I spend my work days digging through SurfWatch Labs’ cybercrime data and writing blogs and reports on the latest cyber threat intelligence trends, so it should come as no surprise that among my friends and family, I’ve become the “cybersecurity guy.”
In fact, many of those same people in my personal life would be happy to shove everything “cyber” in a box and put it far out of sight to never deal with again. Because of this, I’m not shocked when I read the latest studies about those in the C-suite having that same attitude — such as 90 percent of corporate executives saying they cannot read a cybersecurity report.
I have a confession to make myself: I’m not much of a technical IT guy either.
I view myself as more of a business analyst, and through that lens, the separation of cyber risk and business risk doesn’t make much sense. My sister getting Craigslist messages trying to dupe her out of money is no different than the scammers on the street pitching their elaborate stories in person. Likewise, a competitor stealing employee credentials in order to access valuable intellectual property isn’t much different than the paper-driven corporate espionage that existed before the Internet.
It’s the same risk, just in a different medium. If anything, the main difference is in volume. Actors halfway across the globe can target your organization, and expanding digital supply chains means there is a growing number of attack vectors and an ever-changing list of exploits that can be used to steal that information.
You may not be an expert on a specific threat or a risk out of the box, but that’s where cyber threat intelligence can help. With the right intelligence you can make more informed decisions that can dramatically improve your cybersecurity and resiliency.
Dashboard of Consumer Goods risk from SurfWatch Threat Analyst
I’m reminded of a famous quote attributed to Socrates: “The only true wisdom is in knowing you know nothing.” Cyber threat intelligence is the wisdom that although individually we may know nothing, collectively we have great knowledge that can be leveraged.
Much has been written about cybercrime-as-a-service model and the way that malicious actors leverage past successes and individual expertise to create more effective tools and tactics. Cyber threat intelligence is about having that same effective and coordinated approach to risk management that the bad actors have when it comes to trying to exploit cyber risk.
The cybersecurity conversation has come a long way over the past few years, but what’s still missing from many organizations is that coordinated approach to cybersecurity — one that begins at the board of directors and goes down to the newest employee. As we previously noted, a proactive strategy backed by an engaged C-suite and board of directors has been shown to reduce the growth of cyber-attacks and data breaches.
It’s easy to berate the clueless executive, but I try to imagine them with the same level of knowledge that I once had — before I first picked up the phone, began interviewing cybersecurity experts, and had all of this cyber threat data at my fingertips.
We don’t all have to be experts. There are plenty of experts out there already. What those organizations need is a way to harness that collective knowledge, to compare that external data against their own internal intelligence, and to have that cyber threat information presented in an ongoing, easy-to-understand manner.
When customers ask our analysts about new threats or use our threat intelligence to improve their organization’s cybersecurity, we’re all working together to better defend against malicious actors by focusing resources on the threats that directly impact each organization. That collaboration and sharing of knowledge is what cyber threat intelligence is all about.
I began at SurfWatch Labs several years ago with one primary directive: be a story teller. Cybercrime impacts everyone, I was told, yet many business owners, executives and employees know next to nothing about cybersecurity.
For the most part those people were either unaware, assumed their business would never be a targeted by hackers, or put the onus on the tech guys to handle those threats. Those who did take cybersecurity seriously and wanted to learn — well, without a technical background cyber-related writing has a tendency to induce a mini-coma within the first three paragraphs.
Essentially, there was large disconnect between the numerous cyber-attacks and data breaches and everyone who was being impacted by those incidents. That gap has closed quite a bit the last few years, but a gap still remains. Unlike regular crime, which tends to evoke much a more visceral reaction, cybercrime and the reporting on it often feels one step removed from our daily lives. Even as we currently find ourselves speculating how cyber-issues could help decide a presidential election, people are still surprised when they become the target of a cyber-attack.
Take Patrick Feng, an adjunct assistant professor who studies technology and sustainability policy at the University of Calgary in Canada. As Scientific American reported, on May 28 a ransomware attack left many of the university’s researches locked out of their own data and email, leading the university to make a ransom payment of $15,500 to ensure nothing was lost.
