Creating Your Team of Security Intelligence Champions

Office floor with people working on computers.

Editor’s Note: This guest blog is written from Recorded Future’s perspective and shares key excerpts from the second edition of their popular book, “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program.”

Your Threat Intelligence Journey

Throughout Recorded Future’s blog series on “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program,” we’ve explored how security intelligence empowers every team across a security organization to make better, faster decisions and amplify their impact. There’s one final, yet critical, topic to examine: How to organize your core security intelligence team itself.

Let’s take a deep dive as we look at the final chapter 13, “Your Threat Intelligence Journey.”

Michael Jordan once said, “Talent wins games, but teamwork and intelligence win championships” — and he’s absolutely right.

There’s no debate that machines process and categorize raw data exponentially faster than humans. On the flip side, humans are uniquely able to perform intuitive, big picture analysis that machines will never be able to achieve. That’s why the most effective security intelligence programs combine the best of both worlds: a team of talented individuals with extensive experience and technical knowledge, bolstered by automated processes that eliminate manual, time-consuming tasks and empower people to focus on rewarding, high-impact work. When people and machines are paired, each works smarter — saving time and money, reducing human burnout, and improving security overall.

So, how do you go about drafting your dream team of human security intelligence champions? Consider the Olympic Games as a model. Every country sends an elite team of athletes to compete in events. These teams of Olympians comprise a broader unit that represents their people and their country as one. This is the same way you should view your ultimate security intelligence program. It’s not enough to just pick individuals for your all-star lineup. You have to consider how each individual will work together, play on each other’s strengths, and contribute to the collective outcome.

As more and more organizations embrace intelligence as a critical security function, many are choosing to place a dedicated security intelligence team within the larger organizational structure of their security team. However, these specialized groups remain part of a larger coalition focused on a common goal: reducing risk and protecting the organization from emerging attacks.

In this final chapter, which has been edited and condensed for clarity, we outline the processes, people, and technology that make up a dedicated security intelligence capability. We also explore how these teams use intelligence not just to judge risk, but also to drive business decisions. Finally, we review ways to engage with intelligence communities for maximum impact.

In previous chapters of “The Threat Intelligence Handbook,” we’ve looked at how to integrate threat intelligence capabilities within your already existing security processes. Having reached the final chapter, we now make a few suggestions about how to organize your core threat intelligence team itself.

Now that we’re exploring how to create a team specifically committed to threat intelligence, it’s helpful to outline their differentiated responsibilities. Threat intelligence analysts will generally take on the following tasks:

  • Identify current and future information security threats to the business’s strategic assets
  • Answer the “who, how, and why” for any given attack
  • Dissect attack tactics, techniques, and procedures (TTPs)
  • Evaluate attacker TTP relevance and impact in the business context
  • Identify opportunities to make high-level security architecture changes that will hinder an adversary’s specific TTPs

The best threat intelligence programs involve strategic analysis centered around talented human resources who are supported by automated processes that take care of tedious tasks like processing data. This human-machine pairing is called the centaur model, which was originally theorized by chess legend Garry Kasparov. He made this argument a few years ago: “Weak human plus machine plus better process was superior to a strong computer alone and, more remarkable, superior to a strong human plus machine plus inferior process.”

One thing the centaur model highlights is how different groups working together and playing to their strengths will often succeed over individual groups that may be stronger pound for pound but can’t make a unified effort. This same lesson also extends to the question of where to place a threat intelligence team within the larger organizational structure of a security team — the right answer is often to be a specialized group, but one that remains part of a larger coalition.

In this chapter from our new book, “The Threat Intelligence Handbook,” which has been edited and condensed for clarity, we’ll explore in greater depth what that group should look like.

Dedicated, but Not Necessarily Separate

You can start your threat intelligence journey with people who continue to play other roles on different teams in the organization. At this point, two questions will arise:

  1. Should there be a dedicated threat intelligence team?
  2. Should it be independent, or can it live inside another cybersecurity group?

The answers are: yes, and it depends.

A Dedicated Team Is Best

As you develop a comprehensive threat intelligence program, you should build a team dedicated to collecting and analyzing threat data and turning it into intelligence. The sole focus of this team should be to provide relevant and actionable intelligence to key stakeholders, including senior executives and members of the board.

Dedication and a broad perspective are needed to ensure team members dedicate enough time to collecting, processing, analyzing, and disseminating intelligence that provides the greatest value to the enterprise as a whole, rather than yielding to the temptation to focus on the intelligence needs of one group or another.

Its Location Depends on Your Organization

Organizational independence, as shown in the image below, has its advantages, such as greater autonomy and prestige.

