This can be one of those polarizing subjects (at least for security people) – cyber threat intelligence. Security people tend to either love the idea of collecting threat intelligence or they don’t see any value in spending time and money on it.
But let’s start by defining it.
Most times, cyber threat intelligence is packaged and sold by vendors. But that’s not what I’m talking about here. I’d rather talk about innovative and cheap ways (at least in terms of budget dollars) of collecting highly valuable threat intelligence.
Ultimately, the only value I see intelligence bringing is when it helps your team be better prepared to prevent or detect attacks. Anything less is likely wasted effort.
If you follow the marketing hype from security vendors, you know about all kinds of threat intelligence products, services and feeds. But I think there’s a better way to get valuable intelligence.
You can do it the grassroots way. Go undercover in your own business environment and you’ll learn things you wouldn’t find out any other way. Just like the CEOs do on Undercover Boss.
Let me give you an example to demonstrate the usefulness. I was working with a very large transportation and manufacturing company a while back. I asked them a simple question: did they have any PCI data (i.e. credit card transactions) in their environment?
I thought I knew the answer to the question before I asked it. I really couldn’t imagine they took credit card transactions since their products (at least the ones I knew about) cost 6 figures at least. Not exactly something you put on your American Express card.
But I was wrong. And so were the 3 security managers present in the room that day. Turned out that one of the security analysts was aware of their small but growing PCI environment from projects and work she did with the group responsible for the PCI environment.
But no one else in the room knew anything about it. They were all as surprised as I was to learn about it. That is, until she enlightened us and told us all about what she learned when she worked with that group on one of their projects.
Point is, you can do the same and use that knowledge to make sure you’re aware of your company’s “attack surface”, meaning all of the different areas of the business that might be a target for exploitation.
Once armed with that kind of information, your team is in a better position to intelligently defend your company against any related threats.
Here are a couple of ideas that won’t require you to get a dress up artist:
1. Your security people are likely already having conversations and actively participating in project meetings. Make sure everything they learn in those meetings is documented on your team’s wiki, OneNote or group bulletin board. Take the time to debrief your people.
They may not even realize the information they store in their heads. Tribal knowledge, they call it. Make it less tribal and more universally known.
2. Go on “fact finding missions” when new projects arise and your team isn’t participating in them. No need to be abrasive or invite yourself to someone else’s party.
But you or someone on your team should approach those groups and let them know you’re looking for information that will help you better defend the organization. Everyone wants to be helpful. Appeal to their psychology.
To wrap up:
Once you start collecting intelligence about your internal environment, you may find yourself wanting to consume more types of intelligence. Just remember to take baby steps and let the information lead you where it will.