“Even though I teach technology policy, and am aware of these kinds of issues, I still thought it was never going to happen to me,” Feng said.
Yes, presidential candidates are targeted, but little ol’ me? C’mon.
That disconnect is why I wrote back in 2014 that the story of celebrity nude photos being stolen may have been the most important cybercrime event of that year:
For most of us, we are not celebrities, and it does not affect us. But when I read that story, or stories like that of [Miss Teen USA] Cassidy Wolf, who described her reaction to being sextorted by a similar creep – “I literally threw my phone across the room and started screaming. It did not feel real, it was like a horror movie.” – it stays with me in a way that a hundred stories of credit cards being stolen from Home Depot will never do.
We need stories to help spur action across all aspects of our lives, including cybersecurity. In a sense, that is what effective cyber threat intelligence is all about. Our goal here at SurfWatch Labs is to tell those stories, to help connect those dots so that everyone from the newly hired employee to the board of directors can understand the risks posed to them both individually and to their organization as a whole.
It’s also why charts like this are among my favorite ways to look at SurfWatch Labs’ cyber threat intelligence data — not because it’s a useful chart in any practical sense, but because of the way it highlights this year’s cybercrime events and shows the stories that collectively we are, and aren’t, paying attention to.
This chart shows the more than 1,000 industry targets SurfWatch Labs has collected data on this year (not including dark web data), as well as the date they first appeared in our data and how many CyberFacts we have collected pertaining to each organization.
In the cybersecurity space, we tend to define time by the major breaches — Target, Home Depot, Sony Pictures, Anthem, the U.S. Office of Personnel Management, Ashley Madison, LinkedIn, the Democratic National Committee — but doing so can negate the real story. As we noted in our recent cyber trends report, most attacks are not sophisticated. They are not high-profile incidents that garner national headlines. Rather, they are a steady wave of relatively simple and often automated attacks that continues to wash over those without proper awareness or understanding of their cyber risk.
Only a tiny fraction of cybercrime events cross over that gap and become part of the public consciousness. For the many more organizations that remain under the radar, cybercrime still has significant real-world consequences — as well as for the employees, executives, shareholders and boards of directors that are tied to those various data breaches, denial-of-service attacks, extortion attempts, account takeovers, cyber-espionage, insider threats and other forms of cybercrime.
With cyber threat intelligence becoming one of the latest cybersecurity buzzwords, people are often trying to define what it is. What’s the proper balance between raw data and human analysis? Who is the target audience? How does that intelligence translate into specific action? In simpler terms, it is just telling the story of your organization’s cyber risk — with proper context and in a way that everyone can understand and take action on.
To continue to close that cybersecurity gap we need more training and more technological innovations and more smart leaders, but we also need to connect all of that together and drive progress forward somehow. That’s what cyber threat intelligence, and the stories it can tell, is all about.
It should come as no surprise, but data breaches are costly for organizations. Each stolen record containing sensitive or confidential information costs an organization an average of $158, according to the 2016 Ponemon Cost of Data Breach Study released last month. That price more than doubles – to $355 – when looking at a highly regulated industry such as healthcare.
Those costs add up. The final tally for an average breach is now a whopping $4 million. That’s up from the $3.79 million last year and a 29 percent in total costs since 2013.
Clearly, data breaches have a significant impact on business. In fact, the biggest financial consequence often comes in the form of lost customers, according to Ponemon. The findings confirm what others surveys have recently reported: consumers are increasingly unforgiving when it comes to data breaches, particularly younger generations.
A FICO survey found that 29 percent of millennials will close all accounts with a bank after a fraud incident. Not only will they take away their own business, a significant percentage will actively campaign against others using the bank. A quarter will turn to social media with negative posts, and more than a fifth will actively discourage their friends families from using the services.
Can the C-Suite Make a Difference?
It’s not all bad news when it comes to cybercrime-related research though. In fact, The Economist Intelligence Unit recently found that certain types of organizations are having at least some success when it comes to fighting against the tidal wave of cyber-attacks. Making cybersecurity a priority at the top of an organization can have a significant impact on cyber risk.
