How to Define and Build an Effective Cyber Threat Intelligence Capability (2015)
Chapter 5. Translating Objectives into Needs, or “Why Drives What”
We illustrate the need to know your mission activities in order to help define your intelligence needs. In other words, the objectives that have been defined, or the business need that you are trying to meet, are not the same as a mission activity.
Keywords: compliance and regulatory risks; data loss prevention; cyber awareness training; Internet Relay Chat (IRC); indicators of compromise (IOCs)
Before reading any further, we should make a subtle but important distinction: The objectives that you have defined, or the business need you are trying to meet, are not the same as a mission activity.
Your objective is not to effectively patch vulnerabilities or defend against DDoS attacks or stop hackers from getting into your network. These are NOT business objectives. They are activities that support a business objective. The business objective might be, “mitigating the risk of increased costs or competitive damage that might ensue from data loss”. Those business impacts might include mitigation costs, higher customer-service call volumes, reputational damage, the CEO losing his/her job, or other calamity. If this is the business objective, then the activities that support it should align directly with it. Just understand there is a distinction between the objective and the activities that support it.
Let us take another simple example. Suppose you define a business objective, for example, “ensure our agents do not make improper statements on their insurance agency web sites and cause a huge fine against our broker-dealer.” With that objective clearly stated, you can then define mission activities that support it.
We have chosen a compliance example here, by the way, to help illustrate that “risk” is not always necessarily a “threat.” Threat should be, and often is, viewed as a subset of risk, and these concepts can blur, especially in finance organizations, pharmaceuticals, and other highly regulated industries. Compliance and regulatory risks may be as important as those tied to malicious activity, and you may very well find that addressing these risks is included as part of your group mission. So, to return to our example, if your objective is to mitigate compliance risk, then a mission-supporting activity might very well be monitoring your independent representatives and agents to ensure that they do not say things or make promises that violate the rules related to selling registered products such as annuities or other financial instruments.
Here is another concrete example. Suppose your objective is to minimize the risk of a data breach by an outside threat actor, because breaches raise expenses and damage reputation, brand equity and customer trust, which in turn can reduce revenues. That is the business issue. In this case then, some aligned mission activities might include:
• Ensuring effective prioritization and management of vulnerabilities to reduce risk of infection and data exfiltration;
• Tagging of sensitive data and implementation of a data loss prevention (DLP) or monitoring system to track movement of tagged sensitive data; and
• Cyber-safety awareness training for employees to mitigate spear phishing and social engineering of those with access to the sensitive data or systems.
Once you know your mission activities, they will in turn help you define your intelligence needs. To continue:
• IF the business objective is minimizing the risk of a data breach; AND
• A supporting mission activity is making sure that your employees do not get spear phished, THEN
• One example of an intelligence need to support the activity would be a feed, or content that educates the relevant parties about the latest spear phishing attacks and related techniques and practices.
This is a simple example to be sure, but it is meant to show the sequential linkage from objective to activity to intelligence need. Why you are doing something, and what thing you are doing, will in turn define the type of information you need to develop or procure to produce usable, relevant intelligence. That is why it is imperative to start with “why” in order to then define “what.”
5.1. Illustration: translating the objective into concrete intelligence needs
Let us continue with concrete, tangible cases to make this as real as possible. For each of the examples above, if the objective is to prevent, identify, and investigate losses of sensitive internal data or intellectual property, then what are the actual mission activities carried out by the group of people who will sit in a room and do the actual work? And how does that list of activities translate into the actual intelligence needs (i.e., the “what” you need to develop or go out and buy)?
One activity might include understanding hacker and threat actor “TTPs” or tactics, techniques and procedures. How are they attacking other organizations? How did that recent breach in the news happen? How did they get into that organization? Who was responsible and what kinds of things do they commonly use to accomplish their goals? If gaining that knowledge is the required activity, then your intelligence need might be defined as a feed, content stream, education program, or other on-going service that educates your team about those threat actors and their TTPs.
Here is another aspect that might tie to this example. Suppose an activity that supports your mission is attempting to detect when data exfiltration is under way, or that a host on your network has been compromised. If that is a key activity, then what types of data could you use to support it so that you can in turn, generate intelligence? (You may recall that what many people sell as intelligence, by our definition, is not. But it may be the data you can turn into intelligence.) A vendor might offer a feed of IP addresses and domain names for current drop sites to which exfiltrated data is being transmitted. By taking that list of IPs and putting it into your infrastructure to prevent or monitor data egress, you now have something that can be applied to your organization, has potential business value, and produces an action or response. Thus, data from the vendor can actually become intelligence.
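As an added illustration (not from the book, and not a vendor's product), the following script shows the step described above: a purchased drop-site feed only becomes intelligence once it is matched against your own egress records and produces an action. The feed lines, the log lines and the host names are all constructed for this example.

```python
import ipaddress

# Constructed vendor feed (hypothetical): indicator,type,context,confidence
VENDOR_FEED = """\
203.0.113.10,ip,exfil drop site,high
198.51.100.0/24,cidr,bulletproof host range,medium
drop-example.invalid,domain,staging server,high
"""

# Constructed proxy/firewall egress log: timestamp host destination bytes_out
EGRESS_LOG = """\
2015-03-01T09:12:03 ws-finance-07 203.0.113.10 52428800
2015-03-01T09:15:44 ws-hr-02 93.184.216.34 2048
2015-03-01T09:20:11 db-backup-01 198.51.100.77 734003200
2015-03-01T09:22:09 ws-legal-03 drop-example.invalid 1048576
"""

def load_feed(text):
    """Split the feed into exact-match indicators (IPs, domains) and CIDR ranges,
    keeping the vendor's context so an alert carries it to the analyst."""
    feed = {"exact": {}, "ranges": []}
    for line in text.strip().splitlines():
        value, kind, context, confidence = line.split(",")
        entry = {"context": context, "confidence": confidence}
        if kind == "cidr":
            feed["ranges"].append((ipaddress.ip_network(value), entry))
        else:
            feed["exact"][value.lower()] = entry
    return feed

def lookup(feed, dst):
    """Return the feed entry for a destination IP or hostname, or None."""
    hit = feed["exact"].get(dst.lower())
    if hit is None:
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:      # a hostname with no exact match
            return None
        for net, entry in feed["ranges"]:
            if addr in net:
                return entry
    return hit

def match_egress(feed, log):
    """One alert per egress record whose destination is on the feed."""
    alerts = []
    for line in log.strip().splitlines():
        ts, host, dst, bytes_out = line.split()
        entry = lookup(feed, dst)
        if entry:
            alerts.append({"ts": ts, "host": host, "dst": dst,
                           "bytes_out": int(bytes_out), **entry})
    return alerts
```

Each alert names the internal host, the destination, the volume sent and the vendor's context for that indicator, which is what the responder needs to decide whether to block, investigate or escalate.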
Another related activity you might define to support this mission is to detect or discover when sensitive data has already left the organization. One activity in support of this would be to scour the internet for internally sourced or authored data or documents, focusing in part on some of the sites and markets that are known to deal in such data, for example, PasteBin, Pastey, Pirate Pad, and the like, hacker Internet Relay Chat (IRC) channels and forums, document sharing sites like Scribd, Docstoc, and Slideshare, or “leak” sites like OpenLeaks and Wikileaks. In this scenario, then, the activity is to monitor or check such sources for your own internal materials, and the data or intelligence need might be defined as a feed or service that automates or supports such searching or monitoring, gathering, screening, and delivering to you any sensitive materials that appear in these forums.
So to summarize, if, for example, the objective is to prevent or identify the loss of IP, and the activity is to scour the internet for evidence of IP that has already left the building, then your information needs might include social media or web-based data that indicates things that have left the building, or IPs, indicators of compromise (IOCs), or similar technical data that shows an attempt to do so. This is the brass tacks of translating high-level business needs all the way down to the activities the group will actually undertake on a day-to-day basis, and the types of intelligence you need to go out and procure or develop internally to fulfill your mission.