Insight by Carahsoft

Using cyber threat intelligence at the operational, tactical levels

Tom Topping, the senior director of strategic programs for FireEye, said agencies need to understand their risks and use cyber threat intelligence to better mitigate them.

The federal government recognized early that it doesn’t corner the market on cyber threat intelligence. This concept becomes even more important when you consider the growing use of connected devices and the fact that 85 percent of the nation’s critical infrastructure is run by the private sector.

The Homeland Security Department has launched several programs over the last five years to improve the collection and sharing of cyber threat data.

DHS’s Automated Indicator Sharing (AIS) program turned two years old back in October. While progress to achieve two-way sharing has been slower than the agency hoped, more than 250 commercial organizations are participating in AIS where most of the sharing is one way—from the government to industry.

Over at the Defense Department, the Joint Force Headquarters-DoD Information Networks is testing a new data analytics platform that’s meant to use automated data analytics techniques to spot the sorts of behavior adversaries have been known to engage in as they lay the groundwork for an attack.

Tom Topping, the senior director of strategic programs for FireEye, said agencies need to do a better job of analyzing information to make it more valuable.

“Really for it to become intelligence, you have to analyze the data in such a way that it becomes useful,” Topping said on the Innovation in Government show. “To someone who needs to use it, it has to be timely, it has to be accurate and they’ve got to be able to use it.”

Topping said public and private sector organizations have an opportunity to use cyber threat data to improve their defenses against attacks.

“If you can take cyber intelligence and use that to understand who your threat actors are and if you know who is coming after you and you know how they attack organizations, all of a sudden your problems become smaller,” he said. “That is one of the real metrics you want cyber intelligence to do for you. You don’t want it to flood you with data and make your problem harder. You want it to enable your organization to focus and then to take it from very specific indicators all the way up to being able to talk to the executives about risk.”

And it is in that risk management discussion that the value of cyber threat intelligence increases.

Topping said that as agencies implement the National Institute of Standards and Technology’s Risk Management Framework, they will have a better grasp of what their high value assets are, which of them hackers may be coming after, and what the consequences would be if that data were stolen, changed or destroyed.

“It’s only from that can an organization decide what’s appropriate for addressing the risk,” he said. “Then you want to turn to cyber threat intelligence to look at those threat actors that are targeting that kind of information, what tools, techniques and procedures (TTPs) that they are using to breach organizations, compromise that information and steal it. That’s how cyber threat intelligence can make a difference for a lot of organizations.”

Topping added that the more an organization can focus on the threats and risks, the more efficient they can be in defending their systems and data, including deploying tools and people.

“At the tactical level, if that cyber threat intelligence is deep and current, you can take those indicators and TTPs and you can plug them into your sensors and look into those parts of your systems where the bad guys are going to operate and you can give the people on the very front line the data and direction they need to go find those threat actors that are most concerning for you,” he said. “Comprehensive cyber threat intelligence can enable the people in the security operations center and the chief information security officer to approach the executive team and talk to the executive team in terms of risk around the mission. That is how the leadership thinks, what is the risk to the organization? Having that cyber threat intelligence that can span that from tactical to strategic enables the folks to have a conversation with leadership around the risks to the mission.”
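The tactical-to-strategic path Topping describes, plugging indicators and TTPs into sensors and then rolling the hits up into an actor-level view that leadership can discuss as risk, is simple to show in code. The following is an added example, not code from the article or from FireEye: it matches a small indicator feed against log lines and summarizes the hits per threat actor. The feed entries, actor labels (ACTOR-A, ACTOR-B, ACTOR-C), indicator values and log lines are all constructed placeholders, and the key=value log format and the confidence threshold are assumptions of the example.

```python
"""Match a threat-intelligence indicator feed against log lines and roll the
hits up per threat actor.  Added example; feed, actors and logs are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str        # "ipv4", "domain" or "sha256"
    value: str
    actor: str       # constructed actor label, not a real group name
    ttp: str         # short note on the technique the indicator supports
    confidence: int  # 0-100, as an intel feed would score the indicator


# Constructed indicator feed (documentation-range IPs and example domains,
# not real IoCs).  The last entry is deliberately low-confidence.
FEED = [
    Indicator("domain", "update-check.example.net", "ACTOR-A", "C2 over HTTPS", 90),
    Indicator("ipv4", "203.0.113.45", "ACTOR-A", "staging server", 70),
    Indicator("sha256", "a" * 64, "ACTOR-B", "credential dumper", 95),
    Indicator("domain", "cdn.example.org", "ACTOR-C", "stale, likely benign CDN", 20),
]

# Constructed log lines in a simple key=value style (assumed format).
LOGS = [
    "2024-03-01T10:00:01Z host=ws-017 dst=203.0.113.45 dport=443 bytes=8812",
    "2024-03-01T10:00:04Z host=ws-017 query=update-check.example.net type=A",
    "2024-03-01T10:00:09Z host=ws-017 proc=svchost.exe sha256=" + "a" * 64,
    "2024-03-01T10:00:12Z host=ws-022 query=cdn.example.org type=A",
    "2024-03-01T10:00:15Z host=ws-031 dst=198.51.100.7 dport=80 bytes=120",
]

KV = re.compile(r"(\w+)=(\S+)")
# Which log fields carry which indicator kind.
FIELD_KIND = {"dst": "ipv4", "src": "ipv4", "query": "domain", "sha256": "sha256"}


def index_feed(feed, min_confidence=50):
    """Build a (kind, value) -> Indicator lookup, dropping low-confidence entries
    so that stale or weak indicators do not flood the analysts with hits."""
    return {(i.kind, i.value.lower()): i for i in feed if i.confidence >= min_confidence}


def match_logs(logs, feed, min_confidence=50):
    """Return a list of (timestamp, host, Indicator) for every log field that
    matches an indicator of the right kind."""
    lookup = index_feed(feed, min_confidence)
    hits = []
    for line in logs:
        fields = dict(KV.findall(line))
        timestamp = line.split(" ", 1)[0]
        host = fields.get("host", "?")
        for key, kind in FIELD_KIND.items():
            if key in fields:
                indicator = lookup.get((kind, fields[key].lower()))
                if indicator is not None:
                    hits.append((timestamp, host, indicator))
    return hits


def summarize_by_actor(hits):
    """Roll tactical hits up into the per-actor picture leadership asks about:
    which hosts each actor touched, which TTPs were seen, and how many hits."""
    summary = defaultdict(lambda: {"hosts": set(), "ttps": set(), "hits": 0})
    for _, host, indicator in hits:
        entry = summary[indicator.actor]
        entry["hosts"].add(host)
        entry["ttps"].add(indicator.ttp)
        entry["hits"] += 1
    return {
        actor: {"hosts": sorted(v["hosts"]), "ttps": sorted(v["ttps"]), "hits": v["hits"]}
        for actor, v in summary.items()
    }


if __name__ == "__main__":
    for timestamp, host, indicator in match_logs(LOGS, FEED):
        print(f"{timestamp} {host} matched {indicator.kind}={indicator.value} "
              f"({indicator.actor}: {indicator.ttp})")
    for actor, view in summarize_by_actor(match_logs(LOGS, FEED)).items():
        print(actor, view)
```

With the default threshold the low-confidence CDN indicator is ignored, so ws-017 shows two ACTOR-A hits and one ACTOR-B hit while ws-022 and ws-031 produce nothing; lowering `min_confidence` to 0 brings the stale indicator back and adds the noise Topping warns about.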

Topping said agencies should start down the path of using more cyber threat intelligence by conducting an internal review to see what data they have access to and what results they are getting from the information. Then ask for help from industry or other federal partners to fill in any gaps.

About FireEye

FireEye is an intelligence-led security company. Working as a seamless and scalable extension of customer security operations, FireEye offers a single platform that blends innovative security technologies, military-grade threat intelligence and world-renowned Mandiant expertise.

FireEye’s focus on Government enables federal, state, local and public education entities to save time and money as they look to add holistic, cloud-based security to meet the challenges of delivering on advanced threat protection. With recent achievement of FedRAMP authorization for its cloud-based Email Threat Prevention (ETP) solution, FireEye continues its pursuit in supporting key Government missions around the world.

FireEye eliminates the complexity and burden of cyber security for organizations struggling to prepare for, prevent and respond to cyber attacks. FireEye has over 5,800 customers across 67 countries, including more than 40 percent of the Forbes Global 2000.


Resource Center

Top 5 Ways to go Beyond Prevention

Endpoints are popular targets of advanced threats such as ransomware attacks. The best solutions detect, investigate and respond to alerts quickly.

This short video series covers 5 important capabilities to look for as you consider a more comprehensive endpoint solution:

  1. Intelligence-led endpoint security
  2. Multiple detection & prevention engines
  3. Integrated workflow
  4. Automated detection and prevention
  5. Single, consolidated agent