According to the survey:
A proactive strategy backed by an engaged C-suite and board of directors reduced the growth of cyber-attacks and breaches by 53% over comparable firms.
This includes a 60% slower growth in hacking, a 47% slower growth in ransomware, and a 40% slower growth in malware attacks than their less successful counterparts.
Successful firms were also 56% more likely to maintain a standing board committee on cybersecurity.
Unfortunately, many organizations are either overwhelmed with low-level data and tasks, or they are unable to clearly articulate relevant threats to those executives. This leaves them more vulnerable to the various cyber threats facing their organizations — and the potential costs and other fallout associated with those incidents.
That’s why it’s crucial that those in the C-suite and on the board of directors have strategic threat intelligence — including dark web data on the cybercriminals themselves — provided in a clear, concise and ongoing manner. It is possible to stem the tide of cyber-attacks with a combination of the proper leadership, expertise and tools, but all too often those organizations are operating without a crucial piece of the puzzle — the high-level threat intelligence to help guide those decisions.
Taking Action with Threat Intelligence
Much has been written about the cybersecurity knowledge gap in the C-suite; however, that issue runs both ways. Earlier this year, ISACA released its State of Cybersecurity: Implications for 2016report, and they found that respondents “overwhelmingly reported that the largest [skills] gap exists in cybersecurity and information security practitioners’ ability to understand the business.”
This is a crucial problem as security experts continue to hammer home the point that cybersecurity is no longer an IT problem, but a business one. Cybersecurity employees understanding business concerns and business executives understanding cybersecurity concerns isn’t just an aspiration, it’s a necessity for properly managing cyber risk.
That collaboration and understanding is at the heart of effective cyber threat intelligence.
Effective threat intelligence empowers those in the C-suite and board of directors with relevant and easy-to-comprehend information about the most important cyber threats impacting their business, their competitors and their supply chain. Effective threat intelligence also serves as a guidepost for those in IT to ensure that tactical defenses and resources are aligned with the most pressing business concerns.
In short, threat intelligence is a key component in getting away from the never-ending game of whackamole that results from blindly chasing down the latest headline-grabbing cyber threats and instead operating with a more thoughtful, harmonious and strategic approach. It’s applying the same combination of technical analysis and business insight that are commonplace in other key areas of the organization in order to achieve the biggest return on your cybersecurity investment.
It’s no wonder then that those organizations are seeing the best results when it comes to reducing their overall cyber risk.
I recently had the pleasure of sitting down with Larry Larsen, Director of Cyber Security at Apple Federal Credit Union, to learn about the cybersecurity challenges they face and how threat intelligence fits into their overall approach to risk mitigation.
Larry explained that his primary objective is two-fold: to protect member information and assets, and to protect Apple FCU’s organizational information. With increasing complexity around cyber, he discussed with me the need for threat intelligence to become more apparent. Beyond just blocking threats, he wants to understand what attackers are trying to do so he can prepare as best as possible. And while there are many sources of open source threat information, intelligence takes it a step further by correlating patterns of behavior that the cybersecurity team at Apple Federal Credit Union uses to guide their efforts and anticipate threats before they occur.
When it came to discussing how they use the intel from SurfWatch Labs, Larry said that it has “led to direct changes in Apple FCU’s infrastructure due to emerging threats we would not have known about as quickly if we did not have that pattern analysis and comprehensive picture.”
In this 5 minute clip, you can learn about how strategic and operational threat intelligence are used throughout the organization – beyond just the cyber team – to prepare for impending threats and reduce risk.
Cyber threat intelligence offers an in-depth look at the potential threats and attack vectors facing an organization. Each organization is different, and in these differences there are a variety of ways cybercriminals can exploit a company. Security tools such as firewalls and antivirus software protect against several of these threats, but they cannot protect an organization from everything. This is where cyber threat intelligence plays a crucial role.
Threat intel gives an organization the ability to identify threats, understand where any lapses in security have already occurred, and gives direction on how to proceed concerning these vulnerabilities. This is a lot of information for any organization to handle on their own, especially since the cyber landscape continues to change.
