Authored By: Andrew Dillin, Threat Intelligence Lead – Cyber & Physical at NatWest Group
A question posed to me following an earlier LinkedIn post of mine.
Is there a good way of working out if you are being targeted more than your peers? How sustained or capable the threat is, etc.?
Organizations will normally have a good view of their own threat landscape and an understanding of the threats they face. So what do you need in order to answer this effectively and at scale?
There are a few core elements required –
1. A strategic threat intelligence provider enhanced with other sources to enable threat actor alignment to Indicators of Compromise (IOCs).
2. A Threat Intelligence Platform (TIP) with built-in SOAR capabilities.
3. Effective log management across the organization, which can be queried by the TIP.
The key part now is to make all three of these components work in harmony.
Identify high-fidelity IOCs for the threat actors known to target your sector. This gives a focused initial view of your threat landscape and can be built out once you understand how much matching your log platform can sustain. Take that data set and run it actively against your security logs, with every observation flowing back into your TIP as a sighting against the actor concerned. This method is open to challenge, because an IOC may point at infrastructure shared between several threat actors (or at commodity infrastructure), so the result should be read as a caveated view of the groups that are potentially focused on your organization rather than as proof of targeting. Running this over time strengthens the understanding and, once the IOC set is broadened beyond your sector's usual actors, gives wider visibility of potential unexpected threats.
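As an added illustration (not code from the article, and not NatWest's tooling), the following Python runs a small actor-attributed IOC set over constructed log lines, splits the weight of any IOC attributed to more than one actor so that shared infrastructure does not inflate a single group's score, and emits sightings in a shape a TIP could ingest. The IOC values, actor names, log layout and weighting rule are all assumptions made for the example.

```python
"""Run actor-attributed IOCs against security logs and summarise hits per actor.

Added example, not code from the original article or from NatWest. The IOC set,
actor names and log lines are constructed for illustration (IPs from the RFC 5737
documentation ranges, example.* domains, a dummy hash); none is real intelligence.
"""
import ipaddress
import re
from collections import Counter

# Constructed IOC set: typed indicator -> set of actors the provider attributes it to.
# An indicator attributed to more than one actor is treated as shared infrastructure:
# it still produces a sighting, but its weight is split rather than counted in full.
IOC_ACTORS = {
    "ip:198.51.100.23": {"ACTOR-A"},
    "domain:login-secure-example.com": {"ACTOR-A"},
    "ip:203.0.113.77": {"ACTOR-A", "ACTOR-B"},   # shared between two tracked groups
    "sha256:" + "ab" * 32: {"ACTOR-B"},
    "domain:update.example.net": {"ACTOR-C"},
}

# Constructed proxy and EDR log lines in a key=value layout (assumed format).
SAMPLE_LOGS = [
    "ts=2024-03-01T10:00:01Z src=10.0.0.5 dst=198.51.100.23 host=login-secure-example.com action=allow",
    "ts=2024-03-01T10:02:11Z src=10.0.0.9 dst=203.0.113.77 host=cdn.example.org action=allow",
    "ts=2024-03-01T10:05:40Z src=10.0.0.5 dst=192.0.2.10 host=intranet.example.com action=allow",
    "ts=2024-03-01T11:15:00Z host=ws-042 event=file_create sha256=" + "ab" * 32,
    "ts=2024-03-01T12:00:00Z src=10.0.0.7 dst=203.0.113.77 host=update.example.net action=block",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(line):
    """Parse one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def indicators_from_event(event):
    """Derive typed indicator keys (ip:, domain:, sha256:) from an event's fields."""
    found = set()
    for field in ("src", "dst"):
        value = event.get(field)
        if not value:
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            continue
        found.add(f"ip:{value}")
    if "host" in event:
        found.add(f"domain:{event['host'].lower()}")
    if "sha256" in event:
        found.add(f"sha256:{event['sha256'].lower()}")
    return found


def match_logs(lines, ioc_actors=IOC_ACTORS):
    """Match every event against the IOC set.

    Returns (sightings, weighted, unique):
      sightings - one record per IOC hit, shaped for feeding back to the TIP;
      weighted  - Counter of hits per actor, shared IOCs split 1/N across actors;
      unique    - Counter of hits on IOCs attributed to exactly one actor.
    """
    sightings, weighted, unique = [], Counter(), Counter()
    for line in lines:
        event = parse_log(line)
        for indicator in sorted(indicators_from_event(event)):
            actors = ioc_actors.get(indicator)
            if not actors:
                continue
            shared = len(actors) > 1
            sightings.append({"ts": event.get("ts"), "indicator": indicator,
                              "actors": sorted(actors), "shared": shared})
            for actor in actors:
                weighted[actor] += 1.0 / len(actors)
                if not shared:
                    unique[actor] += 1
    return sightings, weighted, unique


def rank_actors(weighted, unique):
    """Order actors by weighted hits, breaking ties by unique (higher-confidence) hits."""
    return sorted(weighted, key=lambda a: (weighted[a], unique[a]), reverse=True)


if __name__ == "__main__":
    sightings, weighted, unique = match_logs(SAMPLE_LOGS)
    for actor in rank_actors(weighted, unique):
        print(f"{actor}: weighted={weighted[actor]:.1f} unique={unique[actor]} "
              f"shared_only={'yes' if unique[actor] == 0 else 'no'}")
    print(f"{sum(s['shared'] for s in sightings)} of {len(sightings)} sightings "
          "were on shared infrastructure")
```

The point of carrying both the weighted and the unique counts is the caveat in the paragraph above: an actor whose score rests entirely on shared infrastructure should be reported as such, not ranked alongside one with hits on indicators that only it is known to use.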
So, we now understand the threat that the organization faces, but how can you assess if other organizations are facing the same threats? The key to this is bi-directional intelligence sharing.
Ensure that you support your peers and share intelligence through multiple sharing networks to build a wider picture of targeting.
What next, and how is this linked to Strategic Risk Quantification…
Once you have identified your top 10 threat actors, it is time to explore Cyber Risk Quantification (CRQ). Map each actor's TTPs from MITRE ATT&CK, combined with your own intelligence, against your controls and rate how effective each control is against each technique. Red/purple team testing reports help support those effectiveness ratings, as they show what a control actually stopped rather than what it should stop. Combining the likelihood that an actor attacks you with the effectiveness of the controls on each step of its attack chain gives an overall likelihood of a successful attack.
The value of this work is that it lets you focus control investment on the weaker areas. Once the CRQ programme has matured, bring in financial data and agree risk appetite measures; running cyber scenarios across your business lines, based on the threats you most commonly face, supports this.
Once in place, this activity gives a clear view of the cost of enhancing a control set against the overall reduction in risk cost to the organization.
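The arithmetic behind the three paragraphs above, as an added worked example rather than the article's own model or NatWest's: each actor gets an annual attack likelihood and an ATT&CK technique chain, each technique a control effectiveness rating of the kind a purple team exercise produces, and the expected loss per actor is P(attack) x P(every step evades its control) x impact. The same functions then price a proposed control enhancement as risk reduction minus its cost. All actor names, probabilities, effectiveness ratings, loss figures and costs are constructed; the technique IDs are real ATT&CK identifiers used only as labels, and the chains assigned to the actors are assumptions.

```python
"""Worked cyber risk quantification: actor likelihood x control effectiveness x impact.

Added example, not the article's or NatWest's model. Actor names, attack
probabilities, control effectiveness ratings, loss figures and costs are all
constructed. The technique IDs are real MITRE ATT&CK IDs used as labels; the
chains assigned to each actor are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatActor:
    name: str
    p_attack: float    # annual probability the actor attempts the chain against you
    chain: tuple       # ATT&CK technique IDs the actor must execute in sequence
    impact: float      # loss if the whole chain succeeds (constructed, GBP)


# Constructed per-technique control effectiveness: probability the relevant
# control prevents, or detects and stops, that step. In practice this is where
# red/purple team results and your own intelligence feed in.
CONTROL_EFFECTIVENESS = {
    "T1566": 0.60,  # Phishing: mail filtering and user reporting
    "T1078": 0.40,  # Valid Accounts: MFA coverage gaps remain
    "T1059": 0.70,  # Command and Scripting Interpreter: EDR
    "T1021": 0.50,  # Remote Services: network segmentation
    "T1486": 0.30,  # Data Encrypted for Impact: backup immutability
    "T1041": 0.55,  # Exfiltration Over C2 Channel: egress controls
}

ACTORS = (
    ThreatActor("ACTOR-A", 0.80, ("T1566", "T1059", "T1021", "T1486"), 5_000_000),
    ThreatActor("ACTOR-B", 0.50, ("T1078", "T1021", "T1041"), 2_000_000),
    ThreatActor("ACTOR-C", 0.30, ("T1566", "T1059", "T1041"), 1_000_000),
)


def p_success(chain, effectiveness):
    """Probability that every step evades its control; steps treated as independent.

    A technique with no entry is assumed uncontrolled (effectiveness 0), which is the
    conservative choice when a gap in the control map is found.
    """
    p = 1.0
    for technique in chain:
        p *= 1.0 - effectiveness.get(technique, 0.0)
    return p


def expected_loss(actor, effectiveness):
    """Annual expected loss from one actor: P(attack) x P(success | attack) x impact."""
    return actor.p_attack * p_success(actor.chain, effectiveness) * actor.impact


def total_expected_loss(actors, effectiveness):
    return sum(expected_loss(a, effectiveness) for a in actors)


def rank_actors(actors, effectiveness):
    """Actors ordered by expected loss: the 'top N' list that drives investment."""
    return sorted(actors, key=lambda a: expected_loss(a, effectiveness), reverse=True)


def evaluate_control_change(actors, effectiveness, technique, new_eff, annual_cost):
    """Risk reduction and net benefit of raising one control's effectiveness.

    Returns (risk_reduction, net_benefit): net_benefit is risk reduction minus the
    annual cost of the enhancement, so a negative value means it does not pay back.
    """
    before = total_expected_loss(actors, effectiveness)
    after = total_expected_loss(actors, {**effectiveness, technique: new_eff})
    reduction = before - after
    return reduction, reduction - annual_cost


if __name__ == "__main__":
    for actor in rank_actors(ACTORS, CONTROL_EFFECTIVENESS):
        print(f"{actor.name}: P(success)={p_success(actor.chain, CONTROL_EFFECTIVENESS):.3f} "
              f"expected loss={expected_loss(actor, CONTROL_EFFECTIVENESS):,.0f}")
    print(f"total expected loss={total_expected_loss(ACTORS, CONTROL_EFFECTIVENESS):,.0f}")
    # Two candidate investments (constructed costs): compare their net benefit.
    for technique, new_eff, cost in (("T1078", 0.90, 40_000), ("T1566", 0.80, 60_000)):
        reduction, net = evaluate_control_change(ACTORS, CONTROL_EFFECTIVENESS,
                                                 technique, new_eff, cost)
        print(f"raise {technique} to {new_eff:.0%} at {cost:,}: "
              f"reduces risk by {reduction:,.0f}, net {net:,.0f}")
```

With these constructed figures the MFA improvement (T1078) touches only one actor's chain yet returns more net benefit than the phishing control (T1566) that sits in two chains, which is exactly the comparison the text describes: the cost of enhancing a control set against the reduction in risk cost it buys. The independence assumption between chain steps is the model's weakest point; a real programme would replace the product with scenario results where steps are correlated.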
Threat Intelligence has broader benefits and should be viewed as the Swiss Army Knife of the Security function.
About the Author: Andrew has over 12 years of experience in fraud and banking security and is now responsible for leading NatWest Group’s Cyber Threat Intelligence function. A respected member of the intelligence community, Andrew’s focus has been on automating intelligence and improving security controls to proactively mitigate cyber threats. He is passionate about collaborating with others and promotes the sharing of security threat information across the financial sector.