Historically, the public sector has focused on a narrow set of cyber threats. Espionage and insider threat were among the primary focus areas given limited public-facing services and air-gapped infrastructure. However, as recent high-profile breaches have illustrated, the infrastructure at federal agencies today is far more integrated than ever before, and transparency initiatives have increased the amount of public-facing data and services. As such, agencies today are facing a wide range of cyber threats perpetrated by increasingly sophisticated adversaries requiring broader, more relevant threat coverage to keep up.
Keeping pace with the cyber threat today requires that agencies take a more active role in the defense of their infrastructure. Today, security is about more than just defending the perimeter, and it is no longer possible for agencies to prevent every potential cyber attack. The evolving regulatory landscape, massive scale, and increasing complexity of federal IT environments have surpassed the ability of internal security teams to keep pace. As such, agencies must seek to invest in and develop sophisticated threat intelligence capabilities to collect, analyze and disseminate information about the specific, and often unique, threats facing them.
Investment is Critical

The creation of a sophisticated threat intelligence capability requires significant personnel and monetary investment. Agencies must compete with the commercial market to recruit and retain high-quality cyber security talent spanning a wide range of expertise to provide ample threat coverage. Moreover, agencies must identify, acquire, and analyze vast amounts of threat data from multiple sources to disseminate context-aware, actionable intelligence. At a minimum, an agency’s threat intelligence capability should invest in extensive human intelligence (HUMINT) and signals intelligence (SIGINT) capabilities, whether internally or by way of a third party.
Expert Human Intelligence

The best threat intelligence capabilities today incorporate extensive human-derived intelligence and expert-driven analysis spanning multiple languages and cultures. These expert staffers must include subject-matter experts in malicious code, vulnerabilities, threat actor reconnaissance, and geopolitical threats, among other skills. For example, Verisign iDefense Security Intelligence Services, which has provided actionable intelligence to the public sector since its inception nearly 20 years ago, has organized its intelligence teams to address the core types of threat (namely cyber espionage, vulnerability intelligence, cyber crime and hacktivism) for most federal agencies. This intense focus on human intelligence is necessary to provide agencies with detailed analysis of current and emerging regional threats, zero-day vulnerabilities, and cyber espionage groups and campaigns to identify threat actors and key targets of opportunity so as to better direct and inform strategic defensive decisions and actions.
The Importance of Integration

The integration of targeted intelligence data into an organization’s existing technology stack is a critical aspect of an efficient threat intelligence workflow. To realize the efficiency gains of context-focused threat intelligence, organizations must be able to rapidly integrate this data within existing collection management, threat mitigation, and vulnerability management systems to help security teams prioritize patch deployments, remediation actions, and incident response efforts. The automated prioritization of threats based on severity, business criticality and relevance to the organization is key, and API access to disseminated threat intelligence data enables the rapid and direct integration of advanced sensing, indicator, and warning capabilities to help organizations “know what they know” and narrow down the “unknown unknowns.”
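The prioritization described above (severity from the feed, business criticality from the asset inventory, relevance from what was actually observed or exposed locally) can be made concrete with a small scoring pipeline. The following is an added illustration written for this page, not Verisign or iDefense code and not their API: the JSON feed layout, the asset inventory, the sighting records and the relevance weights are all constructed assumptions. It shows why a high-severity indicator with no local context drops out of the queue while a moderate one seen on a critical asset rises to the top.

```python
import json
from dataclasses import dataclass, field


@dataclass
class Indicator:
    value: str
    kind: str              # "ip", "domain" or "cve"
    severity: int          # 1 (low) to 5 (critical), as rated by the feed
    targets: frozenset = field(default_factory=frozenset)  # technologies the threat applies to


def load_feed(raw: str) -> list:
    """Parse a JSON indicator feed. The field names are an assumption of this example."""
    return [
        Indicator(i["value"], i["kind"], int(i["severity"]), frozenset(i.get("targets", [])))
        for i in json.loads(raw)
    ]


# Constructed sample feed, as it might arrive from an intelligence API.
# CVE values are placeholders, not real identifiers.
FEED_JSON = """[
  {"value": "203.0.113.10", "kind": "ip", "severity": 4},
  {"value": "evil.example", "kind": "domain", "severity": 3},
  {"value": "CVE-PLACEHOLDER-1", "kind": "cve", "severity": 5, "targets": ["apache"]},
  {"value": "198.51.100.7", "kind": "ip", "severity": 5},
  {"value": "CVE-PLACEHOLDER-2", "kind": "cve", "severity": 5, "targets": ["mainframe"]}
]"""

# Constructed asset inventory: business criticality (1-5) and technology stack per asset.
ASSETS = {
    "web01": {"criticality": 5, "stack": {"linux", "apache"}},
    "hr-db": {"criticality": 4, "stack": {"windows", "mssql"}},
    "kiosk": {"criticality": 1, "stack": {"windows"}},
}

# Constructed sightings from local sensors: (asset, indicator value) pairs.
SIGHTINGS = [
    ("web01", "203.0.113.10"),
    ("kiosk", "evil.example"),
]

# Relevance weights (assumed): observed locally > affects a deployed technology > no link at all.
RELEVANCE_SEEN = 3
RELEVANCE_EXPOSED = 2


def score(ind: Indicator, assets: dict, sightings: list) -> dict:
    """Combine feed severity, asset criticality and local relevance into one number."""
    seen_on = sorted(a for a, v in sightings if v == ind.value)
    exposed = sorted(a for a, info in assets.items() if ind.targets & info["stack"])
    if seen_on:
        relevance = RELEVANCE_SEEN
        criticality = max(assets[a]["criticality"] for a in seen_on)
    elif exposed:
        relevance = RELEVANCE_EXPOSED
        criticality = max(assets[a]["criticality"] for a in exposed)
    else:
        relevance = 0          # generic feed entry with no local context
        criticality = 0
    return {
        "indicator": ind.value,
        "score": ind.severity * criticality * relevance,
        "seen_on": seen_on,
        "exposed": exposed,
    }


def prioritize(feed: list, assets: dict, sightings: list) -> list:
    """Score every indicator, drop those with no local relevance, highest score first."""
    scored = [score(i, assets, sightings) for i in feed]
    return sorted((s for s in scored if s["score"] > 0), key=lambda s: s["score"], reverse=True)


if __name__ == "__main__":
    for item in prioritize(load_feed(FEED_JSON), ASSETS, SIGHTINGS):
        print(f'{item["score"]:>4}  {item["indicator"]:<20} seen_on={item["seen_on"]} exposed={item["exposed"]}')
```

Run as-is, the queue lists the address seen on the critical web server first, the placeholder vulnerability affecting that server's stack second, and the domain seen only on a low-value kiosk last; the two severity-5 entries with no local link never reach the analyst, which is the false-positive reduction the text attributes to mission-specific context.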
Conclusion

To truly stay ahead of the increasingly sophisticated, stealthy and dangerous threats facing them, federal agencies need an active defense strategy that enables them to anticipate the moves of their adversaries, detect attacks early on, and rapidly neutralize threats that surface. The integration of threat intelligence capabilities into an organization’s cyber defense strategy can offer tremendous improvements in the efficiency and effectiveness of internal security teams. While open threat intelligence data offers some value, the general-purpose nature of these feeds lacks mission-specific context and relevance, leading to false positives and misaligned resources. The real value in threat intelligence data comes from the ability to home in on the specific TTPs targeted at the organization. Getting to this level of detail requires a level of mission-focused context that must be achieved through the aggregation of both open and commercial threat intelligence sources and the incorporation of highly skilled, mission-aware cyber security analysts who can derive this actionable, organization-specific threat intelligence.