account takeovers, social media or mobile app impersonations, or exposed customer credentials – they are all connected to your brand, your people, and your valuable and sensitive data. These attributes and their associated metadata in turn inform your intelligence strategy, enrich context, and reduce noise from false positives.
#3: Operationalized Threat Intelligence Is The Future
Let me cite one of the takeaways from this year’s SANS CTI survey:
“Operationalizing narrative-based intelligence reports…is time-consuming for CTI analysts. A lack of automation for these reports makes them especially time-consuming.”
The mantra we must live by: Insight to action. Keep repeating this, to yourself and your team. When intelligence is actionable, IoCs become outcomes and mitigation becomes automation.
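What “insight to action” looks like in practice, as an added example that is not from the SANS survey or from the post’s author: a small Python script that pulls indicators (domains, IPv4 addresses, SHA-256 hashes) out of a narrative-style report, refangs them, and then checks them against proxy/DNS log lines to produce a list of hosts worth investigating. The report text, the log lines, the RFC 5737 documentation addresses, the example.com/.net domains and the hash (the SHA-256 of an empty string) are all constructed for the demonstration and are not real IoCs.

```python
import re

# Constructed narrative report for the demonstration. Indicators are
# documentation values only (RFC 5737 addresses, example.com/.net domains,
# SHA-256 of the empty string), not real IoCs from any vendor report.
NARRATIVE_REPORT = """
During the campaign the actor staged payloads on hxxp://update-portal[.]example[.]com/dl
and beaconed to 203[.]0[.]113[.]42 over TCP/443. The dropper's SHA-256 was
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. A second
domain, mail-secure[.]example[.]net, was used for credential phishing.
"""

# Constructed proxy/DNS log lines in a simple key=value format.
SAMPLE_LOGS = [
    "ts=2019-02-11T09:12:01Z src=10.0.0.15 dst=93.184.216.34 host=www.example.org",
    "ts=2019-02-11T09:12:07Z src=10.0.0.15 dst=203.0.113.42 host=update-portal.example.com",
    "ts=2019-02-11T09:13:44Z src=10.0.0.22 dst=198.51.100.9 host=mail-secure.example.net",
    "ts=2019-02-11T09:14:02Z src=10.0.0.31 dst=192.0.2.77 host=intranet.example.org",
]

IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Requires an alphabetic TLD, so dotted IP addresses are not picked up as domains.
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo the common defanging conventions analysts use in written reports."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)


def extract_iocs(report: str) -> dict:
    """Turn a narrative report into a machine-usable indicator set."""
    clean = refang(report)
    return {
        "ipv4": set(IPV4.findall(clean)),
        "sha256": {h.lower() for h in SHA256.findall(clean)},
        "domain": {d.lower() for d in DOMAIN.findall(clean)},
    }


def parse_kv(line: str) -> dict:
    """Parse one 'key=value key=value' log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def match_logs(iocs: dict, logs: list) -> list:
    """Return (log index, indicator type, value) for every line that hits an IoC."""
    hits = []
    for idx, line in enumerate(logs):
        fields = parse_kv(line)
        if fields.get("dst") in iocs["ipv4"]:
            hits.append((idx, "ipv4", fields["dst"]))
        if fields.get("host", "").lower() in iocs["domain"]:
            hits.append((idx, "domain", fields["host"].lower()))
    return hits


def affected_sources(hits: list, logs: list) -> set:
    """The actionable output: internal hosts that talked to a known indicator."""
    return {parse_kv(logs[idx])["src"] for idx, _, _ in hits}


if __name__ == "__main__":
    indicators = extract_iocs(NARRATIVE_REPORT)
    matches = match_logs(indicators, SAMPLE_LOGS)
    for idx, kind, value in matches:
        print(f"line {idx}: {kind} indicator {value} -> {SAMPLE_LOGS[idx]}")
    print("hosts to investigate:", sorted(affected_sources(matches, SAMPLE_LOGS)))
```

The regexes are deliberately simple; a production pipeline would hand extraction to a dedicated IoC parser and push the resulting set into a SIEM or blocklist rather than scanning a list in memory, but the shape of the work is the same: structured indicators in, a list of hosts and an action out.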
Moreover, intelligence cannot be generic. As SANS finds, the more specific, the better:
“The more specific intelligence is, the better. Respondents report that intelligence on the general threat landscape is useful, but not as useful as intelligence specific to their industry, their brand and even their executives.”
Despite the clear value that actionable and tailored CTI offers, SOC and threat analysts struggle to consistently curate it. Automation and integration are the key here, which makes sense given that they are among the acute pain points threat teams struggle with today. When asked to rate their satisfaction with the gamut of CTI tool capabilities, respondents put “Automation and integration of CTI information” at the bottom of their lists, ranking it 11th out of 14 capability areas.
Start Small, Add Scenarios Over Time
Perform a CTI gap analysis to evaluate your current CTI maturity. Then identify one or two use cases to roll out first, and ramp up the necessary proficiencies for those. For example, you might choose credential and data leakage detection as an initial CTI initiative. It’s a pervasive problem, one of the most common “goods” you can find on the dark web, and the mitigation procedures are relatively straightforward (compared to others).
There are lots of other good stats and findings from the 2019 SANS CTI Report. No matter your role or your department, I highly recommend reading through the report. I’m confident you’ll find something of value for your team in the year ahead! And please connect and continue the conversation with me on Twitter: @nickhayes10.