Our previous posts established the groundwork for understanding how cyber risk intelligence allows organizations to answer the question “When will my organization be the victim of a significant cyber incident?”
When we last left off, we agreed to discuss four ways cyber risk intelligence analysts could match external or “threat” developments with internal systems the analyst desires to protect:
- Technical Data
- Tools, Techniques, and Procedures (TTPs)
- Assessment and Estimation (A&E)
- Vulnerability Discovery and Disclosure Data
To give you an idea of how each of these contributes to our objective of anticipating cyber incidents, I have labeled first three of them on the X axis of the Boom Chart.
You notice that Technical data is primarily reactive. It is generally gleaned from incident investigation.
TTPs are also learned from previous attacks, but carry forward due to the insight they provide about how an adversary operates.
Assessment & Estimation is forward looking based on a broad variety of factors that extend beyond bits and bytes level analysis.
The following image of the mind map (discussed previously) is color coded to indicate which elements fall under each category.
While this mind map is somewhat notional rather than complete and detailed: brown represents technical data, yellow represents TTPs, and beige represents estimation and assessment.
The cyber risk intelligence analyst can use several techniques to place events and impacts accurately on the boom chart.
He must start with a foundational understanding of cyber event elements, many of which display in the following mind map:
An intelligence analyst learns all he can about these items. He is fascinated by context, and terrified by ignorance. He explores relationships and advances hypothesis. He builds on his knowledge and previous estimations. A good analyst knows and readily applies a broad number of analytical techniques, asking question after question — carefully documenting his results — building histories and frameworks.
When trying to anticipate the future, the cyber risk analyst applies all his efforts to match what he knows about the external environment with what he knows about the internal environment he must protect.
We can divide intelligence product types useful in this “matching” effort into four broad categories:
- Technical Data
- Adversary TTPs
- Assessment and Estimation
- Vulnerability Discovery and Disclosure
In the following posts we will look at each of these in greater detail.
When we left off, you were just beginning to wonder “When will my organization be the victim of a significant cyber incident?”
And I told you I would show you how cyber risk intelligence could help us get there. So here goes.
It is the job of the cyber risk intelligence analyst to place all cyber events affecting the organization he serves on the Boom Chart:
The Boom Chart is a conceptual tool the analysts uses to estimate when things go “boom”, and how big the boom will be. The Y axis displays “Impact”, the X axis displays “Time”.
T sub not (t0), shown on the X axis, represents the present. The cyber intelligence analyst deals always in the notion of time. He must cover both events that have already affected the organization (shown to the left of t0), and events that may affect the organization in the future (shown to the right of t0).
Intelligence analysts often do not learn about events that have impacted their organization until after the event has occurred. The “dwell time” statistic made famous by Mandiant’s annual “M-Trends” reports illustrates this concept nicely (see Mandiant metrics white paper for more detailed discussion about dwell time and its components). We all kind of naturally find ourselves wanting to “get that dwell time down”.
Indeed, a cyber intelligence analyst provides the most value to his organization when leadership trusts him to deliver an accurate appraisal of events that will occur in the future — eliminating dwell time all together. While important caveats exist, logic dictates that event impacts can be mitigated or diminished less-expensively and more-effectively before the event occurs than they can afterwards.
Next time, we will discuss some specific ways an analyst goes about this important task.
Now, based on my experience working in the commercial cyber threat intelligence space for many years, I bet you didn’t really go through the effort of identifying the question like I asked you to in my last post.
So, I will repeat the question, then read your mind.
The question: What question if you knew the answer to it, would most significantly improve your security operations?
Think hard… I will wait…
Now for the mind reading: It’s probably something like:
When will my organization be the victim of a significant cyber incident?
So, you thought it. You know you did. But there was a bit of cognitive dissonance because when it crossed your mind, you also thought “I can’t ask that. No one can know the future.”
But that is where the deep magic of intelligence really begins.
After two-and-a-half years, I’ve decided to publicly take up the pen again on professional topics. Mostly its for me to record my thoughts — but of course that means you are free to think along!
What is Intelligence?
Intelligence is super simple — so simple, in fact it can be easily misunderstood. It is the ability to intentionally acquire knowledge. For example, cyber threat intelligence would be the ability to acquire knowledge (AKA learn) about cyber threats.
What is the mysterious intelligence cycle?
It’s a model for how people tasked with acquiring knowledge go about their jobs. It’s not all that different from models like the software development lifecycle: You start out with requirements, figure out a way to meet the requirements, give it a try, show the customer, ask them what they think, and do it again.
How do I choose a cyber threat intelligence provider?
Well, let’s not worry about choosing providers until we know exactly what knowledge you want to have. Try answering this as a starting point: What question if you knew the answer to it, would most significantly improve your security operations?
Once you can identify that question, you are starting to operate your own intelligence cycle. It’s exciting! You are doing intelligence!