Considerations for developing a cyber threat intelligence team
The use of a cyber threat intelligence team can greatly help organizations. Learn the best practices for team location and selection from expert Robert M. Lee.
Malware is an adversary's tool, yet the real threat is the human one. Cyber threat intelligence focuses on countering flexible and persistent human threats with empowered and trained human defenders.
During a targeted attack, organizations need a top-notch and cutting-edge threat-hunting or incident response team. This team must be armed with the threat intelligence necessary to understand how adversaries operate and how to counter the threat.
For organizations looking to start threat intelligence teams, there are several factors to consider, such as a proper collection management framework, intelligence requirements to satisfy and data to support the intelligence process. Another critical factor is the team you choose; who to include on the team and where the team should reside within an organization are considerations that require careful deliberation.
Team location
Where you place an intelligence team -- physically and departmentally -- within your organization can bias how the team looks at data. Placement can also influence how the team views the entire organization, which in turn can impact the kind of output team members provide.
Cyber threat intelligence teams are typically placed in the security operations center (SOC) or within the incident response team. While either of these locations is fine, it is important to have a clear understanding of the threat intelligence requirements that help maintain security throughout your organization. It is during this process of understanding the requirements that you will quickly realize where your intelligence team should reside.
An example of poor placement would be placing the team with the vulnerability management group. Vulnerabilities should not be viewed as threats, but simply as components of what threat actors may leverage. If the intelligence team is placed in the vulnerability management group, its field of view may become biased toward satisfying requirements related to vulnerabilities only. There is great value, however, when these teams share information, since this offers the teams a more holistic view.
Threat intelligence teams should be the central point for everything related to adversaries and intrusions. Therefore, the optimal location for threat intelligence teams is in the center of different security teams -- no matter where those teams reside physically or organizationally.
Furthermore, because threat intelligence is based on intrusion analysis, you need to be able to get first-hand analysis of threats. If there are any barriers between the SOC team, the firewall team or whoever is sharing data with the intelligence team, then these barriers must be torn down. One should view the threat intelligence team as the central orchestration point in the security organization and enable various teams to levy intelligence requirements to be prioritized and satisfied by the team.
Team member selection
Deciding who to hire for your threat intelligence team can be a confusing endeavor. Should you hire malware analysts? Forensic experts? SOC practitioners? Ideally, you want a mix of skill sets, as each will bring a unique perspective to the team.
You should also look for diversity, not only in skill sets but also in backgrounds: different ethnicities, a balance across gender, and different cultures and world views. This type of diversity can help fight bias and groupthink, both of which can critically hurt the intelligence process if left unchecked.
Since threat intelligence is a highly exploratory process, you want team members who are inquisitive by nature and who have strong analysis skills. Threat intelligence analysts do not have to be technical experts, but they do have to be experts on what data is going into their intelligence process, and they must be able to interrogate it and its sources.
In short, an individual does not have to be a malware analyst, but if they cannot speak the language or understand what data is and is not valuable, then you will have trouble. In the past, validating candidates' analysis skills was a challenge due to a lack of recognized or concerted credentialing.
While there are a variety of certifications for technical training, until recently, the industry lacked threat intelligence analysis courses and certifications; fortunately, however, things are changing.
Consider the recent launch of the GIAC Cyber Threat Intelligence (GCTI) certification. This type of certification is an important step for the intelligence field because, for the first time, the art of cyber threat intelligence is moving to codify knowledge in a repeatable manner. In this complex and ever-changing threat landscape, it is important for all analysts to earn applicable certifications, whether or not they are directly involved in generating intelligence. The GCTI certification is a good baseline component when considering candidates, as it demonstrates that the candidate understands intelligence analysis and can perform intrusion analysis across complex scenarios.
The candidates you select for your team should satisfy intelligence requirements that reach across tactical, operational and strategic-level positions throughout your organization; this goal requires a team of experts with a variety of backgrounds. It's vital that organizations employ security people who think critically and evaluate various options when faced with complex scenarios. When this is achieved, organizations' personnel will be prepared to defend against human threats by employing pragmatic and proven threat intelligence.
About the author:
Robert M. Lee is a SANS-certified instructor and the CEO and founder of Dragos Inc. He teaches SANS' ICS515: ICS Active Defense and Incident Response course, the industry's first and only incident response and threat-hunting class for ICS, and FOR578: Cyber Threat Intelligence, the industry standard course for threat intelligence training.