Cyber threat intelligence is an essential element for any business, but organizations often don’t know how to use and process this information. Militaries use threat intelligence to predict and prevent problems, and the same principles can be used to protect your customers.
Leveraging threat intelligence means being strategic, operational and tactical, according to Vince Crisler, now the chief strategy officer at Celerium and member of the CompTIA ISAO Council, who spent many years working in federal and military agencies before starting his own company.
“Threat intelligence isn’t just about bad guys attacking you, it’s about finding all the vulnerabilities in your system,” said Crisler, during a breakout session at CompTIA ChannelCon 2022 called “Making Cyber Threat Intelligence Part of Your Organization’s Muscle Memory.” Crisler outlined several phases that can help you make threat intelligence a part of your organization’s muscle memory. Here’s a closer look at each:
First, get good data on current breaches, their financial impact, and the trends and activities of bad actors.
“This stuff is important for you to understand to be knowledgeable in the field as well. It's also good advertising and marketing for your big, high-level stuff. This is what can help get your customer to understand what's going on,” said Crisler.
Use data from trusted places like:
The second phase is using that data. Take a look at your tactics, techniques and procedures.
“The operational level is around running your day-to-day business,” Crisler said. “This is how you're planning, how you're thinking about risks and also the intelligence you collected.”
Identify potential targets and analyze how your business operates. Who are the potential targets in your system? Classify the technologies you’re using. “If a vulnerability comes out against it, I want to know,” said Crisler. “That’s threat intelligence.”
Operational also means cooperation, with open threat intelligence communities and research groups sharing information about current threats.
Crisler calls the tactical phase the hardest part of cyber threat intelligence because it involves finding your own vulnerabilities. Think like a hacker and try to break into your own system. Reverse engineer malware, look at logs and spend time analyzing malicious code and forensics data.
“Part of this is figuring out how they could get in,” Crisler said. Once you’re in, download an exposed server, download the code and see how you could spread laterally across your surface.
The point of the tactical phase is to act before you have to react. Then you can use the weaknesses you find to protect your customers. “Are there ports open on firewalls for customers that you don’t know are open?” said Crisler. “The recon can tell you how exposed you might be.”
You can even use tools to see if people are planning on targeting your customers. “You can see how people are doing recon against your organization,” Crisler said. “Are you getting scanned more than last week?”
Act Before You Have to React
Treating your system like an end-to-end process instead of piecemeal portions will help prevent embarrassing mistakes. Patch those vulnerabilities. Set alerts for when the system encounters activity from an outside user.
Using cyber threat intelligence will also help you respond calmly to potential threats without freezing and overthinking. Practice is an important part of getting a response plan into your muscle memory.
“Muscle memory is the ability to do something without thinking about it,” Crisler said. “It’s like juggling. If you think about juggling, you mess it up. Once you get really good at it, it’s amazing what you can do once you get that muscle memory in place.”