“The field is constantly growing and evolving; there is no shortage of cyber information, which means it can be very easy to get overwhelmed with it,” said Aaron Bay, chief analyst at SurfWatch Labs. “We sometimes forget to take a peek at what is going on with the rest of the world.”
Yesterday we talked with Bay about the role of the cyber threat analyst. Today we finish our conversation, and focus on how threat intelligence can help organizations.
Why does a company need to implement threat intelligence on top of their existing security?
Having security tools such as firewalls and antivirus software is critical; you have to have them. If you don’t have these tools, you are already at a disadvantage. These security tools are paramount, but the information derived from them can be overwhelming. From what I have seen, a lot of time companies will simply buy these tools, plug them in and forget about them. From a threat analyst perspective, what we do when we give companies information about threats affecting their industry is show them the known mitigation of the threat. We can only lead the horse to water; we can’t make it drink. But if we can give organizations enough pertinent information where they are asking, “Does my defense actually protect us against this?” that goes a long way.
A lot of the time companies are putting up boundaries to stop threats from getting in, but they might not necessarily know when information gets out. They may be breached, and their information could have been compromised. They could also be attacked at a point they weren’t protecting such as point-of-sale systems. A bank has credit and debit cards, and the bank itself is usually pretty well protected against direct attacks. All of that can be defeated by a skimmer on an ATM. Knowing these attack vectors and knowing this is another way cybercriminals can get to your customers’ data can really help mitigate risks. If we as threat analysts are looking for these attack vectors and alternative methods, then we can help an organizations be better prepared and protected against threats.
Cyber threat intelligence is a relatively new avenue in cybersecurity. Are companies seeing value in this?
Cyber threat intelligence is still a growing field; it is definitely still evolving — as it should be. Threats are evolving, so this field that focuses on these threats is evolving as well. I think, for the most part, everybody is doing the best job that they can. It’s hard for a business to feel like they are getting a return on their investment from IT security in general. When you get that big win, when you catch something that no one else caught, either protecting some data or helping stop something before it became a big deal, then it is easy to see the value of it. For companies, as long as everything is working, the people who make decisions about IT and their infrastructure don’t necessarily want to know what goes into keeping everything running. They just want it to work. If everything is working, it is easy to not respond and spend money on keeping everything running. In their mind, everything is working. It appears that not much has to be done to keep things running, why would they spend more money on it?
How can companies providing cyber threat intelligence improve?
If there is a way to improve our field it is really just to work together as a community to make sure companies understand the value of cyber threat intelligence. I feel like we are doing a good job, but I feel that the industry isn’t ready for the message. These companies are being attacked left and right, and it feels like all we are doing is showing up and telling them they need to be doing security better. To actually translate everything that is going on, distill it and focus it on the company specifically is really the best approach. I am glad that SurfWatch Labs is going down this road. Showing companies why they need to care about this information that is being presented to them is very valuable.
I also think that internally, for our customers, we sit between business operations and the IT department. We aren’t just supporting IT security or just enabling compliance with the various IT regulations a business must adhere to. A Cyber Threat Intel Analyst should be assisting the translation between business units — and the various IT and cyber risks they face — and helping them understand sometimes how two separate threats are actually part of a larger threat against the company. I believe that is when we can really show our value.
For example, let’s say an attacker breaks into a company and steals credentials to the gaming platform that is hosted by that business. The network defense team should detect that and stop it. If a new attack is being used that has never been detected before and no signatures have been created for it yet, it’s possible the attack may go unnoticed. Soon after this undetected attack, separately, your cyber threat intel analyst discovers that someone dumped some credentials to your game on the dark web or is selling them. If that credential dump is only passed on to a third group such as customer service in order to reset accounts, but the network defense team isn’t made aware, then the source of the leak may not be plugged. Or if the developers are not notified, and the vulnerability came from a bug in the software that the company created, then again the problem will still be there.
What are some of the achievements cyber threat intelligence has accomplished. Is it changing the game?
