Advanced Cyber Threat Intelligence: A First Principles Approach to Risk Mitigation

Bruce Matthews
Associate Director, Federal Services

As the field of cyber threat intelligence (CTI) evolves and coalesces around standard practices, invoking the threat intelligence cycle and attack frameworks/models, it is useful to think outside of the proverbial box and apply foundational security principles to help protect your department, agency, or organization and those it serves. In this post, I provide an overview of the concept; I will dig a little deeper in my next article, to be published later this month.

Although CTI is a relatively new field, its products and resources have grown explosively over the last few years, shaping the workflows and operating practices of analysts. Analysts receive intelligence feeds describing the tactics, techniques, and procedures (TTPs) of adversaries, along with malware analyses and known indicators of compromise (IOCs). This information is provided to cyber hunt professionals, after which Security Operations Center (SOC) teams focus on detection and blocking efforts. In essence: learn what the bad guys are doing, discern detectable artifacts, and employ tools to discover those artifacts and block or prevent them.

This method relies heavily on detecting hostile activity, whether attribution is made or not. To discern an adversary’s TTPs, someone – not necessarily in your own cyber ecosystem – needs to be tracking them and making the information available. When starting with published TTPs, there is an inherent measure of separation between known adversary activity and specific organizational risk with respect to cyber security goals. In other words, we need to answer the question: “So what?” or “Why do we care and how does the threat intelligence relate to our operations?”

Binding intelligence more tightly to organizational risk is often accomplished by associating it with an organization’s technology stack or with the sectors known to be targeted by various hostile actors. Indeed, discerning likely targets and the relevancy of published TTPs comprises a large portion of a CTI analyst’s efforts in mature cyber security operations. Sophisticated cyber threat tools apply AI to automatically compare adversary TTPs against an organization’s technology stack to trim down the non-relevant reporting.

However, what about the unknown attacker, or one for which we have few TTPs, if any, to go by? Here we can employ traditional security approaches to strengthen the linkage to specific organizational risk and cyber security goals by working in reverse. Instead of starting with the intelligence and relating it to the corporate tech stack, we start with the undesired events that would disrupt vital business processes and relate them to how a bad guy could create or facilitate those events within the tech stack. In the first method, we go from TTPs/IOCs to the tech stack (without regard to business processes). Employing this security approach, we instead review business process targets against the tech stack to determine the TTPs required and the likely IOCs.

Applying this strategy takes some additional effort, perhaps nudging CTI analysts out of their normal comfort zone as they research organizational business processes and priorities more deeply, but the rewards can be worth it. This approach establishes a direct linkage to corporate/organizational risk, builds a rich knowledge of stakeholder needs, illuminates unknown third-party relationships, and provides better insight for leveraging geopolitical threat reporting (an emerging trend in CTI products). It may turn out that your normal CTI reporting is spot on, but now it is validated both forwards (starting with actor activity) and backwards (starting with business process targets).
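To make the two directions concrete, here is an added example (not part of the original post) that models the forward flow (feed TTPs matched against the tech stack) alongside the reverse flow (business process to undesired event to tech stack to required TTPs and likely IOCs), and reports the TTPs a vital process depends on that current feed reporting does not cover. All process names, components, technique labels and the feed contents are constructed sample data.

```python
# Added example: validate CTI coverage forwards and backwards. All data is constructed.

# Backward direction inputs: vital business process -> undesired event -> components
# in the tech stack that could produce that event.
BUSINESS_PROCESSES = {
    "benefits-payments": {
        "undesired_event": "payment file altered or delayed",
        "tech_stack": {"payments-db", "sftp-gateway", "batch-scheduler"},
    },
    "public-portal": {
        "undesired_event": "portal unavailable or defaced",
        "tech_stack": {"web-frontend", "identity-provider"},
    },
}

# For each component: the techniques that could act on it and the artifact (likely IOC)
# a defender would expect to observe. Labels are constructed, not a real framework's IDs.
COMPONENT_TTPS = {
    "payments-db": {"credential-abuse": "anomalous service-account logins",
                    "data-manipulation": "unexpected row changes in payment tables"},
    "sftp-gateway": {"credential-abuse": "logins from unfamiliar source networks"},
    "batch-scheduler": {"scheduled-task-tampering": "job definitions changed outside change window"},
    "web-frontend": {"public-app-exploit": "error spikes and unusual request paths"},
    "identity-provider": {"credential-abuse": "MFA fatigue or impossible-travel logins"},
}

def forward_coverage(feed_ttps, tech_stack):
    """Forward flow: feed-reported TTPs that touch a component we actually run."""
    return {ttp for comp in tech_stack for ttp in COMPONENT_TTPS.get(comp, {}) if ttp in feed_ttps}

def backward_requirements(process):
    """Reverse flow: TTPs an adversary would need to cause this process's undesired event,
    each mapped to the IOCs we should be able to detect."""
    required = {}
    for comp in BUSINESS_PROCESSES[process]["tech_stack"]:
        for ttp, ioc in COMPONENT_TTPS.get(comp, {}).items():
            required.setdefault(ttp, set()).add(ioc)
    return required

def coverage_gaps(feed_ttps):
    """TTPs that matter to a vital process but appear in no current feed reporting."""
    gaps = {}
    for process in BUSINESS_PROCESSES:
        missing = set(backward_requirements(process)) - set(feed_ttps)
        if missing:
            gaps[process] = missing
    return gaps

if __name__ == "__main__":
    feed = {"public-app-exploit", "credential-abuse"}  # constructed CTI feed
    print(coverage_gaps(feed))  # {'benefits-payments': {'data-manipulation', 'scheduled-task-tampering'}}
```

The gap output is the "so what": the feed validates fine against the portal, but two techniques that could disrupt the payments process have no reporting behind them, which is exactly where hunt and detection effort should be redirected.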

The personal relationships you cultivate when researching business processes will also incubate cyber security proponents. Your stakeholders will see that you have their best interests at heart, which improves your credibility and reputation, which in turn leads to greater cooperation and trust in threat/incident information sharing. A win-win-win.

Stay tuned for my next blog, where we discuss this approach in more detail.

About the Author

Bruce Matthews is an Associate Director in Attain’s Federal Services division, a digital solutions firm headquartered in McLean, Virginia. Bruce is an expert in cyber threat intelligence, security technology, information assurance, policy, training, senior management, and inter-agency liaison. His work at Attain includes supporting DoD and Federal clients in cyber threat intelligence, developing the Attain IoT Security Framework, countermeasures development, program management, and risk management. Before joining Attain, he was with the National Counterintelligence and Security Center (NCSC), where he directed R&D activities examining technical surveillance countermeasures technologies and provided IC guidance for wireless and overseas security policy formulation. During his career at State, Mr. Matthews served in numerous security engineering assignments protecting US embassies around the world against top-tier intelligence and terrorist actors. Leadership positions included Managing Director and Acting Deputy Secretary of State for Office of Foreign Missions. He also served as a US exchange officer to the UK Foreign and Commonwealth Office as a Senior Inspector, conducting cyber and countermeasures activities.

About Attain’s Cybersecurity Practice:

Attain is a leading management, technology, and strategy consulting firm comprised of innovative problem solvers. Leveraging our cyber security and business transformation expertise, Attain is well positioned to assist enterprises in advancing their cyber threat intelligence processes to the next level. Our DHS Center of Excellence-level security and network engineers, security analysts, and incident responders leverage the latest technologies and methodologies to safeguard information assets so agencies can focus on the mission at hand. Attain’s Strategy and Management consulting services help clients navigate the ever-changing demands of technology innovation, enabling them to gain a competitive or strategic advantage by doing things differently.

By Bruce Matthews, Associate Director, Federal Services