 

Figure 1: Threat intelligence as an independent group in the cybersecurity organizational structure. (Source: Recorded Future)

However, these advantages can be completely offset by the jealousies and political issues caused by creating a team with a new high-level manager and its own budget that pulls budding threat intelligence analysts out of their existing groups.

A dedicated threat intelligence team does not necessarily need to be a separate function reporting directly to a VP or the CISO. It can belong to a group that already works with threat intelligence. In many cases, this will be the incident response group. This savvy approach can avoid conflict with entrenched security teams.

Picking the People

If you take a gradual approach to building your core threat intelligence team, start with individuals who are already in the cybersecurity organization and are applying threat intelligence to their particular areas of security. They may not have the title “threat intelligence analyst” or see themselves that way at first, but they can form the backbone of your emerging threat intelligence capability.

Core Competencies

We have emphasized that the threat intelligence function exists to strengthen other teams in the cybersecurity organization so they can better protect a specific enterprise. It is therefore critical that the threat intelligence team include people who understand the core business, operational workflows, network infrastructure, risk profiles, and supply chain, as well as the technical infrastructure and software applications of the entire enterprise.

As the threat intelligence team matures, you’ll want to add members with the following skills:

  • Correlating external data with internal telemetry
  • Providing threat situational awareness and recommendations for security controls
  • Proactively hunting internal threats, including insider threats
  • Educating employees and customers on cyberthreats
  • Engaging with the wider threat intelligence community
  • Identifying and managing information sources

Collecting and Enriching Threat Data

We talked a little about sources of threat data in Chapter 1. Here, we explore how a threat intelligence team can work with a range of sources to ensure accuracy and relevance.

The Human Edge

Threat intelligence vendors can provide some types of strategic intelligence, but you can also develop in-house capabilities to gather information about the topics and events most relevant to your enterprise.

For example, you could develop an internal web crawler that analyzes the web page code of the top 5,000 web destinations visited by your employees. This analysis might provide insights into the potential for drive-by download attacks. You could share the insights with the security architecture team to help them propose controls that defend against those attacks. This kind of threat intelligence generates concrete data, which is much more useful than anecdotes, conjecture, and generic statistics about attacks.

Additional Sources

Proprietary sources that can strengthen your threat intelligence resources include:

Combining Sources

An automated threat intelligence solution enables the threat intelligence team to centralize, combine, and enrich data from multiple sources before the data is ingested by other security systems or viewed by human analysts on security operations teams.

The image below shows the elements of an automated threat solution. In this process, information from a threat intelligence vendor is filtered to find data that is important to the enterprise and specific cybersecurity teams. Then, it is enriched by data from internal threat intelligence sources and output in formats appropriate for targets such as a security information and event management (SIEM) and incident response system. This automated translation of data into relevant insights is the very essence of threat intelligence.

Figure 2: A threat intelligence platform can centralize, combine, and enrich data, then format it for multiple target systems. (Source: Recorded Future)

The Role of Intelligent Machines

Advances in machine learning and natural language processing (NLP) can bring additional advantages to the threat intelligence team. With the right technology, references to threats from all sources can be rendered language-neutral, so it can be analyzed by humans and machines regardless of the original language used. We’ve reached the point where artificial intelligence (AI) components have successfully learned the language of threats and can accurately identify “malicious” terms.

The combination of machine learning, NLP, and AI offers huge opportunities for organizations to leverage threat intelligence. Not only can these technologies remove language barriers, but they also can reduce analyst workloads by taking on many tasks related to data collection and correlation. When combined with the power to consider multiple data and information sources concurrently to produce genuine threat intelligence, these capabilities make it far easier to build a comprehensible map of the threat landscape.

Engaging With Threat Intelligence Communities

Threat intelligence cannot flourish in a vacuum. External relationships are the lifeblood of successful threat intelligence teams. No matter how advanced your team might be, no single group can be as smart individually as the threat intelligence world as a whole.

Many threat intelligence communities allow individual enterprises to share relevant and timely attack data so they can protect themselves before they are victimized. Engaging with trusted communities such as ISACs is crucial for decreasing risk, not just for your individual enterprises, but also for the entire industry and the cybersecurity world at large. Participation requires time and resources — for example, to communicate with peers via email and to attend security conferences — but relationship building must be a priority in order for threat intelligence to be successful.

Get “The Threat Intelligence Handbook”

The full chapter of the book also details the four different types of threat intelligence — strategictacticaloperational, and technical — and provides scenarios for how you would use them. In addition, the rest of the book includes chapters on the many different use cases for threat intelligence, including incident response, vulnerability management, digital fraud protection, and more.

It’s an essential guide to all things threat intelligence, so download your free copy of “The Threat Intelligence Handbook” today.