Nation states, hacktivists and cybercriminal actors account for an increasing share of recognised cyber attacks. Couple this with the many new public policies aimed at mitigating the effects of data breaches, cyber espionage and intellectual property theft, and it’s clear the ecosystem of cyber threat intelligence sharing is changing.
With threats coming from more varied origins and the ecosystem changing, more intelligence teams are being established with the aim of fortifying networks and reducing the liabilities and risks associated with data breaches. Yet with this increase, the need for trained threat analysts is also growing, and there are currently very few who can present their findings in a manner that is helpful and actionable for decision-makers. To correct this, it is vital for organisations to train cyber threat analysts using a technique that builds on the use of a threat intelligence platform (TIP) as a key tool in conveying the tradecraft of cyber threat intelligence.
Paving the way to an improved ecosystem
To support this ecosystem, the global standards body OASIS (the Organization for the Advancement of Structured Information Standards) now sponsors the development of a standardised language, syntax and transport for threat intelligence sharing. The two standards are:
- Structured Threat Information Expression (STIX), the language in which indicators, threat actors, campaigns and their relationships are expressed
- Trusted Automated Exchange of Indicator Information (TAXII), the protocol over which STIX content is exchanged
Training built through a threat intelligence platform
A threat intelligence platform (TIP) serves several functions, including:
- Aggregating threat intelligence “feeds” from various open and proprietary sources, while serving as a platform for enriching indicators of compromise (IOCs) with supplemental data and context
- Helping the threat analyst understand the Tactics, Techniques and Procedures (TTPs) of threat actors, as conveyed through the interpretation of enriched IOCs
- Distinguishing between human-readable threat intelligence (HRTI), written for analysts and decision-makers, and machine-readable threat intelligence (MRTI), such as STIX objects that detection tooling can ingest directly
Training that uses a TIP as the key tool for conveying the tradecraft of threat intelligence empowers cyber threat analysts. Providing analysts with a robust TIP that is designed to give them a high level of configurability also exposes them to the internal logic of the system, allowing them to design the threat detection, response and prevention parameters carefully. In turn, this helps reduce false positives and increases the value of the data collected for defensive or remedial action.
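The functions listed above come together in a small workflow: ingest a STIX bundle (the MRTI), pull the atomic IOCs out of the indicator patterns, attribute them to a threat actor through the bundle's relationships, enrich them, render a human-readable summary (the HRTI), and run them over log lines with exact-token matching so that a look-alike domain does not raise a false positive. The following Python is an added example written for this article; it is not EclecticIQ's code and not part of any TIP. The STIX 2.1 bundle, the enrichment table and the log lines are all constructed for illustration, and the parser only handles simple equality comparisons in STIX patterns.

```python
"""Parse a STIX 2.1 bundle, extract and enrich IOCs, and match them against logs.
Added example: the bundle, enrichment table and log lines below are constructed,
not real threat data."""
import re
from dataclasses import dataclass, field

FAKE_SHA256 = "a1b2c3d4" * 8  # constructed 64-hex-char value, not a real sample hash

# Constructed STIX 2.1 bundle: two indicators linked to one threat actor.
BUNDLE = {
    "type": "bundle", "id": "bundle--0c1c1f0e-5b1c-4d5c-9a6e-1a2b3c4d5e6f",
    "objects": [
        {"type": "threat-actor", "spec_version": "2.1", "name": "ExampleGroup",
         "id": "threat-actor--7d9f4b2a-1111-4c2d-8e3f-000000000001",
         "created": "2016-03-01T00:00:00.000Z", "modified": "2016-03-01T00:00:00.000Z"},
        {"type": "indicator", "spec_version": "2.1", "name": "C2 domain",
         "id": "indicator--7d9f4b2a-2222-4c2d-8e3f-000000000002",
         "indicator_types": ["malicious-activity"], "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update-check.example']",
         "valid_from": "2016-03-01T00:00:00Z",
         "created": "2016-03-01T00:00:00.000Z", "modified": "2016-03-01T00:00:00.000Z"},
        {"type": "indicator", "spec_version": "2.1", "name": "Dropper hash",
         "id": "indicator--7d9f4b2a-3333-4c2d-8e3f-000000000003",
         "indicator_types": ["malicious-activity"], "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{FAKE_SHA256}']",
         "valid_from": "2016-03-01T00:00:00Z",
         "created": "2016-03-01T00:00:00.000Z", "modified": "2016-03-01T00:00:00.000Z"},
        {"type": "relationship", "spec_version": "2.1", "relationship_type": "indicates",
         "id": "relationship--7d9f4b2a-4444-4c2d-8e3f-000000000004",
         "source_ref": "indicator--7d9f4b2a-2222-4c2d-8e3f-000000000002",
         "target_ref": "threat-actor--7d9f4b2a-1111-4c2d-8e3f-000000000001",
         "created": "2016-03-01T00:00:00.000Z", "modified": "2016-03-01T00:00:00.000Z"},
        {"type": "relationship", "spec_version": "2.1", "relationship_type": "indicates",
         "id": "relationship--7d9f4b2a-5555-4c2d-8e3f-000000000005",
         "source_ref": "indicator--7d9f4b2a-3333-4c2d-8e3f-000000000003",
         "target_ref": "threat-actor--7d9f4b2a-1111-4c2d-8e3f-000000000001",
         "created": "2016-03-01T00:00:00.000Z", "modified": "2016-03-01T00:00:00.000Z"},
    ],
}

# Matches one "object-type:property = 'value'" comparison inside a STIX pattern.
# Deliberately minimal: no support for LIKE/MATCHES, ranges, or observation operators.
COMPARISON = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")


@dataclass
class IOC:
    object_type: str          # STIX cyber-observable type, e.g. domain-name, file
    prop: str                 # property path, e.g. value or hashes.SHA-256
    value: str
    indicator_id: str
    name: str
    actors: list = field(default_factory=list)
    enrichment: dict = field(default_factory=dict)


def extract_iocs(bundle):
    """Turn indicator patterns into IOC records, attributed via 'indicates' relationships."""
    objs = bundle["objects"]
    actor_names = {o["id"]: o["name"] for o in objs if o["type"] == "threat-actor"}
    attributed = {}
    for o in objs:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            attributed.setdefault(o["source_ref"], []).append(
                actor_names.get(o["target_ref"], o["target_ref"]))
    iocs = []
    for o in objs:
        if o["type"] != "indicator" or o.get("pattern_type", "stix") != "stix":
            continue
        for otype, prop, value in COMPARISON.findall(o["pattern"]):
            iocs.append(IOC(otype, prop.replace("'", ""), value, o["id"],
                            o.get("name", ""), list(attributed.get(o["id"], []))))
    return iocs


# Constructed enrichment table standing in for a passive-DNS / sandbox lookup.
LOCAL_ENRICHMENT = {
    "update-check.example": {"resolved_ip": "198.51.100.23", "first_seen": "2016-02-20"},
    FAKE_SHA256: {"sandbox_verdict": "malicious", "family": "ExampleLoader"},
}


def enrich(iocs, table=LOCAL_ENRICHMENT):
    for ioc in iocs:
        ioc.enrichment = dict(table.get(ioc.value, {}))
    return iocs


def render_hrti(iocs):
    """Human-readable summary: one line per IOC with attribution and enrichment."""
    lines = []
    for ioc in iocs:
        who = ", ".join(ioc.actors) or "unattributed"
        extra = "; ".join(f"{k}={v}" for k, v in sorted(ioc.enrichment.items()))
        lines.append(f"{ioc.name}: {ioc.object_type}:{ioc.prop} = {ioc.value} [{who}] {extra}".rstrip())
    return "\n".join(lines)


# Constructed DNS and EDR log lines; the last one is a look-alike that must NOT match.
SAMPLE_LOGS = [
    "2016-03-02T10:01:07Z dns client=10.0.0.14 query=update-check.example type=A",
    "2016-03-02T10:01:09Z dns client=10.0.0.14 query=www.example.org type=A",
    "2016-03-02T10:03:41Z edr host=ws14 event=file_create sha256=" + FAKE_SHA256,
    "2016-03-02T10:05:00Z dns client=10.0.0.9 query=notupdate-check.example.net type=A",
]


def match_logs(iocs, log_lines):
    """Exact-token matching (split on whitespace and '='), not substring search,
    so 'notupdate-check.example.net' does not fire on the C2 domain IOC."""
    hits = []
    for line in log_lines:
        tokens = set(re.split(r"[\s=]+", line.lower()))
        for ioc in iocs:
            if ioc.value.lower() in tokens:
                hits.append((ioc, line))
    return hits


if __name__ == "__main__":
    found = enrich(extract_iocs(BUNDLE))
    print(render_hrti(found))
    for ioc, line in match_logs(found, SAMPLE_LOGS):
        print(f"HIT {ioc.indicator_id}: {line}")
```

The token-based matcher is the configurability point in practice: a substring search would flag the fourth log line as a hit on the C2 domain, and that is exactly the kind of false positive an analyst who understands the platform's internal logic can design out. Real patterns also use `AND`/`OR`, `MATCHES` and observation windows, so a production TIP needs a full STIX pattern parser rather than the single-comparison regex used here.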
Applied, hands-on lab work is critical to the learning objectives, arming students and the workforce with practical knowledge to build on. As part of this, it is important that the trainee analyst is given theoretical frameworks, such as the Cyber Kill Chain and the Diamond Model, that guide hypothesis formation and testing, along with the knowledge of the craft needed to integrate effectively into an existing threat intelligence team.
To apply a TIP-based learning system effectively, lessons should be drawn directly from the workflows of operational units such as red teams, incident response teams and SOC teams. Specific case studies also give students a sense of how a TIP functions within an organisation in which different teams collaborate on threat intelligence sharing. A robust and highly configurable TIP ensures that the analyst understands these basic workflows and use cases, and the features needed for ingesting feeds, performing analysis and presenting actionable findings and intelligence.
The threat analyst skills gap
While more intelligence teams are being established and the skills gap for talented threat analysts continues to grow, there is an increasing realisation of the benefits of threat intelligence sharing for fortifying networks and reducing the liabilities and risks associated with data breaches. Because of this, there is more need than ever for individuals who understand exactly how to interpret IOCs, enrich the data and characterise the activity of threat actors that may be attacking their organisations’ networks.
There are currently very few threat analysts who understand how to use a TIP and STIX-formatted data, how to refine IOCs, and how to analyse patterns in order to test hypotheses about threat actor intent and motivation. Employees who are fluent in the language of STIX will become invaluable to businesses, because their threat analysts will be able to present findings in a manner that is helpful to key decision-makers.
The poaching of cybersecurity talent is also a growing concern for organisations, as highlighted by the lawsuit brought against Nike by Mastercard in 2015. Not only are skilled workers being poached, they are also being recruited from other roles such as network engineers, database managers and ethical hackers, as well as other disciplines that have a bearing on information and cybersecurity. Even for these specialised workers, however, it’s a steep learning curve to understand the tools and techniques used to analyse attacks and to develop application programming interfaces (APIs) between TIPs and existing in-house tools for monitoring networks and generating metrics.
As workforce development continues to be a concern for companies and public-sector organisations, employers need to support and nurture every employee who seeks development in the threat intelligence ecosystem.
Joep Gommers, Founder and CEO at EclecticIQ