The Need for Industry Accepted Cyber Intelligence Standards
Today, if you spend any time working in the cyber security industry you will inevitably hear the term “threat intelligence” tossed around like candy. Most people have a general understanding of what threat intelligence means, but in case you forgot, or have never seen a formal definition, the generally accepted industry definition (depending on who you are talking to) of threat intelligence is:
Then Gartner charges $195 to read the rest of their paper…
Unfortunately, good old-fashioned commercialism has completely saturated the term “threat intelligence” and, until fairly recently, aggressively marketed it as something along the lines of an indicator of compromise (IOC) feed for sale.
Let’s be real: if we stick with Gartner’s definition above, companies that follow this model are really selling “threat information,” not threat intelligence. Further, many of these same companies turn a profit by teaching organizations how to “do” threat intelligence, and yet the organizations that can afford to bring these firms in still struggle to meet their goals. Thankfully, many of us know today that the answer to all of our security woes is not a multi-thousand-dollar-per-year indicator sharing feed.
Acquiring the indicator sharing feed is where many organizations stop when it comes to implementing threat intelligence. This is mainly because businesses are not sure how to implement or apply a threat intelligence program that creates value for the organization, so existing threat intelligence analysts become “indicator sharing” analysts instead of highly skilled cyber intelligence analysts. Organizations begin focusing on how many IOCs the “threat intelligence team” has loaded into a glorified indicator sharing platform (also known as a threat intelligence platform), or on how the team can help the security operations center build context around individual events and maybe an incident here and there. Granted, all of this is valuable to any organization, but it is not all that threat intelligence is.

A moment of clarity: yes, we need our indicator of compromise (IOC) sharing feeds. We live and work in such a fast-paced environment that we need the newest IOCs on our endpoints as soon as they are discovered, because IOCs are typically useless after a short period. Many organizations are willing to pay top dollar to ensure they have the most timely “threat information” they can get their hands on. There is nothing wrong with this; keep doing it.
However, threat intelligence is more than ensuring endpoints have the most up-to-date IOCs, and thankfully most people today agree with this. Despite that agreement, I have seen multiple organizations in the private sector as well as government, with both large and small teams, still struggle to break out of the tactical mindset and start developing operational and strategic level intelligence while continuing to tend to the tactical.
The Center for Cyber Intelligence (CCI) was established to address this problem. CCI develops and improves cyber intelligence standards to mobilize and encourage the cybersecurity community to build a threat intelligence capability. Further, we exist to motivate the cyber intelligence community to share knowledge, experience, and expertise in order to identify and validate cyber intelligence best practices.
Probably most important, CCI is unique in that it was created by and for the cybersecurity community and operates as a volunteer-based organization. We do not seek any profit from this venture; we seek only to establish threat intelligence standards.
The Cyber Intelligence Framework
By The Center for Cyber Intelligence
I’ve been working in the intelligence field for about 12 years now, and if I’ve learned anything, it’s that intelligence as a practice works when we follow a good process. Cyber intelligence, in practice, is no different from military intelligence; the only difference is the landscape in which you fight. The United States Department of Defense is very good at “doing” intelligence for one fundamental reason: it has standards, policies, and methodologies that are used across all branches of the Department. Further, when working outside the Department, the rest of the U.S. Government recognizes the same processes and methods for conducting intelligence operations. Regardless of the fight, whether air, sea, or land, the same techniques are used to ensure the quick and timely delivery of critical information to the right people at the right time.
So why do we struggle to do this in the cyber intelligence world?
A quick Google search turns up countless white papers, articles (this one soon to be among the search results), and blog posts on how organizations can implement a threat intelligence capability. For the most part, none of these recommendations are wrong or inaccurate. So why haven’t we done it yet? Why does the average organization struggle to operationalize a threat intelligence capability beyond the tactical intelligence level? I’ve read numerous papers and books on this topic, and one would think that with this wealth of information and knowledge the cyber intelligence industry would be more mature, but I continue to find that this isn’t the case.
In the cyber intelligence world I’ve found there are, in general, two types of people:
People with a sharp intelligence background but a weaker IT/cybersecurity background
People with a strong IT/security background but a weaker intelligence background
To be clear, neither type is a poor fit for a cyber intelligence role. However, because of these inherent gaps, we are left with threat intelligence programs that are often very tactically focused. Intelligence analysts straight out of the military or government are commonly accustomed to very tactical operations, the “boots on the ground” fight if you will. And your IT personnel are usually very good at security but aren’t quite sure what you mean when you say their analysis suffers from inherent bias, let alone what “structured analytic techniques” means.
To alleviate these and other industry shortcomings, CCI is putting together the Cyber Intelligence Framework to serve as a guide for private sector and government organizations, both large and small, enabling them to establish a threat intelligence program that provides value at the tactical, operational, and strategic levels. While numerous frameworks exist today that address varying aspects of cybersecurity, there is no open source framework defining how to “do” threat intelligence. CCI’s Cyber Intelligence Framework fills this gap by pulling together industry expertise and existing cybersecurity frameworks to establish a community-accepted standard.
CCI’s Cyber Intelligence Framework is a collection of industry knowledge intended to provide organizations of any size with a guide to establishing a functioning cyber threat intelligence capability within a traditional “cyber security stack.” The framework gives organizations a baseline defining how to structure and build a threat intelligence program capable of informing decision-makers and critical stakeholders of current and potential future cyber threats to their organization at the tactical, operational, and strategic levels.
Today, the CCI Cyber Intelligence Framework is intended as a starting point for the cyber intelligence community to come together and establish a commonly understood model of how we should be doing business. The framework will encompass everything from business requirements down to the kinds of reports a threat intelligence program should produce, ensuring the cyber intelligence community has a “one-stop shop” detailing how to build and implement a capable cyber threat intelligence function.