Cyber security is interesting in that there is encouragement
and peer pressure to start with the most shiny of shiny things. Cyber threat
intelligence is no exception.
When starting a cyber threat intelligence program, most organizations have
some fixed amount of resources and a lot of choices.
The possible choices are numerous, but here is a subset. You
could focus on attribution (knowing who might be targeting, or actively running a
malicious campaign against, your organization). You might want to understand your
organization's exposure through data posted on the dark web. Or you could focus on the mundane,
such as ensuring that critical CERT and product advisories are identified, tracked,
and patched in a formalized way within your cyber security program.
There's a natural inclination to think of the shiny parts of
threat intelligence, such as attribution. But the sad truth is that, unless you
are part of a global or government organization, you probably don't have malicious
actors targeting you often enough to see a return on such an investment of resources.
My guess is that most organizations would be disappointed by the return on a significant attribution investment. It's
a difficult and resource-intensive activity that likely has a high rate of
non-interesting outcomes. Mistakes
by employees? All the time. Low-grade
cyber criminals? Every day. Low-grade cyber criminals that have upped their
game to include APT-level attacks? Perhaps. State actors? Probably not.
Certainly not the outcomes of dramatic cyber movie thrillers.
So there may be more tangible value in applying
resources to some of the more fundamental aspects of cyber threat intelligence:

- Formalizing the identification, tracking, and outcomes of critical
  advisories.
- Identifying evidence of today's malicious campaign artifacts
  elsewhere in the organization.
- Reconstructing the lists of email addresses found in malicious emails to
  determine from where they may have been sourced.

Not the cutting-edge stuff. More often, it means working
through quite mundane activities.
But the non-shiny outcomes are often the most valuable.
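As an added example (not code from the original post) of the last item above, the script below reconstructs the set of recipient addresses targeted across a batch of phishing messages and then scores candidate lists the attacker may have harvested them from. The two phishing messages, the three candidate sources (a public staff directory, a conference attendee list, a newsletter export) and the 80% coverage threshold are all constructed for illustration.

```python
"""
Reconstruct the recipient list behind a phishing batch and rank the
candidate sources (staff directory, attendee list, ...) that could have
supplied it. Sample data below is constructed, not from a real incident.
"""
from email import message_from_string
from email.utils import getaddresses

# Constructed sample phishing messages: the same lure sent to several
# recipients, some addressed via To:, some via Cc:, with mixed letter case.
PHISH_SAMPLES = [
    """From: payroll@examp1e-corp.com
To: alice@example.com, bob@example.com
Cc: carol@example.com
Subject: Updated payroll portal

Please re-enter your credentials at the new portal.
""",
    """From: payroll@examp1e-corp.com
To: Dave <dave@example.com>
Cc: erin@example.com, Alice <ALICE@example.com>
Subject: Updated payroll portal

Please re-enter your credentials at the new portal.
""",
]

# Constructed candidate sources the attacker might have harvested.
CANDIDATE_SOURCES = {
    "public staff directory": {
        "alice@example.com", "bob@example.com", "carol@example.com",
        "frank@example.com", "grace@example.com",
    },
    "2023 conference attendees": {
        "alice@example.com", "bob@example.com", "carol@example.com",
        "dave@example.com", "erin@example.com", "zed@partner.example",
    },
    "marketing newsletter export": {"heidi@example.com", "ivan@example.com"},
}


def targeted_addresses(raw_messages):
    """Return the normalized (lower-cased) set of To:/Cc: addresses across all messages."""
    found = set()
    for raw in raw_messages:
        msg = message_from_string(raw)
        headers = msg.get_all("To", []) + msg.get_all("Cc", [])
        for _display_name, addr in getaddresses(headers):
            if addr:
                found.add(addr.strip().lower())
    return found


def score_sources(targets, sources):
    """
    For each candidate source compute:
      covered   - fraction of targeted addresses present in that source
      exclusive - targeted addresses found in this source and in no other
                  (the strongest tell that a specific list was used)
    Returns a list of dicts sorted best-first by coverage, then exclusives.
    """
    results = []
    for name, members in sources.items():
        hits = targets & members
        others = set().union(*(m for n, m in sources.items() if n != name))
        results.append({
            "source": name,
            "covered": len(hits) / len(targets) if targets else 0.0,
            "exclusive": sorted(hits - others),
        })
    results.sort(key=lambda r: (r["covered"], len(r["exclusive"])), reverse=True)
    return results


def likely_source(raw_messages, sources, min_coverage=0.8):
    """Name the top-ranked source if it explains at least min_coverage of the targets, else None."""
    targets = targeted_addresses(raw_messages)
    ranked = score_sources(targets, sources)
    if ranked and ranked[0]["covered"] >= min_coverage:
        return ranked[0]["source"]
    return None


if __name__ == "__main__":
    targets = targeted_addresses(PHISH_SAMPLES)
    print(f"{len(targets)} distinct addresses targeted: {sorted(targets)}")
    for row in score_sources(targets, CANDIDATE_SOURCES):
        print(f"{row['source']:30s} covered={row['covered']:.2f} exclusive={row['exclusive']}")
    print("likely source:", likely_source(PHISH_SAMPLES, CANDIDATE_SOURCES))
```

Coverage alone is suggestive rather than conclusive, because a widely published address will sit in several lists; the `exclusive` column is what actually separates the candidates, and in the constructed data it points at the attendee list (the only source that contains the two addresses absent from the staff directory). In practice the candidate sets come from whatever exports the organization can reconstruct, and the same overlap logic applies to any other artifact list, not just email addresses.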
Follow me on Twitter
for discussion and the latest blog updates: @Opinionatedsec1. Or, start your
own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read
it.