SANS Digital Forensics and Incident Response Blog

Your Cyber Threat Intelligence Questions Answered


As we prepare for the sixth year of the SANS Cyber Threat Intelligence (CTI) Summit, advisory board members Rebekah Brown, Rick Holland, and Scott Roberts discuss some of the most frequently asked questions about threat intelligence. This blog will give you a bit of a preview of what you can expect during the CTI Summit on January 29th and 30th.

How Can New Analysts Get Started in CTI?

Scott Roberts: There are many paths to get into CTI that draw on a lot of different interests and backgrounds. The two major paths start with either computer network defense or intelligence. As a network defender, you start with a solid background in developing defenses and detections, determining what adversary attacks look like, and using basic tools. On the other side, starting from an intelligence analysis background, you start with an analytical framework and method for effectively analyzing data, along with an understanding of bias and analysis traps. In either case, you want to build your understanding of the other side.

This happened to me when I came into CTI. I had a background as a Security Operations Center analyst and in incident response, but I had minimal understanding of analytical methods, bias, or strategic thinking. What helped me was meeting my friend Danny Pickens. Danny came from the opposite background as a U.S. Marine Intelligence analyst. The result was that we traded our experiences: he taught me about intelligence and I taught him about network defense. We ultimately both ended up more complete analysts as a result.

What Is the Best Size for a Threat Intelligence Team?

Rebekah Brown: The best size for a threat intelligence team depends greatly on what exactly it is that the team will be doing. So before you ask for (or start filling) headcount, make sure you know the roles and responsibilities of the analysts. Rather than starting with a number — for example, saying "I need three people to do this work" — start by looking at the focus areas the responsibilities require. Do you plan on supporting high-level dissemination, such as briefing leadership, and on providing tactical support to incident responders? You may need two different people for those roles. Do strategic-level briefs occur once a week but require a lot of preparation? That may be a job for one person. Is incident response support ongoing, and is your incident response team going to be working 60 hours a week on several engagements? You may need more than one person for that role. Understanding the responsibilities and requirements will help you build the right size team with the right skills.

Why Does My CTI Team Need Developers, and How Can They Be Used?

Scott Roberts: In many ways, the start of CTI is a data-wrangling problem. When you look at the original U.S. intelligence cycle, the second and third steps (collection and processing) are data-centric steps that can be highly automated. The best CTI teams use automation to handle the grunt work so analysts can focus on the analytical work that's much more difficult to automate. No team has enough people, and developers can act as force multipliers by making data collection and processing programmatic, automatic, and continuous, ultimately letting computers do things computers are good at and letting human analysts focus on the things humans are good at. Learning some Python or JavaScript lets a single analyst accomplish far more than he or she could do by hand.
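The collection and processing steps mentioned above are the ones most often handed to a developer. The following is an added example, not code from the SANS post or from Scott Roberts, showing what a small automated processing step looks like: it takes a constructed, messy indicator list of the kind analysts receive by e-mail (mixed types, inconsistent defanging, comments, duplicates), refangs it, classifies each entry, and de-duplicates so the analyst starts from clean structured records. All feed lines, names and the `Indicator` type are assumptions made for this example.

```python
"""Added example (not from the SANS post or its authors): a small
indicator-processing step of the kind the intelligence cycle's
'processing' phase can automate. Sample feed data is constructed."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of a raw, human-written indicator list: mixed types,
# inconsistent defanging, a comment line, leading whitespace and duplicates.
RAW_FEED = """\
# shared by partner team, constructed sample data
hxxp://example[.]test/path
EXAMPLE[.]TEST
192.0.2.44
192[.]0[.]2[.]44
d41d8cd98f00b204e9800998ecf8427e
 http://example.test/path
not-an-indicator!!
"""

# Hex digest lengths map to the hash algorithm they almost always denote.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


@dataclass(frozen=True)
class Indicator:
    kind: str    # "ip", "domain", "url", or a hash algorithm name
    value: str   # normalized form used for comparison and de-duplication


def refang(text: str) -> str:
    """Undo common defanging so equivalent spellings compare equal."""
    text = text.strip()
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)          # 1[.]2 -> 1.2
    text = re.sub(r"^hxxp(s?)://", r"http\1://", text, flags=re.I)  # hxxp -> http
    return text


def classify(token: str) -> Optional[Indicator]:
    """Return a normalized Indicator for one feed line, or None if it is not one."""
    token = refang(token)
    if not token or token.startswith("#"):
        return None
    # Hashes: pure hex of a known digest length.
    if re.fullmatch(r"[0-9a-fA-F]+", token) and len(token) in HASH_LENGTHS:
        return Indicator(HASH_LENGTHS[len(token)], token.lower())
    # IP addresses (v4 or v6), canonicalized by the stdlib.
    try:
        return Indicator("ip", str(ipaddress.ip_address(token)))
    except ValueError:
        pass
    # URLs: lower-case scheme and host, leave the path untouched.
    if re.fullmatch(r"https?://\S+", token, flags=re.I):
        scheme, rest = token.split("://", 1)
        host, sep, path = rest.partition("/")
        return Indicator("url", f"{scheme.lower()}://{host.lower()}{sep}{path}")
    # Domains: dotted labels with an alphabetic top-level label.
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}", token, flags=re.I):
        return Indicator("domain", token.lower())
    return None


def process_feed(raw: str) -> List[Indicator]:
    """Parse a raw feed into unique, normalized indicators in first-seen order."""
    seen: Dict[Indicator, None] = {}
    for line in raw.splitlines():
        ind = classify(line)
        if ind is not None:
            seen.setdefault(ind, None)   # dict preserves insertion order
    return list(seen)


if __name__ == "__main__":
    for ind in process_feed(RAW_FEED):
        print(f"{ind.kind:8} {ind.value}")
```

The order of checks matters: the hash test runs before the IP test so a 32-character hex string is never mistaken for anything else, and the URL test runs before the domain test so a bare host is only classified as a domain when no scheme is present. Running this over the constructed feed yields four records (one URL, one domain, one IP, one MD5) from eight input lines.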

How and Where Do I Get the Internal Data I Need to Do Analysis?

Rebekah Brown: Internal data for analysis comes in all shapes and sizes. Many people automatically think of things like firewall logs and packet captures, and those are definitely critical pieces of information. However, that isn't all there is to analyze. If we are trying to understand the threats facing our organizations, we should look to past incidents (i.e., log data), but we should also look forward. What is the business planning? Are we entering new markets? Are we making any announcements or affiliations that could change the way we look at adversaries? What are the critical systems or data that would cause significant operational impact if they were targeted? All of this information should be included in the analysis of the threats facing you. As far as how you obtain that information, well, you have to ask, although this often means figuring out the right people to ask and establishing relationships with them, and THEN asking. It takes time, but the investment in those relationships within your organization will ensure that you have the right information when you need it. Information-sharing isn't just something we need to work on with external partners; it is something we need to foster internally as well.

What Is the Best Way to Communicate the Value of Threat Intelligence Up the Chain of Command?

Rick Holland: We struggle to implement effective operational metrics, so it isn't surprising that I often get asked how to communicate the value of threat intelligence to leadership. This is extremely important if your team has been the beneficiary of a budget increase, as you will have to show the benefits of that investment and the trust afforded your team. You should start off by understanding how your organization makes money (or how it accomplishes its mission). I know that sounds like a Captain Obvious statement, but so many defenders don't truly understand the people, processes, assets, infrastructure, and, most importantly, the business metrics that their company cares about. Are you in retail or financial services? How can you tie threat intelligence back to fraud? Are you in e-commerce? How can you tie threat intelligence back to website availability? You've probably heard me suggest you check out your company's past annual reports and Form 10-Ks. They will provide helpful context for better understanding what matters to your business.

Join us at the Cyber Threat Intelligence Summit!

Rick Holland: This is the sixth year of the CTI Summit, and those of us on the advisory board are singularly focused on curating content that attendees can take back to their jobs right after the event and immediately implement into their programs. The content will be great, but if you have attended in the past, you know that the relationships developed during breaks, meals, and in the evenings will be the gifts that keep on giving. We all have challenges in our jobs, and establishing a network of peers who we can call on to collaborate is essential. We will have events and activities set up to help you build out those networks.