By Milda Petraityte, Senior Manager – Cyber Security at Reliance Cyber
Anyone who has served in the military, and particularly anyone who has been on a dangerous combat mission, knows how important it is to have information about the enemy. Understanding the enemy's capabilities, location, numbers, means of communication and other pieces of intel gives a great deal of insight into what they plan to do next and, perhaps most importantly, how and where they plan to attack.
All of this information is needed to prepare for and respond appropriately to upcoming attacks, and to strike where the enemy does not expect it. Lacking such intelligence can have serious consequences for the people taking part in the mission.
Working in the comfort of our offices, or sitting on the couch at home working remotely, we don't tend to think about the realities of war zones, since all we are dealing with is 'just' the Internet. So is the analogy simply overdramatic for someone more accustomed to receiving bulletins of new security vulnerabilities from an outsourced SOC?
After all, leafing through the occasional bulletin you've subscribed to probably does enough to tick the box for the new Threat Intelligence control (Annex A 5.7) in your ISO27001:2022 compliance programme. Or does it?
Meeting Compliance Requirements
While receiving some information can arguably tick the compliance box, the obvious question is whether 'ticking the box' should ever be the goal. Is it worth doing something that only creates a false sense of security?
According to ISO27002:2022, the implementation guidance for the ISO27001 controls, threat intelligence should be relevant, insightful, contextual and actionable. To get there, threat intelligence activities should include establishing the objectives for threat intelligence, identifying and selecting information sources, collecting information from those sources, and then processing, analysing and communicating it.
Your SOC's weekly bulletin cataloguing vulnerabilities fits the 'collecting information' activity, but if no action follows from receiving it, it covers none of the others listed above. It would be comparable to collecting information about various enemies just to have a feeling of accomplishment, without knowing what to do with it or how it benefits the mission. Potentially valuable data is relegated to 'noise' and provides no material intelligence: a list of vulnerabilities only becomes intelligence once it has been matched against your own estate (which products and versions you actually run, what is exposed, what matters to the business) and turned into a decision.
Focusing on Meaningful Improvements
It could be said that those who focus on compliance in order to improve cyber security get neither compliance nor security. Organisations should always have a clear vision of the 'why' and the 'what': why they embark on a mission, and what good looks like, or at least what the target state should be when the mission ends. In other words, to complete the mission without painful sacrifices, they must carefully consider how the operation could be endangered and who could be interested in endangering it.
The next step is understanding the 'how': how to reach the defined target state. Many organisations start off by confusing risks with threats, or treating them as the same thing. Analysing the risks (how the mission could be endangered, and with what impact) and analysing the threats (who could be interested in endangering it, and what they are capable of) are not the same activity, even though the second feeds the first.
This confusion often gets in the way of making meaningful improvements, and the lack of consensus becomes a distraction from the right objectives. Having a clear understanding of the 'why', the 'what', the 'how' and the 'who' is therefore the first step to getting threat intelligence right.
Proactive Cyber Security Management
Threat intelligence programmes succeed when they have clear objectives and defined questions that need answering, against which accurate information can be collected. If the information a threat intelligence feed provides cannot be used for any risk management decision, it is worth asking whether it adds any value or just creates noise.
Most organisations are content to collect threat intelligence from external sources; very few research and regularly investigate their own technology environment through threat hunting. Not hunting is comparable to having a mole in the mission who regularly passes intelligence about planned activities to the enemy and endangers the mission every time, while nobody knows about it.
Organisations that do not wait for a compromise but act as if they have already been breached (the 'assume breach' mindset), and can therefore quickly identify and remove any 'moles', are arguably more successful at defending their estate than those that only collect information from outside sources. Externally supplied information often fails to be contextual and relevant to the organisation, and the organisation itself either lacks the understanding to make it useful or lacks the time to do the analysis.
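To make concrete the difference between collecting a bulletin and producing intelligence that is contextual and actionable (the point made earlier about the SOC's weekly bulletin, and here about external information lacking context), the following is an added example; it is not code from the original article or from Reliance Cyber. It takes a small constructed vulnerability bulletin and a constructed asset inventory (every advisory ID, product name, version and hostname is an invented placeholder, not a real vulnerability or system), keeps only the advisories that affect something the organisation actually runs, scores each hit by known exploitation, exposure and business criticality, and attaches a recommended action. Advisories that match nothing in the inventory are reported separately as noise. The scoring weights and action thresholds are illustrative assumptions, not a standard.

```python
# Added example: turn a raw vulnerability bulletin into contextual, actionable
# findings. All advisories, products, versions and hosts below are constructed
# placeholders, not real vulnerabilities or real systems.
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """One item from an external bulletin: collected, but not yet contextualised."""
    advisory_id: str
    product: str
    fixed_version: str       # first version that is no longer affected
    exploited_in_wild: bool  # the kind of field a vetted feed supplies
    severity: str            # "low" | "medium" | "high" | "critical"


@dataclass(frozen=True)
class Asset:
    """One entry from the organisation's own asset inventory."""
    hostname: str
    product: str
    version: str
    exposure: str            # "internet" or "internal"
    business_critical: bool


@dataclass(frozen=True)
class Finding:
    # An advisory that applies to one of our assets, with a decision attached.
    advisory_id: str
    hostname: str
    score: int
    action: str


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(version: str) -> tuple:
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Relevance check: same product and running a version older than the fix."""
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.fixed_version))


def priority_score(adv: Advisory, asset: Asset) -> int:
    """Context turns severity into priority (weights are illustrative assumptions)."""
    score = SEVERITY_RANK[adv.severity]
    if adv.exploited_in_wild:
        score += 3
    if asset.exposure == "internet":
        score += 2
    if asset.business_critical:
        score += 1
    return score


def recommended_action(adv: Advisory, asset: Asset) -> str:
    """The 'actionable' part: a decision rather than a vulnerability count."""
    if adv.exploited_in_wild and asset.exposure == "internet":
        return "emergency: patch or isolate within 72 hours"
    if adv.exploited_in_wild or asset.exposure == "internet":
        return "patch within 7 days"
    return "patch in next maintenance window"


def triage(advisories, inventory):
    """Return (findings sorted by priority, advisory IDs that are noise for us)."""
    findings, noise = [], []
    for adv in advisories:
        hits = [a for a in inventory if is_affected(a, adv)]
        if not hits:
            noise.append(adv.advisory_id)   # irrelevant to our estate, however scary
            continue
        for asset in hits:
            findings.append(Finding(adv.advisory_id, asset.hostname,
                                    priority_score(adv, asset),
                                    recommended_action(adv, asset)))
    findings.sort(key=lambda f: f.score, reverse=True)
    return findings, noise


# Constructed sample bulletin and inventory (placeholder names and versions).
SAMPLE_ADVISORIES = [
    Advisory("ADV-001", "proxy-server", "2.5.0", exploited_in_wild=True, severity="high"),
    Advisory("ADV-002", "file-transfer", "9.6", exploited_in_wild=False, severity="medium"),
    Advisory("ADV-003", "erp-suite", "4.0.0", exploited_in_wild=True, severity="critical"),
]
SAMPLE_INVENTORY = [
    Asset("web01", "proxy-server", "2.4.1", "internet", business_critical=False),
    Asset("web02", "proxy-server", "2.5.1", "internet", business_critical=False),
    Asset("xfer01", "file-transfer", "9.4", "internet", business_critical=False),
    Asset("db01", "file-transfer", "9.3", "internal", business_critical=True),
]

if __name__ == "__main__":
    findings, noise = triage(SAMPLE_ADVISORIES, SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f.score:>2}  {f.advisory_id}  {f.hostname:<7} {f.action}")
    print("noise (no affected assets):", ", ".join(noise))
```

Run on the sample data, the 'critical, exploited' advisory ADV-003 is the one that ends up as noise, because nothing in the inventory runs that product, while a 'high' advisory against an Internet-facing host becomes the top finding. That inversion is exactly what the bulletin on its own cannot tell you; it only appears once the feed is processed against the organisation's own context.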
It may be that by introducing the Threat Intelligence control, ISO27001 is inviting us to think more strategically about managing cyber security. Since threat intelligence requires clear objectives and questions to answer, it also requires a shift in perception: away from reactive cyber security and box ticking for compliance, and towards a proactive approach to managing security across the business. That means assuming the enemy is already inside our premises and actively pursuing it, on a regular basis, either to find and remove it or to show that the assumption has not yet materialised.
Threat intelligence done right provides more accurate insight into cyber security risks and their severity, enables better-informed risk decisions, and guides subsequent improvement activities and strategic plans for the security of the business. It lets us stay in control of the mission we have embarked on, be aware of the dangers lurking round the corner, and protect our most important assets through well-informed decisions.
How we can help
If you would like to speak with an expert about your threat intelligence, we are here to help. Get in touch to arrange a free consultation with one of our cyber security consultants today.