Cyberthreat Intelligence: Informing Better Decisions on the Cyber Battlefield

This is an Insight article, written by a selected partner as part of GDR's co-published content.

Corporate cyberattacks were up 50 per cent worldwide in 2021[1] and cyber incidents emerged as the biggest concern for companies globally in 2022, outranking covid-19 and broken supply chains.[2] In an interview with The Wall Street Journal, Christopher Wray, director of the United States Federal Bureau of Investigation (FBI), compared the US government’s fight against ransomware to the situation the country faced after 9/11. He added that the FBI has identified nearly 100 different types of ransomware, each of which has already been implicated in cyberattacks.[3] Today’s cyberattack landscape is extensive, and the risk to an organisation’s people, customers, partners and balance sheet is great.

The stakes for organisations hit by a cyberattack are high, as the record of regulatory action under data protection rules such as the EU’s General Data Protection Regulation (GDPR) makes clear. Regulatory action also provides guidance on what organisations should do to prevent or mitigate the risk of cyberattacks. Take the case of British Airways, fined £20 million by the UK Information Commissioner’s Office (ICO) for a data breach that affected more than 400,000 customers. The breach involved both personal and credit card data, and the subsequent investigation concluded that sufficient security measures, such as multifactor authentication, were not in place at the time.[4] Organisations hit by ransomware attacks are exposed to regulatory action as well. In 2022 the ICO issued a UK law firm with a penalty notice imposing an administrative fine of £98,000, having found that, from 25 May 2018 to 25 August 2020, the firm failed to process personal data in a manner that ensured appropriate security of the data.[5]

New cybersecurity threats emerge daily, from sophisticated ransomware schemes to phishing and cryptomining. Despite rising levels of cyber governance, hygiene and education, human error and system failure remain key risk factors.[6] Only two in five organisations say they are ready to navigate new exposures arising from rapid digital evolution and, more worryingly, a mere 17 per cent have adequate application security measures in place.[7] The Russia–Ukraine war is affecting businesses outside Ukraine as nation state-sponsored attackers become more active. Entities around the globe that do business in or with parties in Ukraine are at heightened risk, as are organisations in highly targeted sectors such as education and research, national infrastructure, transportation and logistics. Business interruption is one cyberattack away.

Even though organisations are aware of the ever-increasing cyberthreat, and knowledgeable regarding potential regulatory fines or legal liability, many still mismanage or fail to deploy a standard military tactic: threat intelligence. While an organisation might receive an abundance of threat intelligence, perhaps a stream of emails entering an inbox, it is often unable to effectively consume or act on the threat intelligence. This is particularly true for small to mid-sized businesses that do not have threat intelligence capabilities in-house.

The growing importance of threat intelligence

Threat is defined as the ‘potential cause of an unwanted incident, which can result in harm to a system or organisation’.[8] Threat intelligence, at its most basic level, is data that informs enterprises about existing and potential cyberthreats to the organisation. This raw data comes from multiple sources, or feeds: for example, from commercial vendors that trawl the deep and dark web; from regulators’ newsfeeds; from government agency publications; and from data streams produced by an organisation’s own security operations, risk management or enterprise-level teams. However, useful threat intelligence requires more than simply collecting data. A strategic and useful threat intelligence programme enables an organisation to better understand the threat landscape from a strategic, operational and tactical position, so that it can make better decisions about where to apply limited resources across people, budget and technology.

Cyberthreat intelligence is crucial to the organisation, yet the process of collecting information and turning it into useful intelligence is fraught with challenge. Its value can be difficult to translate for senior executives (‘the C-suite’), so budget might not be allocated; or, when a threat intelligence programme is undertaken, the sheer volume of information feeds and vendors offering services can be overwhelming. This explains why, even with all the available intelligence, organisations still find themselves ill-prepared to manage cyber risk.

The importance of threat intelligence is growing, as is recognition of its value in mitigating the risk of a future attack or responding to, and recovering from, an ongoing attack. Some industries that are overwhelmingly targeted by cybercriminals, or highly regulated, have responded with the formation of global intelligence exchanges or communities to enable members to connect and share cyber intelligence. The Financial Services Information Sharing and Analysis Center, for example, serves financial institutions and their customers to anticipate, mitigate and respond to cyberthreats via intelligence and has member institutions across 70 countries.[9]

Threat intelligence’s worth is further highlighted by the 2022 update to the ISO/IEC 27000 series of the International Organization for Standardization (ISO), in which the revised ISO/IEC 27002 added threat intelligence as a best-practice control. The new control provides that ‘information relating to information security threats should be collected and analyzed to produce threat intelligence.’[10] It is anticipated that this criterion will set an important precedent, leading to industry regulations mandating threat intelligence programmes and adding a new compliance layer across sectors. Moreover, the control’s inclusion in the ISO framework puts both market and legal pressure on organisations to maintain an active and strategic threat intelligence programme in order to demonstrate a sound cybersecurity posture.

This chapter examines globally accepted threat intelligence models and presents best practices in cyberthreat intelligence through example scenarios. The goal is to help organisations and their legal counsel understand how to source and consume threat intelligence. In line with military doctrine and ISO/IEC 27002, a threat intelligence programme should support strategic, operational and tactical-level leaders. It should operate both when an attack is underway (reactively) and during ‘peacetime’ (proactively), helping the organisation to prepare for and prevent coming attacks. Organisations and legal counsel should not underestimate the return on security investment of an active and iterative threat intelligence programme, or the balance sheet protection such a programme can provide should the company suffer business interruption or come under regulatory or legal scrutiny in the wake of a cyberattack.

Establishing a threat intelligence programme

The Intelligence Cycle

[Figure: the Intelligence Cycle. Source: US Naval War College (2022), ‘Intelligence Studies: The Intelligence Cycle.’]

To support the pursuit of strategic, operational and tactical intelligence, virtually every intelligence professional uses some version of the Intelligence Cycle. The Intelligence Cycle is a tool for collecting unrefined data and processing it into useful intelligence for key decision makers. It is a continuous process of five phases; although the phases are described sequentially, in practice they overlap and may run concurrently.

Stage one: planning and direction

At stage one, intelligence requirements are determined based on established priorities and the direction of the organisation’s leadership. Good requirements are always time-phased, ask one question and are tied to a decision the organisation must make. At this stage, security gaps are revealed, and the organisation comes to understand itself and its environment. This includes identification and valuation of critical assets to determine what attackers will most likely target, as well as a look at systems and operations to identify vulnerabilities. Scenario modelling is undertaken, and potential impacts of asset loss or service interruption are assessed. The organisation must be able to trust its internal threat intelligence function or external partner with confidential information, including a deep understanding of the business, key assets and critical risks. This step should involve the full security team encompassing risk, IT and forensics across all relevant countries.

Questions answered at stage one include:

  • What needs protecting and why?
  • Which assets are the priorities?
  • What threat actors and groups normally target the organisation’s sector or geography?
  • What avenues of entry are available to the threat actor?
  • What types of intelligence are required?
  • Who will be receiving the intelligence and how?

Stage two: collection

Collection is the process of gathering information from all available sources, such as sector news feeds, social media, the deep and dark web, and other intelligence. (The sources used in collection are guided by the requirements established at stage one.) It is recommended that a collection plan be developed to coordinate the efforts of the intelligence team. Processes can be developed to prioritise intelligence, for example where information points towards an imminent breach or where the capabilities of a specific threat actor align with an identified vulnerability. Collection fills the gaps identified at stage one to provide a more detailed view of the threat landscape (or cyber battlefield).

Stage three: processing

During processing, collected information is turned into intelligence. The distinction between the two is that intelligence is information that has been evaluated, analysed and often correlated.[11] Intelligence is both a process and a product. It is also formatted so that its audience, which might be the C-suite, can understand and consume it. During processing, the team aggregates the information collected and extracts what is relevant: the needles from the haystack. The needs of the audience determine how it is presented. For example, it might feed a chart designed to make a single point quickly, or it might be technical data to be ingested by a cyber incident response (IR) team.

Stage four: analysis and production

With usable intelligence (the product), the organisation can reconsider its goals and priorities to add context. Information from multiple sources is analysed holistically and various techniques are used to determine what is relevant. At the end of this stage, the organisation has a finished intelligence product, perhaps in the form of a report or presentation, that is concise, contextual and actionable.

Stage five: dissemination

Dissemination is the timely distribution of accurate and relevant intelligence to the appropriate decision makers. The security team will use the threat intelligence to build and act on priority plans for mitigation and proactive protection, focusing on alerts of the highest importance or impact to the organisation. Take, for example, an organisation beset by a cyberattack. In this situation, certain intelligence becomes more critical. This is also the stage where remediation actions may occur, such as takedown requests, publishing of attack indicators or defence hardening.[12]

Closing the loop: feedback

While not a specific stage, feedback is an essential component of any iterative – or loop – programme. After any change to the business or a threat event, it is important to re-analyse the security goals of the organisation.

  • Is the mission, or direction, still the same?
  • Is a different type of data needed?
  • How is the organisation’s intelligence communicated?
  • Are there too many or too few alerts?

Pausing to provide feedback can make threat mitigation faster and more accurate. Further, by redirecting assets or pivoting in a new direction, organisational efficiency is constantly refined.

Understanding strategic, operational and tactical intelligence

Military intelligence officers frequently hear the maxim: ‘The commander must see the battlefield.’[13] Within a private or public organisation, the threat intelligence team is charged with painting a picture of the cyberthreat landscape so that leaders can make better decisions and act efficiently and effectively. Threat intelligence is a vital part of any cybersecurity programme and, according to ISO/IEC 27002, should consist of three forms of intelligence: strategic, operational and tactical.

Strategic intelligence

At the strategic level, the intelligence team is concerned with the capabilities, vulnerabilities and probable courses of action of threat actors. It is an exchange of high-level information about the changing threat landscape and helps to determine where to deploy resources or allocate budget. Data sought at this level answers the question of what attacks are underway and by whom. For example, intelligence data might indicate a rise in ransomware activity with an industry-specific lens, or sector threat intelligence might reveal that a handful of known groups are targeting a particular industry. This data informs the organisation’s operational and tactical threat intelligence.

Case in point

In February 2022, researchers at Sansec, a Dutch security firm, discovered a major breach of 500 e-commerce retailer sites running Adobe’s Magento 1, a discontinued version of the platform. Further intelligence revealed that the threat actor group Magecart Group 12, known for skimming payment cards from e-commerce websites, was using an updated attack technique to gain remote administrative access to sites running this older version of the software.[14] At the strategic level, retailers operating an active threat intelligence programme would have prepared a report on this vulnerability and the threat actor’s probable course of action, and the risk would likely have been significantly reduced or negated. Armed with this intelligence, affected retailers could more quickly use operational intelligence (see below) to prevent an attack or, if an internal investigation determined that a breach was underway, mount a rapid tactical response to isolate the attack, remove or update the compromised third-party component and prevent further leakage of payment card data.

Operational intelligence

Operational intelligence is defined as the intelligence required for planning and conduct of campaigns within a theatre of war.[15] It concentrates on collection, identification, location and analysis of strategic and operational centres within an organisation, such as information about technology, tools, people and processes. When conducted proactively, researching the technology used by the organisation exposes known vulnerabilities, and threat-modelling assessments can help the organisation efficiently deploy resources. For example, if certain technologies have known vulnerabilities, or there are current threat actors targeting certain technologies, a mitigation plan can be enacted. Operational intelligence essentially serves as a bridge between strategic and tactical. 

Case in point

In March 2022, the UK’s ICO handed down its first Monetary Penalty Notice for GDPR violations in respect of a ransomware attack, against a UK-based criminal defence law firm. The firm had suffered an attack in August 2020 in which the actors gained access to and encrypted over 900,000 digital files, a substantial number of them related to court bundles. The dataset was exfiltrated by the attacker and published on the dark web, releasing over 60 court bundles for historic and live cases. The firm’s data protection policy required two-factor authentication where available (also known as ‘multi-factor authentication’ or ‘MFA’); however, it did not use MFA for remote access. The firm’s own internal investigation found that the attackers may have used a known ‘critical’ vulnerability to access the network. This vulnerability had been publicly reported since December 2019 and had been the subject of specific alerts and guidance from the UK and US governments from January 2020, which noted that it was being actively exploited by malicious cyber actors. A patch was released in January 2020 but was not installed by the firm until over four months later, in June 2020, and the firm accepted that the threat actor could have exploited the vulnerability during the unpatched period. The ICO found that the firm ‘should not have been processing personal data on an infrastructure containing known critical vulnerabilities without appropriately addressing the risk’, further explaining its reasoning:

The Commissioner has considered relevant industry standards of best practice, including the ISO27002 suggestion that organizations should define a timeline to react to notifications of potentially relevant technical vulnerabilities, and once a vulnerability has been identified, associated risks should be identified and actions taken, such as patching the system to remove the vulnerability.[16]

This regulatory position demonstrates both that identifying potentially relevant threat intelligence (in this case, regarding vulnerabilities in systems used by the organisation) is in line with best practice and that failing to do so can have serious consequences.

Tactical intelligence

Tactical intelligence deals with the immediate situation, for example an imminent or ongoing attack. If an organisation has been breached, indicators of compromise can greatly aid the forensics investigation and shorten response time from months to days. When investigating a breach where a technology estate consists of several thousand machines, tactical intelligence surrounding the threat actor group and the technology in question can drastically shorten the time it takes to analyse the systems and determine the attack vector. To deploy threat intelligence at the tactical level, the team must identify the key needs, provide direction for data collection and collect against these needs, process the incoming information into intelligence that will answer questions, and disseminate this intelligence so that it may be acted on.[17] 
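The processing step described at stage three and the tactical sweep described here are shown together in the following Python, added as a worked example and not drawn from the chapter or from any vendor’s product. Two constructed feeds, a vendor-style list of records with defanged values and a CERT-style plain-text bulletin, are normalised into one deduplicated indicator set that records which source reported each indicator, and that set is then swept across constructed proxy-log lines and a per-host file-hash inventory. The feed names, indicator values, hostnames, log format and hashes are all made up for illustration.

```python
"""Added example (not from the original chapter): two constructed threat feeds are
normalised into one deduplicated indicator set (the processing step), which is then
swept against constructed proxy logs and a file-hash inventory (the tactical step).
Every feed value, hostname, address and hash here is made up for illustration."""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Feed A: vendor-style records, defanged ("[.]", "hxxp") as many feeds are.
FEED_A = [
    {"value": "update-check[.]example", "actor": "Actor X"},
    {"value": "198[.]51[.]100[.]23", "actor": "Actor X"},
    {"value": "0BADC0DE" * 8, "actor": "Actor X"},  # constructed sha256
]
# Feed B: CERT-style text bulletin, one indicator per line, '#' marks comments.
FEED_B = """\
# constructed bulletin: infrastructure associated with Actor X
198.51.100.23
hxxp://update-check.example/api/v2/beacon
login-portal.example
"""
# Constructed proxy log lines (key=value fields) and a per-host (path, sha256) inventory.
PROXY_LOGS = [
    "2022-03-01T10:22:03Z host=ws-014 dst=198.51.100.23 url=http://update-check.example/api/v2/beacon status=200",
    "2022-03-01T10:22:09Z host=ws-014 dst=203.0.113.7 url=https://intranet.corp.example/ status=200",
    "2022-03-01T11:05:41Z host=srv-db-02 dst=198.51.100.23 status=000",
    "2022-03-01T11:07:00Z host=ws-031 dst=203.0.113.9 url=https://login-portal.example/ status=302",
]
FILE_HASHES = {
    "ws-014": [("C:\\Users\\Public\\svc_update.exe", "0badc0de" * 8)],
    "ws-031": [("C:\\Windows\\System32\\notepad.exe", "1234abcd" * 8)],
}
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
LOG_KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Indicator:
    ioc_type: str  # "ip", "domain", "url" or "sha256"
    value: str     # refanged, lower-cased canonical form


def refang(value: str) -> str:
    """Undo the defanging feeds apply so that readers do not click live links."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def classify(raw: str) -> list[Indicator]:
    """Turn one raw feed string into typed indicators; a URL also yields its host,
    because a proxy log may record only one of the two."""
    v = refang(raw)
    if not v or v.startswith("#"):
        return []
    if SHA256_RE.match(v):
        return [Indicator("sha256", v)]
    if IPV4_RE.match(v):
        return [Indicator("ip", v)]
    if "://" in v:
        host = urlparse(v).hostname or ""
        out = [Indicator("url", v)]
        if host:
            out.append(Indicator("ip" if IPV4_RE.match(host) else "domain", host))
        return out
    return [Indicator("domain", v)]


def load_feeds() -> dict[str, list[str]]:
    """Raw indicator strings from both constructed feeds, keyed by source name."""
    return {"vendor_feed": [r["value"] for r in FEED_A],
            "cert_bulletin": FEED_B.splitlines()}


def build_indicator_set(feeds: dict[str, list[str]]) -> dict[Indicator, set[str]]:
    """Processing: merge feeds into one set; an indicator reported by two independent
    feeds collapses to one entry that records both sources (useful corroboration)."""
    merged: dict[Indicator, set[str]] = {}
    for source, raws in feeds.items():
        for raw in raws:
            for ioc in classify(raw):
                merged.setdefault(ioc, set()).add(source)
    return merged


def proxy_observations(lines: list[str]):
    """Yield (host, candidate) from key=value proxy log lines: the URL, the URL's
    host and the destination IP are each checked separately."""
    for line in lines:
        f = dict(LOG_KV_RE.findall(line))
        src = f.get("host")
        if "url" in f:
            url = f["url"].lower()
            yield src, Indicator("url", url)
            host = urlparse(url).hostname
            if host:
                yield src, Indicator("ip" if IPV4_RE.match(host) else "domain", host)
        if "dst" in f:
            yield src, Indicator("ip", f["dst"])


def hash_observations(inventory: dict[str, list[tuple[str, str]]]):
    """Yield (host, sha256 indicator) from a per-host file-hash inventory."""
    for host, files in inventory.items():
        for _path, digest in files:
            yield host, Indicator("sha256", digest.lower())


def sweep(observations, indicators: dict[Indicator, set[str]]) -> list[tuple]:
    """Tactical sweep: every (host, indicator, sources) whose observed value is in the set."""
    return [(host, ioc, sorted(indicators[ioc]))
            for host, ioc in observations if ioc in indicators]
```

Recording every source per indicator is what lets the analyst at stage four say not merely ‘this matched’ but ‘two independent feeds reported this infrastructure’, which changes the priority of the alert. In a real estate the log lines would be pulled from the proxy or EDR platform and the indicator set from a threat intelligence platform rather than from constructed lists, but the normalisation and matching logic is the same.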

Case in point

In the widely reported Accellion breach, a vulnerability in a file transfer platform used by many organisations was exploited to compromise data that had been transferred through it, and the incident was publicly reported to have affected two major global law firms.[18] Organisations that were clients of those firms, and that had programmes to deploy tactical threat intelligence, would then likely have monitored the threat actor’s leak site for the exfiltrated data being published, so that they could download and analyse it to establish whether it included their data.

Threat intelligence in reactive versus proactive scenarios

Reactive: an attack is underway

Data stored on an organisation’s network is encrypted and inaccessible due to a ransomware attack. In this reactive scenario, protocol calls for mobilisation of an IR team made up of forensics experts who investigate the attack from the inside out, meaning that the investigators have access to the affected systems and examine the relevant data sources and forensic artefacts from ‘inside’ the organisation. This is standard and in line with the practice of most organisations. What is not standard, yet equally critical, is activation of a threat intelligence team. Threat intelligence experts complement forensics in that they investigate from the outside in, meaning that they examine data sources and information from outside the affected organisation in an attempt to identify any relevant evidence of the threat actor’s actions. If there are initial indicators of a cyberattack, threat intelligence can also help determine which threat actor or group was most likely responsible. This can drastically improve the efficiency and timeliness of the IR team’s response. If there is a strong indication that the attack was led by ‘Actor X’, the IR team may be able to identify the root cause and the persistence mechanisms (the techniques attackers use to keep access to systems) more quickly, and as a result lessen the resulting damage. The length of time the business is offline is likely shortened, and the impact on partners and customers is reduced.

In the case of ransomware specifically, threat intelligence is becoming ever more essential. The United States Treasury Department has warned that it could impose penalties on anyone who pays a ransom to individuals or organisations on its sanctions list.[19] Worldwide, the research firm Gartner has predicted that the percentage of nation states passing legislation to regulate ransomware payments, fines and negotiations will rise to 30 per cent by the end of 2025, from less than 1 per cent in 2021.

Lloyd’s Market Association (LMA) also provides specific guidance on the due diligence that insureds should undertake in the case of a ransomware attack, including on whether to make a ransomware payment. The questions it poses can best be answered only by interrogating and considering threat intelligence, for example whether ‘any results are returned that establish an actual or suspected link with a sanctioned party, or that give rise to AML [anti-money laundering] or counter-terrorism concerns’:[20]

  • Have other avenues been exhausted?
  • Is payment lawful?
  • Is there any other compelling reason not to pay?
  • Does the payment require consent of the insurer, vendor, an executive of the insured, or any other party?

Moreover, the LMA guidance explicitly defines threat intelligence-based steps that the insured must carry out before conducting any payment to a ransomware actor, which include:

  • blockchain analysis, including searches on relevant cryptocurrency wallet IDs and addresses, and exchanges;
  • threat intelligence, including searches related to tactics, techniques and procedures (TTPs), unique threat actor identifiers, ransomware variant names and malware campaigns; and
  • verification that the cybercriminal is real and credible, based on analysis that should include historical data or other warning signs.

Intelligence is clearly integral to a ransomware response in those cases where the organisation wants to seek coverage and reimbursement under a cyber insurance policy.

Another reactive scenario is one in which the forensics team locates an indicator of compromise for which it wants further intelligence gathering, for example, the discovery of a suspicious IP address, username or file cache, or maybe content from a phishing campaign that granted network access. A threat intelligence team should understand the holistic environment and provide insight into the attack details to aid the response.

Proactive: understand the organisation and the enemy

Proactive threat intelligence seeks what is unknown. In the initial stage of the threat intelligence cycle, goals are established and critical assets identified. Organisations that run a proactive threat intelligence programme conduct ongoing investigation into potential entry points, or vulnerabilities, across people, process and technology. This goes beyond automated scans conducted by threat hunting technologies and adds an important dimension: the expertise of human threat-hunters and analysts. With this intelligence, businesses can make better decisions about where to apply resources to address the most imminent threats. No organisation can take every security measure against every potential threat, thus proactive threat intelligence identifies worst case scenarios and strategically plans to manage and mitigate the risk of attack.

Criminal actors might be inside an organisation for weeks, months or even years before being detected. Citrix, for example, disclosed in March 2019 that malicious hackers had been inside its networks; the company later stated that they had been present for five months, taking personal and financial data on employees, contractors, interns, job candidates and their dependents. Shortly after the initial disclosure, a cybersecurity company presented intelligence that Iranian hackers were responsible, had been in Citrix’s network for years and had offloaded terabytes of data.[21] This example highlights the benefit of running a cyclical and proactive threat intelligence programme, which is, moreover, in line with the recent amendments to ISO/IEC 27002, which define guidance for a strategic, operational and tactical cyberthreat intelligence programme.

In cybersecurity, many risks and threats have a human element: a threat actor may seek to exploit a person’s capacity to trust or to make an error in order to introduce a vulnerability into an organisation. The human element can be a critical factor in insider threats, in which persons entrusted with access to an organisation’s systems and data pose a risk to cybersecurity. It is of the utmost importance that proactive threat intelligence programmes address this human element. The ICO fined a major insurer £175,000 for failing to take appropriate technical and organisational measures to protect personal data after an employee stole 547,000 customer records that were later offered for sale on the dark web.[22] Another insider risk is the senior executive who has been identified through a reconnaissance exercise. Once identified, a threat actor might run a phishing campaign to entice this executive to provide sensitive information or open a document. A proactive threat intelligence programme identifies senior leaders and other key employees, including the IT team, who are likely targets. Threat intelligence experts review the online footprint of these employees, putting themselves in the position of an attacker and looking for aspects of the footprint that might be of use. For example, discovering that a particular executive plays tennis might well lead to an attacker composing a phishing email offering a discount on tennis rackets; once the link is clicked, malware is downloaded. After sweeping these footprints, the threat intelligence team can advise the identified employees on steps to limit an attacker’s ability to gain access and educate them on how public information can be misused. The investigation is not limited to the individual: the social footprint of family members is equally important. Family members often provide a way in, and when threat actors place a senior figure under duress, the target is more likely to carry out an action that aids the attacker.

Sometimes a routine proactive intelligence scan becomes a reactive investigation. In a case involving a global travel agency, a proactive scan of the deep and dark web uncovered evidence of potentially fraudulent activity. Further investigation determined that a cyberattack was already underway, resulting in a large-scale reactive investigation with IR forensics and threat intelligence working in concert.

Into action: follow the Intelligence Cycle

Stage one: planning and direction

Write a clear mission statement that sets out the goals of the cyberthreat intelligence function. Next, conduct research to understand the organisation’s cyber environment, network maps, security controls and critical assets. Carry out a maturity assessment to understand capabilities and determine what needs to be altered or further developed. Then create a roadmap for how this is to be achieved, in line with established priority intelligence requirements (PIRs).

Stage two: collection

Understand the key sources of intelligence available to the organisation, from internal tools and systems that monitor or report on the environment to external open feeds or enterprise solutions. Identify intelligence gaps based on the PIRs. To enable collection, intelligence-sharing partnerships with industry peers may be useful.

Stage three: processing

Establish a process that details how the team will aggregate the collected data to extract the relevant information that meets the organisation’s needs. Threat intelligence platforms, both open source and enterprise solutions, are invaluable. Playbooks and standard operating procedures on how data is processed for various stakeholders, in terms of visualisations or metrics, are essential.

Stage four: analysis and production

Take all relevant data points into consideration using various intelligence frameworks. Retain an expert who can evaluate and interpret the data and explain how it relates to each stakeholder. The key question to answer is: ‘So what?’ Explain why this intelligence is relevant to the organisation, and produce intelligence products at speed, aimed at the identified stakeholders.

Stage five: dissemination

Identify the recipients of and stakeholders for the various intelligence products to ensure the programme delivers value to the wider security and business functions. Build playbooks detailing how to engage with the wider business and at what cadence. Solicit feedback from stakeholders; it is invaluable and essential.


[1] Cyber Security Intelligence (2022). ‘Corporate Attacks Up 50% Last Year.’ Research note. Retrieved from

[2] Allianz (2022). ‘Allianz Risk Barometer 2022.’ Research study. Retrieved from

[3] ZDNet (2021). ‘FBI, DOJ to treat ransomware attacks with similar priority as terrorism.’ Retrieved from

[4] British Broadcasting Corporation (BBC) (2020). ‘British Airways fined £20m over data breach.’ Retrieved from

[5] Information Commissioner’s Office (ICO) (2022). Penalty notice. Tuckers Solicitors LLP Monetary Penalty Notice. Retrieved from

[6] Aon (2022). ‘The Cyber Loop: A model for sustained cyber resilience.’ White paper. Retrieved from

[7] Aon (2021). ‘Balancing risk and opportunity through better decisions.’ White paper. Retrieved from

[8] ISO/IEC 27000:2018, 3.74.

[9] Financial Services Information Sharing and Analysis Center (FS-ISAC).

[10] QuoIntelligence (2021). ‘Fact Sheet ISO: Changes to ISO 27002 Include Addition of Threat Intelligence.’ Blog. Retrieved from

[11] US Army (1995). ‘Introduction to the Intelligence Cycle.’ Training guide. Retrieved from:

[12] ZeroFox (2021). ‘Understanding the Cyber Threat Intelligence Cycle.’ Blog. Retrieved from

[13] See footnote 12.

[14] Bank Information Security (2022). ‘Massive Breach Hits 500 e-Commerce Retailers.’ Article. Retrieved from

[15] See footnote 12.

[16] Orrick. Sussman, Heather (2022). ‘The ICO’s First Ransomware Monetary Penalty Notice: Key Takeaways.’ Article. Retrieved from. See also paragraphs 51–57 of the ICO’s fine notice: Information Commissioner’s Office (ICO) (2022). Tuckers Solicitors LLP Monetary Penalty Notice. Retrieved from

[17] See footnote 12.

[18] The American Lawyer (2021). ‘Jones Day 2nd Big Law Victim of Accellion Breach.’ Retrieved from

[19] US Treasury Department (2021). ‘Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.’ Retrieved from

[20] Lloyd’s Market Association (LMA) (2021). ‘Guidance for Handling a Ransomware Incident.’ Report. Retrieved from

[21] Krebs on Security (2020). ‘Hackers Were Inside Citrix for Five Months.’ Article. Retrieved from
