xorl %eax, %eax

Growing your intelligence team beyond cyber

leave a comment »

During Recorded Future’s RFUN: Predict 2019 conference in Washington, D.C. Stuart Shevlin, a colleague of mine, and myself recorded a podcast with CyberWire around this topic. Here I would like to expand a little bit more on this area. Note, all of the below are my personal views and do not represent my employer.

Several years ago most businesses with sufficient security resources started their internal CTI (Cyber Threat Intelligence) programs. Slowly but steadily this space grew and formalized more and more. A good example is the SANS CTI course which until a couple of years ago it was still in experimental phase. When I completed it in 2018 it was the first year that you could actually go through GIAC exams to get certified.

On the bright side, intelligence is nothing new. It has been around for thousands of years and because of that it was easy to adapt many of the preexisting knowledge, frameworks and methodologies to the cyber space. On top of that, many people from the IC moved to the private sector which acted as a force multiplier for the cyber threat intelligence teams.

In the beginning, CTI teams were exclusively focused on the cyber aspect. In most cases they were even embedded in the SOC, CSIRT and CERTs. But what changed is that the last few years more and more of the mature teams started providing their services outside the cyber area.

It’s a natural progression. Those of us that started behind the curtain don’t question that. We know that an attacker will not think twice about switching from a spear-phishing campaign to physically installing a rogue AP, from stealing credit cards to stealing and selling PII to a foreign nation-state, or from doing an aggressive DDoS attack to sending a fake bomb threat letter to an office.

As the threat intelligence teams mature in businesses, they become more of intelligence and less of CTI teams. Nowadays, many such teams are responsible for a wide variety of intelligence products ranging from strategic intelligence to operational and of course tactical. To give you an idea, here are a few examples of areas where I am seeing more and more intelligence teams contributing lately.

  • M&A background checks for potentially threats (reputational, security, fraud, etc.)
  • Physical security team(s) support with timely and actionable intelligence on upcoming riots, natural disasters, geopolitical crisis, location-specific threats, etc.
  • Threat landscape reports for business initiatives
  • Liaison with law enforcement and potentially other government agencies for intelligence sharing when appropriate, approved and legal (terrorism, organized crime, child abuse, etc.)
  • Uncovering links between threat actors that operate in multiple domains (not only cyber)
  • Strategic geopolitical risk analysis that could have significant business impact
  • Supporting various security teams by providing reports on TTPs of the threat actors as per context (for example, threats in a specific country for executive travelling protection support)

Although those were some very generic and overly simplified examples it paints a clearer picture of the direction that CTI teams are moving. I expect that in the next few years we will see more and more intelligence professionals transitioning from the public sector to those teams, and more of those teams will keep on expanding the scope. If we think of it in the bigger picture, every company is miniature society and being able to timely inform the decision makers of that society’s upcoming threats is a crucial component. This is where I see the intelligence teams fitting in to the bigger picture.

Written by xorl

December 30, 2019 at 09:40

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: