Role of Cyber Threat Intelligence

Cyber Threat Intelligence

Billington CyberSecurity’s 5th Innovation Round Table at the 13th Summit

Public, private, academic, and non-profit experts discussed the role and significance of cyber threat intelligence in the larger cybersecurity ecosystem at Billington’s 13th Summit in early September 2022. The group attempted to demystify and expand the types of cyber threat intelligence (CTI), highlighted key areas where CTI is impacting the cybersecurity arena, and identified areas where CTI could have larger impacts if further developed and used.

The group agreed that CTI constitutes more than the commonly held view of it as technical details focused on indicators of malicious activity. The group identified four buckets of CTI:

  • Technical: Indicators of malicious activity
  • Tactical: Details related to a specific impending malicious cyber event
  • Operational: Details about bad actor tactics or infrastructure
  • Strategic: Information about changing cyber risk

The group agreed that each type has its own time and place of application in improving the overall cybersecurity landscape, and that some entities are better than others at focusing on each type in terms of collection, sharing, and use. In particular, the group agreed that an understanding and use of each type at the various levels would likely have greater impacts on an organization’s cost-risk-benefit decision trees in both the private and public sectors.

The group discussed various CTI collection, sharing, and use cases that highlighted both its importance and impact. The group felt that recent case studies such as PIPEDREAM and a general increase in CISA/NSA/FBI cyber warnings showcased how moving CTI sharing farther to the left of the impact spectrum could significantly alter how both the private and public sectors protect themselves. While they felt more of this sharing was warranted, they also believed that greater sharing of incidents within the cyber community would provide significantly better and more up-to-date risk information, ultimately leading to more relevant CTI sharing from the intelligence and law enforcement communities.

The group also discussed how a greater emphasis on public-private engagement beyond CTI sharing could significantly improve the overall US cybersecurity posture, including greater collaboration in such areas as predictive data modeling, building a common CTI vocabulary, and automating CTI sharing directly into cybersecurity systems. The group believed that more analytic collaboration, in addition to CTI sharing, would provide a better collective understanding of risk and lead to more refined sharing. That, in turn, would lead to better proactive cyber hygiene and to greater recognition and prioritization by senior organizational leaders of why cybersecurity is important, resulting in both greater security and productivity.

In addressing the challenges of the future, the group focused on what was currently holding the overall community back from more effective collaboration. The key areas identified for continued work to improve the overall engagement arena were the continued unwillingness of some private sector organizations to highlight incidents for fear of exposing themselves to litigation, continued struggles to balance intelligence sharing with protecting sources and methods, and continued uncertainty about how to engage collaboratively in a legal and equitable way. The group did laud recent developments such as NSA’s Cyber Threat Collaboration Center and DHS’s Joint Cyber Defensive Collaborative as steps in the right direction, but noted that broader collaboration, particularly with smaller and mid-size companies, would only improve these areas.