Today, we are launching our new section "Make it Real," aimed at providing a practical implementation guide for a security measure or a specific requirement from the main security frameworks.
For this first edition, we will focus on a key measure from the new version of the ISO27001:2022 standard, namely: Threat Intelligence (A.5.7).
Let's have a look on the title of this control: "It is appropriate to collect and analyze information related to information security threats in order to produce threat intelligence." In terms of clarity, we're not doing so well, are we? 😇
To help us, let's take the example of a hypothetical company that we'll call Stroop. Stroop is a young tech company that develops SaaS software in the HR market and has about thirty employees (HR tech, you know it). Their platform is hosted on a typical cloud architecture and is accessible via web and API. Their technical stack is again quite standard, including front-end, back-end, CI/CD, and some vulnerability scanning on dependencies - all very typical.
Step 1 - Collection and Analysis
For Stroop (as for others), implementing a cyber threat intelligence strategy will involve setting up a system for collecting and analyzing information that will allow them to detect and understand potential risks to their IT infrastructure.
The first step is to identify where and how relevant information can be collected.
For Stroop, this could mean:
Automated Monitoring: Implementing monitoring tools that continuously scan cybercrime forums, the dark/deep web, security flaw reports, and vulnerability databases to alert the company of emerging threats that could target the technologies they use.
Security Alerts: Subscribing to security alert bulletins specific to their industry. Sources can be varied, but examples include:
Software and hardware security bulletins: Major software developers and hardware manufacturers regularly publish security bulletins about their products.
Alerts and bulletins from government agencies: Organizations such as ANSSI, CISA, NCSC, CERT(s), BSI (Germany), ACSC, CCCS are valuable allies and regularly publish security alerts.
Security research institute reports: Institutes like Symantec, McAfee, Kaspersky, Fireye, IBM X-Force publish periodic reports on cyber threat trends.
Information Sharing and Analysis Centers (ISACs): These groups allow companies in the same sector to exchange information on threats and best security practices.
Online security forums and communities: Platforms like Reddit, StackExchange, and specialized forums where security professionals discuss the latest threats and share advice.
External Collaboration: Participating in Information Sharing and Analysis Centers (ISACs) where companies in the same sector share intelligence on threats and best practices.
Once information is collected, it must be analyzed to determine its relevance (and handle redundancies!). For example, if a new vulnerability is discovered in a technology widely used in the organization's technical architecture, Stroop will need to assess whether its products or infrastructure are affected and, if so, measure the urgency of a security update.
Step 2 - Categorization of Threat Intelligence
At this stage, it's not yet about patching your machines or systems wildly; it will first be necessary to assess the degree of urgency (exposure surface), the degree of impact (sensitivity of the exposed assets), and the probability of occurrence (ease of execution). To do this, Stroop can use a scale (such as the one from risk analysis) to frame the analysis. Caution: remember to properly document the result of your analysis to constitute a piece of evidence and enrich your internal knowledge base!
💡The little extra: It could be relevant at this stage to write a security bulletin to be published on a document management platform (like Notion or Confluence) to warn the community (employees, partners, stakeholders) of the existence of a new threat under investigation. This will have the effect of increasing everyone's vigilance and contributing to the security culture within the company.
The first step in our analysis process: categorization. We could break it down into 3 categories:
Strategic
These insights encompass high-level information about global cyber threat trends. Take, for example, an annual cybersecurity report indicating an increase in phishing attacks targeting technology companies. Stroop could use this intelligence to raise employee awareness and revise its security policies, thus preparing the company to defend against these types of attacks.
Tactical
At this level, Stroop would focus on the methods used by cybercriminals. Imagine a specific vulnerability was discovered in a software component used by the organization. Tactical intelligence would allow Stroop's team to understand how this vulnerability could be exploited and to take steps to fix it before an attack occurs.
Technical
This intelligence is very detailed and technical, such as a virus signature or the exact method used to exploit a vulnerability. If a new type of malware is detected by the computer security community and Stroop recognizes this malware's signature on its systems, the company can then react immediately to isolate and eliminate the threat.
The key is to understand that these three layers of intelligence are not isolated; they complement each other. It's like a doctor who needs to know the symptoms of a disease (strategic), how it spreads (tactical), and the specific treatments to administer (technical).
