Skip to main content
Advanced cyber threat intelligence: A first principles approach to risk mitigation

As the field of cyber threat intelligence (CTI) evolves and coalesces around standard practices, invoking the threat intelligence cycle and attack frameworks/models, it is useful to think outside of the proverbial box to leverage foundational security principles to help protect your department, agency, and/or organization and those it serves. In this post, I provide an overview of the concept and will dig a little deeper in my next article, to be published later this month.

Although a relatively new field, cyber threat intelligence products, and resources have grown explosively over the last few years, shaping the workflows and operating practices for analysts. Analysts receive intelligence feeds describing the tactics, techniques, and procedures (TTPs) of adversaries, along with malware analyses and known indicators of compromise (IOCs).  This information is provided to cyber hunt professionals, after which Security Operation Center (SOC) teams focus on detection and blocking efforts. In essence, learn what the bad guys are doing, discern detectable artifacts, and employ tools to discover the artifacts and block or prevent them.

This method relies heavily on detecting hostile activity, whether attribution is made or not. To discern an adversary’s TTPs, someone ─ not necessarily in your own cyber ecosystem ─ needs to be tracking them and making the information available. When starting with published TTPs, there is an inherent measure of separation between known adversary activity and specific organizational risk with respect to cybersecurity goals. In other words, we need to answer the question: “So what?” or “Why do we care, and how does the threat intelligence relate to our operations?”

Binding intelligence more tightly with organizational risk is often accomplished by associating them with an organization’s technology stack or the sectors known to be targeted by various hostile actors. Indeed, discerning likely targets and relevancy of published TTPs comprises a large portion of a CTI analyst’s efforts in mature cyber security operations. Sophisticated cyber threat tools apply AI to automatically compare adversary TTPs against an organization’s technology stack to trim down the non-relevant reporting.

However, what about the unknown attacker, or one for which we have few TTPs, if any, to go by? Here we can employ traditional security approaches to strengthen the linkage to specific organizational risk and cybersecurity goals by working in reverse. Instead of starting with the intelligence and relating it to the corporate tech stack, we start with the undesired events that would disrupt the vital business processes and relate it to how a bad guy could create or facilitate those events within the tech stack. In the first method, we go TTP/IOCs to tech stack (without regard to business processes).  Employing this security approach, we now review business process targets against the tech stack to determine the TTPs required and likely IOCs.

Applying this strategy takes some additional effort, perhaps nudging the CTI analysts out of their normal comfort zone as they research more deeply into organizational business processes and priorities, but the rewards can be worth it. This approach establishes direct linkage to corporate/organizational risk, a rich knowledge of stakeholder needs, illuminates unknown third-party relationships and provides better insight for leveraging geopolitical threat reporting (an emerging trend in CTI products). It may turn out that your normal CTI reporting is spot on, but now it is validated both forwards (starting with actor activity threat) and backwards (starting with business process targets).

The personal relationships you cultivate when researching business processes will also incubate cybersecurity proponents. Your stakeholders will view you as having their best interest at heart and thus improve your credibility and reputation, which in turn leads to greater cooperation and trust in threat/incident information sharing—a win-win-win.

Stay tuned for my next blog, where we discuss this approach in more detail.