How Security & Intelligence Can Share the Same Language

In the face of a cyber-attack, any insight can mean the difference between business as usual and a damaging breach. However, as in any battle, this advantage is too often lost through poor communication.

While there’s no doubt that the actionable insight provided by cyber threat intelligence (CTI) is a huge benefit, the cybersecurity community sometimes struggles to fully realize it. One reason is that the two sets of professionals involved approach the same problem with different priorities.

Security professionals care about what is attacking the network and what they can do to defend against it. In contrast, intelligence professionals (or CTI analysts) are focused on why the network is being targeted and what this means. Of course, the best operators can support both missions, but those who can deliver effectively on both tracks with sufficient focus are a rare breed.

Where both professions overlap is in their need to understand how an attack is being conducted. This is where the discipline of tactics, techniques and procedures (TTPs) comes into play.

Effective communication between security professionals and CTI analysts is largely about threat intelligence sharing. This allows them to draw valuable conclusions from multiple strands of seemingly unrelated data points as part of their efforts to defend the network.

However, there are several problems.

Firstly, the two functions are often in direct opposition. If an attack is unable to gain a foothold in the network because it is secure, the security professionals have succeeded. If the attack is foiled before it has any impact, little can be gleaned about the motivations or capabilities of the adversary – meaning no new intelligence is obtained.

Another issue is around interpretation and bias. Whether you are attempting to communicate the severity of a threat, the importance of some minute detail or the irrelevance of a misleading data source, your ideas can be open to interpretation. In addition, the process of ensuring ideas are understood takes time and effort.

Put simply, analysts and security experts exchange ideas using ineffective means. But there is an answer: a protocol that creates a common framework for idea sharing.

A Common Language

The idea of a protocol is to agree that certain types of information can, and should, be objective in nature and need to be communicated at speed.

This provides the ability to quickly understand context without reading all the supporting information. This saves time and resources, minimizes ambiguity and reduces human error.

One could argue that an open standard language like STIX, which is designed to represent structured threat information, would take care of all of the above. It does and it doesn’t: STIX is the heart and soul of structured CTI, but we still need more nuance on top of it to avoid misinterpretation, so the protocol is needed after all.

The protocol needs to be defined, with a watch list of important indicators agreed by security professionals and CTI analysts. Going beyond indicators, TTPs provide a shared understanding of how to categorize data. This helps to automate how context behind activity is derived. Knowing what the data means allows security professionals to use it in the correct context – greatly reducing false positives as a result.

There is a drawback to using TTPs. This arises when a particular meaning cannot be expressed in two dimensions – something that is particularly relevant in cybersecurity, where data can quickly become complex.

This creates a need to model the data in more complex and multi-dimensional patterns. By recording the data in a structured form, we are spelling out the facts of the intelligence in a form that can be queried.

Effectively, if the security professional is able to query the data for what they need, then the intelligence analyst’s job is simply to record the facts in the most explicit and objectively true form possible.
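As an added illustration (not code from the original post or from Infosecurity Magazine) of what "recording the facts in a form that can be queried" looks like in practice, the block below builds a constructed STIX 2.1 bundle that links an indicator to a TTP through an `indicates` relationship and then runs the two queries each side of the conversation would ask: the security team asks which TTP an indicator points at, and the analyst asks which indicators exist for a given technique. All object ids and sample values are constructed; T1566 is the real MITRE ATT&CK technique id for Phishing.

```python
import json

# Constructed STIX 2.1 bundle (sample data, not from the original post): one
# indicator, one attack-pattern (the TTP) and the relationship linking them.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--5c0f2d7e-3a1b-4f6c-9d8e-0a1b2c3d4e5f", "objects": [
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
     "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
     "name": "Constructed lure sender address", "pattern_type": "stix",
     "pattern": "[email-message:sender_ref.value = 'ops@lure.example']",
     "valid_from": "2024-01-01T00:00:00Z"},
    {"type": "attack-pattern", "spec_version": "2.1",
     "id": "attack-pattern--0a3b7c1d-2e4f-4a5b-8c6d-7e8f9a0b1c2d",
     "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
     "name": "Phishing",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
    {"type": "relationship", "spec_version": "2.1",
     "id": "relationship--1f2e3d4c-5b6a-4978-8c9d-0e1f2a3b4c5d",
     "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
     "relationship_type": "indicates",
     "source_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
     "target_ref": "attack-pattern--0a3b7c1d-2e4f-4a5b-8c6d-7e8f9a0b1c2d"}]})


def index_bundle(bundle_json):
    """Split a bundle into an id->object map and the list of relationship edges."""
    bundle = json.loads(bundle_json)
    objects = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    edges = [o for o in bundle["objects"] if o["type"] == "relationship"]
    return objects, edges


def attack_id(obj):
    """Return the ATT&CK technique id recorded on an attack-pattern, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def ttps_for_indicator(objects, edges, indicator_id):
    """Security-team query: which TTPs (name, ATT&CK id) does this indicator point at?"""
    return [(objects[r["target_ref"]]["name"], attack_id(objects[r["target_ref"]]))
            for r in edges
            if r["relationship_type"] == "indicates" and r["source_ref"] == indicator_id
            and objects.get(r["target_ref"], {}).get("type") == "attack-pattern"]


def indicators_for_technique(objects, edges, technique_id):
    """Analyst query: every indicator pattern that 'indicates' a given ATT&CK technique."""
    targets = {i for i, o in objects.items()
               if o["type"] == "attack-pattern" and attack_id(o) == technique_id}
    return [objects[r["source_ref"]]["pattern"] for r in edges
            if r["relationship_type"] == "indicates" and r["target_ref"] in targets
            and r["source_ref"] in objects]
```

Because the TTP is a first-class object rather than a free-text tag, the same bundle answers both questions without either side re-reading the supporting report.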

As CTI matures, the power of TTPs to provide context becomes more apparent. But it is only when built on a solid foundation of structured intelligence that CTI can move beyond basic conversations and on to truly innovative sharing of intelligence and security data.

The knowledge held by intelligence analysts becomes a shared corporate understanding as a protocol is developed. The importance of reporting and communication techniques that can scale to become more readily actionable will only increase as the huge promise of artificial intelligence and machine learning comes to fruition. Moving from indicators to TTPs will be a key element in achieving this.

By making analyst knowledge less bespoke, it can be shared with the wider community in a common format. As a result, organizations can respond to incidents faster and reduce the impact on their resources and the networks they defend.

The white paper ‘The path to achieving actionable CTI’ gives a deeper insight into the different stages of the protocol discussed in this post.
