In the face of an economic downturn, if not outright recession, cyber-security budgets are being scrutinised right alongside everything else. Many CISOs question what’s being spent on Cyber Threat Intelligence (CTI). They’re forgetting – or maybe ignoring – the absolute necessity of CTI within a security operations center (SOC) environment. Funding CTI is critical for one simple reason: If you’re not worried about cyber-attacks, you’re not living in the modern world.
Existential crisis: Modern cyber-threats
Describing modern cyber-threats as potential existential threats is not alarmist; we offer here three of the most compelling reasons to treat cyber security as a sky-high priority:
- A cyber-attack can snuff out a business entirely, leaving nothing where once existed a healthy enterprise.
- The economic downturn has fueled the rise and ruthless persistence of ransomware operators, looking to capitalise on any weakness in a business.
- Remote working has expanded the attack ‘surface’ available to threat actors, leaving businesses more vulnerable to cyber-attacks than ever before.
In short, it’s a ‘Wild West’ environment of heightened vulnerability and hyper-aggressive cyber-attackers. The let’s-wait-and-see approach of the early 2000s is powerless when combating cyber-threats in this world.
What’s needed is a cyber-security approach that champions knowledge, foresight and preparation. CTI shifts cyber security from a reactive to a proactive posture and, when done right, gives the defender a ‘knowledge advantage’ over adversaries. And we all know that prevention is worth more than a cure.
Knowledge Advantage Defined
Borrowed from military terminology, ‘knowledge advantage’ stems from the supposition that success or failure within a conflict is decided by which side has the most knowledge: The side that knows the most wins the most.
Digging further into the concept, the late US Air Force Colonel John Boyd coined the abbreviation OODA:
- Observe: Observe your adversaries’ behaviours and gather insight into their tactics, techniques and procedures.
- Orient: Make sense of the observations to build up situational awareness for the decision context.
- Decide: Decide which course of action (COA) you are going to take.
- Act: Take the initiative and act.
Boyd believed that decision makers moved through their respective OODA loops at different speeds, and that whoever moved fastest would be victorious.
The OODA concept has proved just as applicable to cyber security as air warfare. While threat intelligence can input into all 5 of the OODA categories, CTI most obviously inputs into the “Observe” phase. During this phase the decision maker is most incentivized to actively seek input from intelligence professionals to aid decision making.
Knowledge in Action: The critical CTI Cog in the Security Wheel
Looking for a tangible example of how knowledge advantage works? Consider the MITRE ATT&CK framework; as most SOC teams know, it’s used to categorise gathered observations about a threat, presenting a body of knowledge that defenders can use to take action.
The MITRE ATT&CK breakdown of an advanced persistent threat (APT) actor in the figure below is a prime illustration of a knowledge advantage provided by CTI. Without tools like this, security defenders would struggle to understand what they’re up against, and stand a far lesser chance of warding off attacks.
Figure 1: MITRE ATT&CK categorisation of APT41 threat group, courtesy of Tidal Cyber
Within these tough economic times it can be hard to prioritise a security product that is less tangible than a new SIEM or SIM system; however, the spend in our view can be justified by the concept of Knowledge advantage that this blog has sought to outline.
The existential nature of modern cyber-threats demands that the security decision maker has a decisive knowledge advantage over the adversary. CTI provides that advantage, arming a SOC team with actionable facts they use to fortify an organisation. Slashing CTI budgets reduces security defence to a guessing game: Who will strike next, and how?