In practice, this means that Stroop must not only be attentive to the evolution of threats at a macro level but also remain vigilant to the technical details that could have a direct impact on its operations. This involves training specialized employees or partnering with external security experts who can help interpret intelligence in a way that informs security decisions.
The categorization of threat intelligence is a dynamic process that requires a balance between strategic vision for information security and the ability to act quickly and knowledgeably in the face of specific threats. It's a demanding task but essential for maintaining the security of the company's digital assets.
Step 3 - Relevance, Contextualization.
Now that you have sorted the information, the crucial step is to project this threat onto your organization. Contextualization involves interpreting threat intelligence in light of Stroop's specifics.
This means understanding not just the nature of the threats but also their relevance to the company's specific environment. For example, if a new vulnerability is identified in widely used software, Stroop assesses the potential impact on its systems and determines the threat's criticality based on its own use of the software.
Relevance: Stroop must filter information to retain only what is truly relevant to its operations. For instance, a threat specifically targeting e-commerce platforms might be less relevant for a company focused on mobile app development.
Contextualization: Suppose Stroop learns about a new security flaw discovered in a popular framework it uses. The raw intelligence - the discovery of the flaw - needs to be contextualized: How does this affect its specific products? Have there been any reported exploits? Contextualization allows understanding not just what the threat is, but also its potential and immediate impact on the company.
The relevance and contextualization of threat intelligence are not just about gathering information; it's about filtering, analyzing, and acting on this information in a way that effectively protects the company. Ultimately, it's this ability to interpret and act on intelligence that will strengthen Stroop's overall security posture.
Step 4 - Action on Threats Intelligence
Once the intelligence is contextualized, Stroop may need to take action. Here's how the company could organize itself:
System Updates and Patching
Patch Evaluation: When new updates or patches are available, Stroop evaluates their relevance to its systems. This evaluation considers the criticality of vulnerabilities and compatibility with existing infrastructure.
Deployment Planning: Critical updates are planned and deployed quickly, while Stroop may opt for preliminary testing for less critical updates to ensure they do not negatively affect operations.
Long-term Vigilance:
After addressing the intelligence, the operation is not yet complete. Here are some additional actions to enhance the relevance of your implementation.
Regular Security Testing
-Penetration Testing and Security Audits: Stroop schedules regular penetration tests and security audits to assess the effectiveness of its protective measures and identify vulnerable areas. For example, Stroop specifically requests the pentester to test for vulnerabilities recently detected.
Staff Training and Awareness
Threat Updates: Stroop ensures its staff is regularly informed of the latest threats and trained on cybersecurity best practices. Note that awareness can also be achieved through tests (e.g., fake phishing).
Incident Response
Predefined Response Plans: In the event of an incident, Stroop activates its incident response plans, which will have been updated or created following the identification of a threat. These plans detail the steps to follow to contain, eradicate, and recover from a security breach.
Collaboration and Information Sharing:
Engagement with Third Parties: Stroop collaborates with other companies and cybersecurity organizations to share intelligence and best practices.
Une fois les renseignements contextualisés, Stroop doit (peut être) passer à l'action. Voici comment l'entreprise pourrait s'organiser :
CONCLUSION
In conclusion of our exploration of threat intelligence management at Stroop, it's vital to acknowledge that this collaborative approach greatly enhances knowledge enrichment and benefits the community. By gathering diverse information and contextualizing it accurately, Stroop can not only respond more knowledgeably to emerging threats but also assist other organizations in their preparedness.
However, it's crucial to emphasize that this discipline should not remain confined to a circle of experts. The simplification of these concepts and practices is fundamental for a broader understanding and participation within the organization. Every employee, regardless of their role, should have a basic understanding of cybersecurity and its impact on their daily work. This involves making information accessible and understandable, thereby transforming cybersecurity into a shared responsibility.
This approach also opens the door to deeper questions about the limits of this method. How do we balance the need to remain vigilant against threats while preserving ethical values such as respect for privacy and individual freedom? How far can we go in gathering information without crossing the line into intrusive surveillance? And how can we ensure that technology and data, although crucial in our fight against cyber threats, do not become tools for disproportionate power?