Setting up a threat intelligence program can seem overwhelming. There are a lot of models out there and much has been written about sources and methods and analytical tradecraft, but finding the right fit based on your company’s resources and requirements can be difficult. To make things easier and more tailored, it may be worth considering a different, more pragmatic approach that allows an organization to develop an understanding of their threat environment in plain language.
This blog will be the first in a series of posts laying out a straightforward approach to developing a rudimentary threat intelligence program by identifying 1) what to protect, 2) who may want that data, and 3) how to get information related to potential threats in a format useful to your organization. These blog posts serve as companion pieces to our previous blog post on the importance of Priority Intelligence Requirements (PIRs), as the first two posts in this series can help you prepare and create PIRs. For this first post, we are focusing on identifying what cyber threat actors may want.
Where to start?
The first step in starting a threat intelligence program is identifying what you have and what you want to protect. This thought exercise requires examining the issue from both your own perspective and that of the threat actors out there… so really, it’s about figuring out what’s important to YOU and what’s important to THEM. Being able to summarize both easily and succinctly is at the core of a good threat intelligence setup.
What do you see as important?
The first part of this is figuring out what’s important to YOU. This means identifying the critical assets your business depends on operationally (i.e., what do we need to keep our business running) and any other properties you consider integral to your company (i.e., intellectual property, data, or other unique aspects of your business).
- Operational considerations: These can include something as basic as money and financial information (which would be common across all businesses), but should also include the critical technologies and/or software that are imperative for your business and the vulnerabilities that may affect them. Your considerations may also include Industrial Control Systems or Internet of Things devices that need to be monitored for potential threats. Customer data also falls into this category.
- Other considerations: These considerations are focused on what makes your company unique. Is it intellectual property? Research or other unique and/or sensitive data? What data, access, or processes might your company have that are valuable to you?
What do adversaries see as important?
The second part of this process is taking a step back and looking at your company through the eyes of a potential threat actor… what does your company offer that may be of value to a cybercriminal or a nation-state cyber threat actor? Many times, this will overlap with what is already important to you: money is the most obvious case here. Ransomware groups and other cybercriminals are financially motivated. Your intellectual property may also be of particular interest to certain nation-state groups (e.g., data related to energy technologies is of particular interest to China). Another point to consider is who your customers are and/or what companies you may be connected to. This has been highlighted recently in a US government advisory on threats to critical infrastructure, in which small and midsized businesses are warned they may be targeted given their business relationships with larger critical infrastructure entities.[i]
What next?
Identifying what’s important is the first step in building a threat intelligence program. In the next blog post in this series, we’ll take a look at which threat actors may be interested in your company based on what you’ve identified through this process, so that you can track these groups and how they operate. Knowing this allows you to align your defenses against the most common threats you are likely to face and maximize the return on your cybersecurity investments.