It is changing the game for sure. Some of the big wins cyber threat intelligence has gotten comes from exposing malicious activity in general. When you can find those hidden gems and expose what is going on those are the big wins. Seeing the new carding efforts and all the things that are going into combating organized crime is very rewarding. The big ones are of course things like uncovering STUXNET, and all of the pieces that went along with that. The Mandiant APT1 report I think spawned a whole new movement with regards to CTI, some good some bad, but it got a lot of people to sit up and take notice, and that’s really what we want.
Final thoughts?
We talked about how new the field of cyber threat intelligence is, but that is also exciting. Being in a field with all of this different stuff going on makes cyber threat intelligence a very exciting field to be a part of and stay focused on. I look forward to the future.
As cybercrime continues to grow and evolve at a rapid pace, organizations are faced with difficult decisions in finding solutions to this problem. Deploying security tools to combat cybercrime is a crucial part of this dilemma, but this brings with it the herculean task of attempting to process massive amounts of data in order to keep up in the game defending against cyber-attacks.
In order to get the most up-to-date and accurate cyber threat intelligence, SurfWatch Labs employs talented analysts with a focus on threat intelligence. These threat analysts are the backbone to a new and developing field of cyber threat intel, providing valuable information to organizations that go well beyond identifying threats.
“Being a threat analyst often requires being a chameleon or wearing many hats,” said Aaron Bay, chief analyst at SurfWatch Labs. “You need to be able to understand the technical side of security, navigate among the various hacker and cybercrime forums on the dark web, understand business risk, and then distill all of that information into valuable intelligence that can be easily understood by business executives. It’s not an easy role, but it is one that is becoming increasingly important to organizations.”
We spoke with Bay to get some insight about the role of a threat analyst and how cyber threat intelligence can benefit organizations.
Tell us a little bit about being a threat intelligence analyst.
Being a threat analyst feels a little bit like a cross between a weatherman, an interpreter and someone trying to find a needle in a haystack. It’s not just about knowing the latest attacks and staying up on the latest jargon. There is a lot of translation that has to take place to get that information to the decision makers in such a way that they can actually make a decision based on it. So being able to speak “cyber” but also being able to translate that to someone who is not a cyber person takes some work as well. Powerful Google-fu is also helpful in this position; even though Google is not the only source, knowing how to find data using it and other tools is invaluable.
Describe your typical day.
Aaron Bay, Chief Analyst at SurfWatch Labs
My typical day is probably a little bit different than most cyber threat intel analysts. Because SurfWatch Labs focuses on the bigger picture, we aren’t typically gathering the latest signatures from the latest malware or putting together snort rules for all the new bad stuff that’s been detected by various sensors or honey pots.
I spend a lot of time reading blogs, Twitter, various forums and general Web searching. To support SurfWatch Labs’ customers, a lot of my focus is on them: what they’ve said is most important to them, things they want to stay aware of, constantly looking for information that may be of interest to them in general, keeping track of that and reporting it to them, and then getting their feedback on what we’ve told them to tailor our internal processes so that we constantly evolve and stay current with their needs, as well as stay current with the threats out there.
Is being a cyber threat intel analyst mostly about IT security?
Firstly, I think the term IT Security is becoming archaic. When it is used, the person who hears it or uses it has a preconceived notion about what IT Security is. Computers and routers and switches and firewalls and all things traditionally associated with IT security come to mind. But our businesses and our personal lives have become so connected and dependent on technology, that just calling it “IT” seems to leave out things that should be included, but aren’t. I have to say that I am not a fan of the term “cyber” or “cybersecurity,” but I can understand the reason for having a new term that’s a little more ambiguous.
Credit cards used to just be numbers printed on plastic read by zip-zap machines until magnetic strips were created and used to save information in a way that could be read by a computer and transmitted via telephone back to your bank. Forty years later, those are being replaced by sophisticated memory cards that keeps your information encrypted. Do you consider your credit card to be IT? You should. Credit card fraud has been around as long as credit cards, and the more IT we throw at the problem, the more it becomes an IT security problem. I know that banks and organizations like Visa consider this an IT security issue, but most people still do not, I would assume. And that’s just one example.
