The Strategic Value of Threat Intelligence
By Teresa Walsh
Compared with other forms of threat intelligence like human or signals intelligence that have been used by nation-states as part of national security and defence for many decades, cyber intelligence is still a relatively new concept.
Cyber intelligence, particularly in the private sector, tends to focus on technical data such as threat actors’ technical capabilities and objectives to combat cyber threats at the tactical level. However, businesses, especially those in high-risk sectors such as financial services, can and should apply learnings from the public sector to utilise threat intelligence at higher levels to better manage cyber risks and fortify business resilience.
Cyber threat intelligence possesses vast utility, yet many organisations today are not harnessing threat intelligence to its fullest potential, instead focusing only on low-level, tactical use cases. Ideally, however, organisations can and should use threat intelligence analysis to detect both immediate and long-term threats, prioritise mitigation strategies, refine and sharpen long-term security postures, and focus on activities that further cyber resilience – all of which can greatly support a company’s success.
This reimagining and reorientation of how organisations make use of threat intelligence is necessary because threat intelligence holds immense value at multiple levels – tactical, operational, and strategic.
+ At the tactical (and lowest) level, threat intelligence detects and provides information on imminent cyber threats, enabling security teams to make better tactical decisions to secure an organisation’s defences.
Intelligence used at the tactical level focuses on the ‘what’ — what information an organisation needs to know while responding to security incidents, often involving the techniques, tactics, and procedures used by threat actors.
This intelligence is typically technical in nature and obtained directly from threats detected inside an organisation’s systems or from external sources that can impact tactical decisions, such as intelligence shared by another organisation about a threat that they have recently encountered.
+ At the operational level, threat intelligence empowers cybersecurity stakeholders by shedding light on cyber threat actors’ motives as well as their tactics, techniques, and procedures, and helps cybersecurity professionals better understand the threat actor’s decision-making process.
At the operational level, tactical intelligence can be used as building blocks to help expand the threat picture to the malicious actor behind the attacks and the arsenal of tools leveraged against victims. Operational intelligence analysis looks at the campaign level, examining priority threats and ongoing challenges in real time.
+ At the strategic level, threat intelligence informs top-level stakeholders in the business, such as board members and C-level executives, guiding decision-making on investment, risk mitigation, and other high-level decisions.
The use of strategic intelligence focuses on uncovering the ‘how’ — how an organisation defends itself and its overall cybersecurity posture. Unlike tactical intelligence, strategic intelligence provides a high-level view of the threats faced by an organisation and is human analysed and human readable.
Just as national intelligence estimates are created to influence some of the highest levels of government, so too can threat intelligence be used at the strategic decision-making levels of private firms to arm stakeholders such as IT, risk, and business continuity managers with actionable information on not only what could cause operational disruption but the probability of the specific firm being impacted, and even the cost of certain types of attacks. This in turn helps these stakeholders gauge their risk appetite more accurately and prioritise investments.
In order to ensure the application of threat intelligence meets strategic ends, a company must integrate the planning and direction stages of its intelligence cycle, keeping in mind its risk management needs and strategy when collecting and analysing data or information. The intelligence cycle is a step-by-step process that informs the development and execution of effective threat intelligence collection, analysis and dissemination, and is critical to generating insightful and actionable intelligence for stakeholders.
The next step is to establish priority intelligence requirements. For the cybersecurity team, these can often be technical or generic, such as ‘malware’ or ‘DDoS (distributed denial of service) attacks’. These on their own may not be very meaningful to risk managers who care about how this could lead to the failure of IT networks and subsequent availability to customers, as well as subsequent compliance risks. However, when these are mapped onto the firm’s risk frameworks, they can provide an answer to the question of “so what?”. In turn, this allows risk managers to truly understand how vulnerable they are to specific threats and allocate resources accordingly.
With the rise of third-party risk, organisations are more prone to cyberattacks due to external failures or deficiencies. This is compounded by concentration risk, as many firms around the world rely on the same small pool of third-party vendors for essential services. On top of this, the proliferation and evolving nature of cyber threats mean that a successful attack or breach is now nearly inevitable — and organisations must ensure they are equipped to continue operations even when under attack. In other words, organisations must become operationally resilient. Threat intelligence, and its effective use, is crucial to this process.
To combat these attacks against commonly used third parties, an organisation’s cyber threat intelligence team must know who its critical suppliers and partners are and how they interact with the business. The intelligence team must also interact and collaborate across departments so that intelligence can be integrated into data collection requirements, threat monitoring, and analytical products.
For example, resilience and exercise managers can engage in a tabletop exercise to simulate a third-party supplier cyberattack; or chief information security officers can collaborate with peers in a sector-level effort to address concentration points of common suppliers and ensure their security levels are adequate.
As third-party risk increasingly impacts both compliance and reputation, an efficient and effective risk management strategy is critical. Using strategic threat intelligence analysis to detect threats, prioritise mitigation strategies, and target resilience activities can help companies leverage existing threat intelligence resources to a much greater value in protecting the company and assuring the operational resilience that customers, shareholders, and regulators increasingly demand.
Teresa Walsh is the Global Head of Intelligence, Financial Services Information Sharing and Analysis Center (FS-ISAC). FS-ISAC is the member-driven, not-for-profit organisation that advances cybersecurity and resilience in the global financial system, protecting financial institutions and the people they serve. Founded in 1999, the organisation’s real-time information sharing network amplifies the intelligence, knowledge, and practices of its members for the financial sector’s collective security and defence. Member financial firms represent USD100 trillion in assets in more than 75 countries.