In a recent interview with Help Net Security, Jason Passwaters, CEO of Intel 471, delved into the importance of integrating cybercrime intelligence into an organization’s security strategy for proactive threat management. By staying ahead of adversaries, businesses can prevent security incidents or minimize their impact if they occur. Cybercrime intelligence acts as a crucial tool in providing insights to address security concerns before they escalate into major incidents. Passwaters emphasized that while intelligence alone is not a cure-all, it can significantly reduce response times and inform the nature of the response in the event of a security breach, thereby minimizing business impact and financial losses.
Measuring the effectiveness of intelligence efforts can be challenging, since it involves assessing events that were prevented or never materialized. However, by understanding the risks to the business, their potential impact, and the critical questions that must be answered to mitigate those risks, organizations can adopt a systematic approach to measurement. Frameworks such as the General Intelligence Requirements (GIR) framework and the Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) can help establish a foundation for measuring the success of intelligence efforts by evaluating how frequently and how efficiently those key questions are answered.
When it comes to data sources for cybercrime intelligence, Passwaters stressed the importance of covering adversaries through both historical and real-time sources. Valuable information can be obtained from the platforms where cybercriminals communicate and trade: social networks, chatrooms, and forums. Technical coverage, on the other hand, requires visibility into the tools adversaries use, which can be achieved through malware emulation across the different malware families cybercriminals deploy.
Passwaters also discussed the categorization of cyber threat actors and the key indicators used to identify them. Intelligence on adversaries and their tactics enables organizations to defend against attacks proactively rather than reactively. Adversary Intelligence, obtained through focused collection and analysis, provides insights into the methodology of top-tier cybercriminals, including their target selection, tools, associates, and enablers. This intelligence helps fraud, risk, security, and incident response teams respond faster and protect against cyber threats more efficiently.
In terms of sharing cybercrime intelligence between private sector organizations and law enforcement agencies, Passwaters recommended establishing clear internal guidelines and standard operating procedures. Intelligence sharing should adhere to the Traffic Light Protocol (TLP) to control dissemination appropriately and ensure the protection of sources and methods. Sharing should be purpose-driven, focused on countering threats or enabling others to do so, rather than sharing for the sake of it.
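The TLP discipline described above is usually enforced in tooling rather than by hand: each item of intelligence carries a label, and a release step decides which items may go to which audience and what label the resulting bundle inherits. The following is an added example, written for this page and not code from Intel 471 or from the interview. It encodes the FIRST TLP 2.0 label definitions (TLP:RED, TLP:AMBER+STRICT, TLP:AMBER, TLP:GREEN, TLP:CLEAR); the audience categories (`named_recipient`, `own_org`, `client`, `community`, `public`), the record layout, and the sample items are assumptions made for the example. Unlabeled items are withheld (fail closed), and a bundle inherits the most restrictive label among the items actually released.

```python
"""TLP 2.0 dissemination gate (added example; not Intel 471 code).

Audience categories and the record format are assumptions for this example.
The label definitions follow FIRST's TLP 2.0 (2022):
  RED           - named recipients only, no further disclosure
  AMBER+STRICT  - the recipient's organization only
  AMBER         - the recipient's organization and its clients, need-to-know
  GREEN         - the wider community (peers/partners), not public channels
  CLEAR         - no restriction on disclosure
"""
from __future__ import annotations

# Ordered from most to least restrictive.
TLP_ORDER = ["TLP:RED", "TLP:AMBER+STRICT", "TLP:AMBER", "TLP:GREEN", "TLP:CLEAR"]

# Assumed audience categories (simplification of the spec wording).
AUDIENCES = {"named_recipient", "own_org", "client", "community", "public"}

# Audiences each label permits, derived from the definitions above.
PERMITTED = {
    "TLP:RED":          {"named_recipient"},
    "TLP:AMBER+STRICT": {"named_recipient", "own_org"},
    "TLP:AMBER":        {"named_recipient", "own_org", "client"},
    "TLP:GREEN":        {"named_recipient", "own_org", "client", "community"},
    "TLP:CLEAR":        AUDIENCES,
}


def normalize(label: str) -> str:
    """Canonicalize case/whitespace; map the retired TLP 1.0 name; reject unknowns."""
    lab = label.strip().upper().replace(" ", "")
    if lab == "TLP:WHITE":          # TLP 1.0 name, replaced by CLEAR in 2.0
        lab = "TLP:CLEAR"
    if lab not in PERMITTED:
        raise ValueError(f"unknown TLP label: {label!r}")
    return lab


def may_share(label: str, audience: str) -> bool:
    """True if an item carrying `label` may be disclosed to `audience`."""
    if audience not in AUDIENCES:
        raise ValueError(f"unknown audience: {audience!r}")
    return audience in PERMITTED[normalize(label)]


def most_restrictive(labels) -> str:
    """A bundle of items inherits the tightest label among them."""
    norm = [normalize(l) for l in labels]
    if not norm:
        raise ValueError("no labels supplied")
    return min(norm, key=TLP_ORDER.index)


# Constructed sample records (not real indicators).
SAMPLE_ITEMS = [
    {"id": "ioc-1", "tlp": "TLP:GREEN", "value": "c2 domain seen in forum sale"},
    {"id": "ioc-2", "tlp": "tlp:amber", "value": "victim-specific access listing"},
    {"id": "ioc-3", "tlp": "TLP:WHITE", "value": "hash from a public advisory"},
    {"id": "ioc-4", "tlp": None,        "value": "raw chatroom scrape"},
]


def release_bundle(items, audience: str) -> dict:
    """Split `items` into what may go to `audience` and what must be withheld.

    Returns {"label": bundle label or None, "released": [...], "withheld": [(id, reason), ...]}.
    Missing or malformed labels fail closed.
    """
    if audience not in AUDIENCES:
        raise ValueError(f"unknown audience: {audience!r}")
    released, withheld = [], []
    for it in items:
        raw = it.get("tlp")
        if raw is None:
            withheld.append((it["id"], "no TLP label; withheld (fail closed)"))
            continue
        try:
            lab = normalize(raw)
        except ValueError as exc:
            withheld.append((it["id"], str(exc)))
            continue
        if audience in PERMITTED[lab]:
            released.append({**it, "tlp": lab})
        else:
            withheld.append((it["id"], f"{lab} does not permit disclosure to {audience}"))
    label = most_restrictive(r["tlp"] for r in released) if released else None
    return {"label": label, "released": released, "withheld": withheld}


if __name__ == "__main__":
    for aud in ("own_org", "community", "public"):
        out = release_bundle(SAMPLE_ITEMS, aud)
        print(aud, out["label"], [r["id"] for r in out["released"]], out["withheld"])
```

The bundle label matters in practice: a TLP:GREEN feed that quietly includes a single TLP:AMBER item has leaked it, so the release step marks the bundle with the tightest label of what it actually contains and refuses anything without a label rather than guessing.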
For organizations looking to strengthen their cybercrime intelligence capabilities, Passwaters emphasized the importance of understanding the business first. Intelligence practitioners should engage with stakeholders to identify significant risks and establish a requirements-driven program. It is essential to prioritize building a solid foundation before investing in technology or expanding personnel. By following frameworks like the GIR framework and the CTI-CMM, organizations can enhance their intelligence capabilities effectively and efficiently.