For a Cyber Threat Intel Analyst to do their job correctly, they need to understand that it really is about IT security, but the scope is usually bigger than most people realize. The analyst needs to be aware of that, but they need to help their employer or customer understand that as well.
What is one of the biggest things to understand about cyber risk?
Typically, cyber threats enter an organization by way of something every user touches: browsing the web, reading their email, opening files, etc. Traditional IT security has been tasked with solving that. But that’s not the only way cyber threats can harm an organization. As soon as you do business with another organization, the scope of your risk increases. You have to send and receive information from them, send and receive money from them. This information is at risk if one organization protects it less than the other. If pieces of the business are outsourced, whatever that is, it’s now at risk to however that third party protects its business or its infrastructure.
Some of this even just comes in the form of what software a business chooses to use for its customer portal, where customers can post questions or the business otherwise interacts with its customers. Any vulnerabilities in that software or where that software is hosted translates to risk to the primary organization. Again, none of this is meant as a reason not to function this way, only as a way to say that these risks need to be understood and monitored. As new threats or attacks or vulnerabilities are discovered, an organization needs to be made aware of them so actions can be made to mitigate or remove them.
What are some cybersecurity trends you are seeing as a threat analyst that are concerning?
The biggest trend I am really starting to see is the continuation of cybercriminals using cyber means to make money. They steal credit card numbers, people’s personal identities, and the profits from these crimes and frequency of attacks continues to grow. Ransomware is now growing. It’s not growing because people think it is funny to do. It’s growing because people are making a lot of money off of these attacks. In these attacks, cybercriminals don’t care about obtaining information from our computer. All they care about is getting you into paying them money to get back your information. This is a scary trend, because it is really working.
Denial-of-service is still going on; people will pay to conduct denial-of-service attacks or pay ransoms to have these attacks stopped. It will be interesting to see what attack shows up next in an effort to make money.
To encapsulate that trend, it is becoming a lot more organized. In years past, the traditional “organized crime” groups were the only ones really making money off of cyber attempts. Today, however, all parts of cybercrime are becoming more accessible, and as it becomes easier a lot more people are going to be doing it.
Along that vein, attacks that produce the most results are of course going to trend. Ransomware as I mentioned, but a lot of businesses are getting better at detecting and eliminating threats … but don’t quite understand or monitor threats coming from their third-party suppliers, so attacks will start to come from that angle.
What is your biggest fear as a threat analyst?
My biggest fear is people not taking this information seriously or people not thinking it is useful information. I am fearful that people view this information as no big deal, viewing it as just another report and moving on. I hope that companies feel this information is useful, and it is taken seriously instead of thinking they don’t need the information anymore. Some of that could be that an organization doesn’t quite have a mature enough cybersecurity program so it can’t properly digest and protect against what an analyst may be telling them. The failure of the analyst to correctly translate risks and threats and trends into something meaningful could also contribute to the message being lost.
In the next post, Aaron shares his thoughts about how cyber threat intelligence can help your organization.
As cyber incidents proliferate, security experts continue to stress the importance of cyber risk strategy starting at the top of organizations. However, a recent report surveying more than 1,500 non-executive directors, C-level executives, Chief Information Officers, and Chief Information Security Officers found that some organizations still have a big knowledge gap when it comes to cyber threats.
Only 10% of high vulnerable respondents agree that they are regularly updated about pertinent cybersecurity threats
More than 90% of high vulnerable board members say they can’t interpret a cybersecurity report
Only 9% of high vulnerable board members said their systems were regularly updated in response to new cyberthreats
Many of these organizations are concerned about potential cybercrime. All of them are likely doing something to combat cyber risks. But they’re not getting updated on important threats, they cannot understand the updates that do come through, and as a result they do nothing.
That led me to wonder if we’ve all gotten stuck in the same methods of looking at the same things in the same way day after day without ever taking a breath and a step back and asking, “Wait, why am I doing this?”
