Applications for Cyber Threat Intelligence in SMBs (with Evie Manning & Michael Rush)

Host Geoff Hancock was joined by guests Mike Rush, Director of Threat Intelligence at Access Point Consulting, and Evie Manning, Senior Director of Threat Hunting and Intelligence at Access Point Consulting. Together, they talked about cyber threat intelligence and the applications that can make it work for small and medium-sized businesses.

Hancock began by noting that the whole notion of threat intelligence presents difficulties for smaller companies that lack the resources available to larger enterprises. With that, he promised that the conversation would be practical, offering information and advice that CISOs and company owners can use to build a function that is critical for effective cybersecurity.

Coming to Terms

Manning pointed out that cyber intelligence is data that's collected, processed, and analyzed by a company's analysts in order to understand a larger picture. They're trying to understand threat actors' behaviors, targets, and motives to drive faster, more informed, data-backed security decisions. Ultimately, effective cyber intelligence will allow a company to move from a reactive approach to cybersecurity to a proactive state.

Rush added that the key point is to have intelligence that a company can act on. This kind of information, he said, can range from broadly strategic to very specific TTPs (Tactics, Techniques, and Procedures) associated with individual threat actors. This characteristic of being acted upon, Hancock said, is a key difference between data and intelligence. Solid cyber threat intelligence provides information that lets a company be ready for a threat rather than simply reacting to the threat after the fact.

A Critical Part of the Whole

For cyber threat intelligence to be useful, the group agreed, it has to be part of an overall cyber strategy for a business. What assets does the business have—what is it trying to protect? Understanding those business assets, Manning said, is a great place to start.

Understanding the business itself is also critical, said Rush, because there is so much data that comes to an organization that has started a cyber threat intelligence program. Some of the threat information from various sources might well cover campaigns that target different types of companies and pose no threat to yours—it's important to know what can be ignored.

One thing that can't be ignored, though, is a company's supply chain. Hancock noted that supply chain breaches can have an outsized impact on a company and its ability to operate. Rush pointed out that most companies have multiple supply chains and the software supply chain can be a particularly tempting target for threat actors. The good news, Manning said, is that there are tools available to help assess and manage third-party risks. The bad news is that these tools must be understood and managed to be effective.

Making the Proactive Step

Every company wants to get ahead of the threat curve, said Manning, but part of a defense's nature is to be slightly behind at least some threat actors. While that's true, Rush said, being proactive doesn't always mean stopping an initial intrusion: it can mean discovering and responding to the attack while it's still in the initial reconnaissance phase.

Still, it's important to understand the intelligence and use available tools so that an organization's security analysts don't fall victim to alert fatigue. Sharing intelligence among analysts and sharing internally generated reports will help keep a team from re-investigating the same signals over and over again.

Asked about the most important take-aways, Rush said that a focus on TTPs is critical—what is being done is far more important than who might be doing it. And Manning reminded listeners that they have to look internally first. What do they care about, what are their capabilities, and what are their risks? From there, they can start to build out a proactive cybersecurity practice.
