Congratulations! You’ve decided to operationalize your threat intelligence. We love to hear that! But, what does that mean? How do you do it, and where do you start? There is a lot of intelligence out there from what seems like endless sources; so, how do you begin to figure out what to use and how to use it? At Dragos, we understand that operationalizing cyber threat intelligence (CTI) can sound both daunting and nebulous on its own and it gets even more confusing when you have to consider the impacts to operational technology (OT) and industrial control systems (ICS).
As industrial organizations move further along the maturity curve in the development of cybersecurity programs, CTI is becoming an essential capability. When wielded with care, OT threat intelligence can be an important component of a strong OT cybersecurity program, enabling tangible improvements to effectiveness and resiliency and it will help keep operations secure.
In the past decade, the threat landscape has shifted drastically. Civilian infrastructure has been placed in the crosshairs by adversaries and deemed a viable target to both criminal operations and state actors. As a result, it falls on ICS defenders to take action to ensure the protection of employees and customers. One of the best ways to do that is by understanding the industry’s threat landscape:
- Who are the adversaries that target it, and what do they use?
- Where are they focusing offensive operations, and when do they do it historically?
- How do they do it from a behavioral analysis perspective?
These are all the questions that threat intelligence can help answer. By assessing and analyzing the answers to these questions, security teams can develop intelligence that guides better strategic and tactical decisions at all levels of an organization to secure crown jewels and protect human life. Below is a walk-through of some of the building blocks of threat intelligence – understanding these key components will help on the journey to operationalizing threat intelligence.
Data Sources
In its most basic form, CTI is data. This data, when properly refined, becomes usable information that affords an organization guidance on decision-making in security operations. Having a handle on data sources of most value to an organization enables repeatable processing and analysis to ensure timely, relevant employment of intelligence. CTI considers four primary data sources:
- First party data sources are the most prevalent to any security team. This is information on the organization’s networks, logs, policies and risk assessments, incident data, etc. This data IS intelligence in that it can be enriched with other sources to turn the data into actionable information.
- Second party data comes from “friends.” This can be intelligence from different organizations in the same vertical, industry trust groups, Information Sharing and Analysis Centers, trade organizations, etc. All sources that most closely align to the organization’s specific intelligence requirements and share similar threats fit in with second party sources.
- Third party data originates from the organization’s trusted circle. This is where vendor offerings like Dragos WorldView most likely fit in. Third party data can also consist of certain open-source reporting and government reporting like the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) or U.S. Computer Emergency Readiness Team (US-CERT).
- Finally, there is fourth party data – commonly referred to as “closed source,” which may originate on dark web resources. This data is valuable in that it can enable exercises like battle damage assessments to further contextualize a threat.
Components of Good Threat Intelligence
A simple acronym, CART best describes good threat intelligence. CART stands for: complete, accurate, relevant, and timely. By understanding the basic principles of CART, organizations can easily discern what intelligence needs to be shared and what can be ignored. Not all threat intelligence is equal – it is imperative that organizations understand how to distinguish between “good” and “bad” intelligence. Bad threat intelligence is dangerous; it leads to hype and wasted resources by operations teams. It is better to have good threat intelligence that is occasionally wrong than perfect intel that is always right, however. If you are getting perfectly correct threat intelligence all of the time from your sources, that means that they are just re-iterating publicly available information and conventional wisdom and not working hard enough to go beyond that.
CART Explained
- Complete – Intelligence should be sufficiently complete to guide the organization’s decision-making.
- Accurate – The faulty intelligence leads to bad decisions. It should originate from a trusted source and be vetted by the receiving organization.
- Relevant – the threat needs to matter to the organization; campaigns targeting video game developers likely do not matter much to critical infrastructure entities.
- Timely – Intelligence should be timely enough for the decision to have made an impact when actioned.
CART applies to producers of intelligence to consumers, like the Dragos Intelligence team, but it also applies to organizations looking to action intelligence, as processed intelligence is disseminated to internal stakeholders for actioning – making it a critical point to keep in mind.
Intelligence Audiences
There are several different audiences for CTI, each with different classifications and different concerns and needs of complete intelligence. Understanding your audience is critical because it informs how you present your information to decision makers and others. Presenting intelligence in a consumable and actionable way for each audience set is vital to getting the results you want.
CTI Audiences Explained
- Strategic audiences will focus on the long-range considerations of the key takeaways detailed in intelligence. Topics like the industry threat landscape, defining policy and risk assessments, budgeting, acquisition of tools, and security strategy will matter most to strategic personas.
- Operational audiences focus on more mid-range considerations. Focus is applied to security operations center (SOC) team structure and operational directives: where to assign personnel, what to have them focus on, and where on the network to add visibility and detection capabilities are most essential from an operational viewpoint.
- Tactical personas are concerned about the real-time execution of intelligence. Topics like critical vulnerabilities with published exploits, new information on indicators or behaviors actively targeting the organization’s industry vertical, and other consideration that should be actioned immediately.
- Technical audiences refer to toolsets and the implementation of threat intelligence. Automation is generally key for the technical implementation of intelligence. Actions like searching for notable behaviors in a security incident and event management (SIEM) system and triaging alerts, blocking known adversary infrastructure, tuning intrusion detection/prevention systems, and enriching first-party data with novel intelligence all occur with a technical audience in mind.
In Conclusion
Cyber threat intelligence, especially that which is focused on the targeting of ICS and OT, is a critical component of a strong cybersecurity program. Most security professionals in industrial verticals have heard of at least one or two key cybersecurity incidents impacting ICS, but it is now widely known that adversaries develop ICS-specific toolsets for kinetic impact to critical infrastructure. This trend demonstrates the importance of operationalizing ICS threat intelligence, as proactive security measures are even more important when factoring in the shift in the threat landscape for industrial vertical.
The stakes are often much higher for OT; cyber attacks on OT can lead to loss of life. The stakes cannot get higher than that, so ICS defenders must use every tool in their tool belts to prevent an impact that severe — including threat intelligence as a key component of defense in depth.
Ready to put your insights into action?
Take the next steps and contact our team today.