The Penny Test
There was a fascinating story on the news awhile back about people getting wrongfully convicted based on faulty eyewitness testimony.
In fact, according to the Innocence Project, “Eyewitness misidentification is the single greatest cause of wrongful convictions nationwide, playing a role in 72% of convictions overturned through DNA testing.”
However, the point wasn’t that eyewitnesses are being careless or that they are just plain ignorant, it’s that without having the whole picture — the complete context of the situation — it’s natural to make a simple mistake that can cost a person decades of his or her life.
To illustrate, let’s do a variation of the Penny Test using a six person “lineup” to see if you can identify the “real” penny.
Which penny is correct?
If you’re like most people, you’ll eliminate a few possibilities, narrowing it down to a couple of choices. Then, over time — and along with other factors that may reinforce your decision — you grow more certain that, yes, that penny you’ve chosen is definitely the right one.
But here’s the problem with the story I’ve given you: it’s incomplete. I failed to mention the possibility that the correct version of the penny might not be there at all.
That’s one of the problems with the human mind, it wants to pick something, and it’s one of the many problems that can arise from eyewitness identification.
All of the pennies were wrong.
Cybersecurity Blind Spots
That lack of context can also be a real problem when it comes to managing cyber risk. Without having the whole picture, it’s natural to invest in the wrong areas or to make a mistake that leaves an organization vulnerable to cyber-attack.
This is what many of the recent studies and surveys have been reinforcing. The IT team is wasting their time elbows deep in low-level data and investigating red flags, never having a chance to think about or act on a high-level strategy. Executives don’t even know what aspects of their company are at risk, so they’re fumbling around in the dark and relying on vendors for the answers.
The problem with that? They’re biased.
Just as the cops in the world of traditional crime may lead a subject towards a certain perpetrator (“We thought it may have been number three too.”), a vendor may lead you towards their biases — regardless of the true risk profile and needs of your business.
When you’re assessing cyber risk, remember that one option is always “none of the above.” The answer might be something else entirely.
Understanding Complete Context
Many organizations have these cyber blind spots. For example, most organizations don’t assess the security of third-party partners or their supply chain, yet we’ve seen dozens of data breaches that begin from these very avenues.
If relevant cyber threat information is available, it often doesn’t make its way to those with the ability to actually make changes. And if it does get passed along, those executives may be unable to interpret the technical language of the threats. And if they do know and understand the threats, it may end up that those threats are no longer as relevant; there may be newer, more pressing cyber risks.
That’s why nearly every cybersecurity best practice guide or cyber risk management program beings with the same thing: context. Clear away as many of those blinds spots as possible.
Remember the Penny Test. Just because you are doing something doesn’t mean it’s the best use of resources. The real threat might still be out there, and without having complete context around your cyber risks, you may miss it.
As kids we’re taught to share our toys. It’s a hard lesson to “get.”
When it comes to cybersecurity and information sharing, many still don’t “get” it. Liability concerns, competitive disadvantages, and so on. But even if some of these concerns are legitimate, this lesson really shouldn’t be so hard.
According to the latest Verizon DBIR, while compromises are happening faster, the time to discover the compromise is taking longer than in previous years. We can combat this challenge through the use of sound threat intelligence and sharing among “friends.” Through intel you can be more prepared in advance of an attack, reducing the amount of incidents you need to respond to.
Many are trying to address this sharing problem — hence the creation of Information Sharing and Analysis Centers, aka ISACs. There are a boatload of ’em — 18 listed on Wikipedia’s page on ISACs. Each of these ISACs is specific to an industry, so in theory there is relevancy built in to the information that is shared. The intent of these ISACs is sound, and there are many good people working to make these ISACs really useful. But they have their limits as well. We all have businesses to run and support after all.
So how do we take the ISAC concept up a notch, where the intel being shared is more than relevant, but SPECIFIC to your business? Privatize the ISAC to fit your own business ecosystem. This means pulling in your partners and suppliers. You should already be sharing information with them anyway, just include cyber as part of it.
