Cyber security is interesting in that there is encouragement and peer pressure to start with the most shiny of shiny things. Cyber threat intelligence is no exception.
When starting a cyber security threat intelligence program, most organizations have some fixed amount of resources and a lot of choices.
The examples are numerous, but here is a subset. You could focus on attribution (knowing who might be targeting or executing a malicious campaign against your organization). You might want to understand your organization’s exposure through data posted on the dark web. You could also focus on the mundane, such as ensuring that critical CERT and product advisories are identified, tracked, and patched in a formalized way within your cyber security program.
There’s a natural inclination to think of the shiny parts of threat intelligence, such as attribution. But the sad truth is that, unless you are part of a global or government organization, you probably don’t have malicious actors targeting you often enough to see a return on such an investment in resources.
My guess is that most organizations would be disappointed by the return on a significant attribution investment. It’s a difficult and resource-intensive activity that likely has a high rate of uninteresting outcomes. Mistakes by employees? All the time. Low-grade cyber criminals? Every day. Low-grade cyber criminals that have upped their game to include APT-level attacks? Perhaps. State actors? Probably not.
Certainly not the outcomes of dramatic cyber movie thrillers.
So, perhaps, there might be more tangible value in applying resources in some of the more fundamental aspects of cyber threat intelligence.
Formalizing the identification, tracking, and outcomes of critical advisories.
Identifying evidence of today’s malicious campaign artifacts elsewhere in the organization.
Reconstructing lists of email addresses in malicious emails to determine from where they may have been sourced.
Not the cutting-edge stuff. More often, it means working through quite mundane activities.
But the non-shiny outcomes are often the most valuable.
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.