SANS Digital Forensics and Incident Response Blog

Three Steps to Communicate Threat Intelligence to Executives.

As the community of security professionals matures there is a merging of the intel community, the incident response professionals, and security operations. One struggle folks have is how to make the threat intelligence actionable for the business. You have the large data from Recorded Future, yet, how do you apply the data in a practical way and communicate to the business?

The answer is keep it short and to the point and in the risk language, they use. Bring solutions, not problems to the table. An executives greatest challenge is time. They want smart people who can make the day to day decisions to protect the company from attacks, in order for them to address large strategic topics.

In addition, the business media channels are talking about the security problems. Just browse to The Wall Street Journal and see the latest cyber security news posts. That is good for our profession, so we need to be proactive. How do we be proactive? There are four steps that need to be done.

The first is know what is a business differentiator for the company. Ask the executives what makes this organization competitive. Why is it different? Ask how might that difference be vulnerable to cyber-attack?

The second step is to do the analysis. Be proactive, being situationally aware, Recorded Future can provide access to that data. Not only knowing the threats, but how they apply to the organization. What part of the kill chain does the attack occur? Does it already map to an attacker campaign?

I'll give a fictitious example. You are an analyst at a power company. Reading the latest blogs on exploits and attacks you see a media release of a new type of malware attacking the power grid. You know from business discussions that power production is critical for the business. Is the threat, "the new malware" a risk to the organization?

Using Recorded Future, search for the first time the malware was mentioned in the score card. In the case below of the Furtim malware, Recorded Future data shows blogs from a few years ago and a Virus Total post too. So much for the vendor hype that this is a new threat.

Ask yourself, does the organization have mitigations and controls in place to stop the threat, in this case at this point in time, the organizations anti-virus does detect the malware. Are there any other controls in place? Are there mitigations in place? Maybe there is an IPS signature in place. If not, then run the attack in a test environment, build blue team solutions. Begin tracking the attack indicators and possible campaign by mapping the attack to the kill chain for the organization.

The third step is to communicate. Executives understand risk, so explaining the threat in terms of risk is effective and if there is not a control in place find one and communicate when it will be implemented. Below is a canned example:

Dear All,

I'd like to make you aware of an item, in case you are asked about it. It involves a business concern, the power grid. It appears there are a couple articles on the internet about a malware sample called Furtim, getting more media attention.

One of the articles becoming popular is found here: https://sentinelone.com/blogs/sfg-furtims-parent/

The article makes a few points to gain media attention.

Such as:

  • "sophisticated malware campaign specifically targeting at least one European energy company"
  • "potentially shut down an energy grid "
  • "The sample appears to be targeting facilities that not only have software security in place, but physical security as well "

So I took a look to see if we are protected or if there are gaps in the organization. What the authors forget to mention is that for the infect to work, other gaps are needed. For example, the sophisticated malware, in the article is a "final payload" and needs to use another common malware to infect a computer before it can be harmful. After researching the Furtim malware and with the virus total results found here

https://www.virustotal.com/en/file/766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963/analysis/ the information shows Anti-virus detects the common malware as part of the infection chain. Granted the malware can be re-coded but based on the current information I have today, this is a low risk to the organizations environment. I'll continue to monitor logs for specific connections out from our network that are related to command and control.

If you have questions, please feel free to contact me.

In General, follow the three steps to apply threat intelligence. One, know the organization you are defending, what drives it? Two, be technically proactive, do the research, analyze the attack data and map it to the kill chain. Three, communicate risk and solutions. For more information about practical threat intelligence see Rob M. Lee's blog and enroll in the SANS Threat Intelligence class.