Whether you are a big, medium or small business, most likely you have partners and suppliers that are an extension of your cyber footprint. They typically have some level of access to to your network, applications and data. Having these intersecting points allows business to run more efficiently. But with these intersections comes risk. A company’s suppliers are often integral to their business — I need X and Y to fulfill Z, and X comes from a supplier. Suppliers that don’t pay enough attention to security ultimately can cause a very direct and painful impact on your business (Target is the obvious supply chain cyber example used often, but there are plenty more where that came from).
As opposed to sharing information with folks you don’t know (and let’s be honest, how much do you want to really expose to a wider audience not within your control?), your own supply chain is, for all intents and purposes, just an extension of your own enterprise. It only makes sense that your security “umbrella” should extend out a bit over them as well.
As such, sharing info, analysis and expertise within your “extended family” can be very valuable to establishing the kind of early warning system that is the promise of cyber information sharing to begin with — and without most of the risks.
Sharing threat intelligence, risk identification and other analysis with your partners helps you help yourself. Cybercriminals work together and share information all the time in Dark Web forums and even sometimes out in the open.
Sharing is caring. And the group of folks that you will get the most value out of sharing cyber threat intelligence with are the companies in your supply chain.
I am a practical guy. I don’t like to waste a lot of time and tend to gravitate to things that work, whether I originally thought up the idea or if someone else did. I’m of the “if it works then it works” mantra. Much of that attitude stems from joining the military and being thrust into a culture that demands outside-the-box-thinking. Assess the problem and work through scenarios, use past experience and lessons learned, use the right tool for the right job and lastly, be mission oriented.
When it comes to cyber threat intelligence (CTI), the key value can be unlocked by making it practical. What are the answers to the “so what” questions? Why would anyone want to spend budget on this? CISOs and like roles have a lot of headaches. How does this help that headache? How do I make this stuff useful to decision makers? Who are the decision makers? Why would they care?
The problem is the value from CTI is being misrepresented. What I’ve noticed is that there is an overwhelming drum beat towards tools — tools that will sprinkle pixie dust over your threats and make things “actionable.” But getting an avalanche of data is not the same as evaluated intelligence — and yet they get confused way too often.
Information is raw and unfiltered. Intelligence is organized and distilled. Intelligence is analyzed, evaluated and interpreted by experts. Information is pulled together from as many places as physically possible (creating an unnecessary and unrealistic workload for any analyst team to organize, distill, evaluate, etc.), and may be misleading or create lots of false positives. Intelligence is accurate, timely and relevant.
The reality is that “actionable” really just means a new alert/alarm/event that you now have to whack-a-mole. In some of the presentations I’ve given I’ve talked about the “actionable, actionating, actionator.” Sounds ridiculous right? That’s the point. But this is more common than it should be. And because of this teams are getting dragged away from productive efforts and into areas that are less productive.
This should not be surprising as many of the CTI vendors are tool builders, and no surprise, they push tools to solve the problem. However, here is where I will deviate, my background is that of a CISO, Program Manager, Team Builder. I am seeing a big disconnect between threats that are present in our industries and the practical application of resources — combination of people, process and technology — to reduce the likelihood of those threats from becoming a reality.
You see there’s a big difference between security tools and programs. Security tools (or feeds) are bolt-on and output-driven while security programs encompass people, process and technology … and they are OUTCOME-driven.
Threat intelligence should be outcome-driven vs. output driven. In my previous role as a CISO, I wanted and needed to know about threats that were specific to my organization. I needed to know what capability, opportunity and intent those threat actors had, along with a plan to ensure we were well-positioned before an event occurred (and in case we were not ready, that we had an effective plan in place as we moved from event to incident to breached).
So as you look at the many “threat intelligence” options out there, ask yourself this: will this intel drive the organization to make the right decisions and take the right actions?
Don’t try to bite off more than you can chew and start simple by focusing on evaluated intelligence. From there make your risks learnable by separating out random (or un-analyzed) risks from what is more likely so you can reduce your uncertainty — and then tie those learnable risks to the characteristics of your business.
SurfWatch Labs, Inc. 