Threat intelligence as a function of a regular business returns little to no value to the organisation. The skill-sets could be better used for threat hunting and analysis, which are proactive approaches to cybersecurity and have a direct positive impact on the business.
I should clarify that threat intelligence in this article is the act of identifying the threat actor. This is often done to anticipate future malicious techniques and tactics.
My opening question is this: Would your organisation change its cybersecurity posture knowing that threat actor A and threat actor B swapped their techniques and tactics that were being used against your organisation?
If the answer is no, then there is no benefit in knowing “who” is behind an attack. You already understand that it’s the attack that matters, not the “who”. If the answer is yes, then your organisation’s resource deployment is poorly managed and correcting that should be the priority.
One could argue that their organisation lacks the resources to cover every aspect of its security and can only focus on one aspect at a time; threat intelligence is then justified on that basis, unreasonably in my view. That approach is like the Eye of Sauron, looking in only one direction at a time. Most organisations can implement best practices (to some degree) across a spread of key areas such as authentication and authorisation, patch management, vulnerability management, policies and procedures, and management’s support. In this way, the Eye of Sauron can be replaced with the Eye of Providence: it is better to see everything (even if limited in depth) than to see one thing at a time (in great depth).
I started this article with the phrase “little to no value” for a typical organisation. There are organisations that could benefit: law enforcement, the military, intelligence agencies and others in that space. Those outside it will gain an understanding of the threat landscape which, while interesting, returns far less in the way of cybersecurity defence than the proactive approach of threat hunting and preparedness.
Remember, we’re not comparing threat intelligence to general cybersecurity activities, we’re exploring how resources could be better utilised within an organisation.
Threat hunting is the act of searching for indicators of threat actor activity within the organisation. The idea is that a team of (ideally dedicated) professionals trained to identify indicators of compromise (IoCs) is constantly on the lookout and, as part of a defined process, can initiate mitigation efforts by the relevant teams. The IoCs could also result from penetration testers rather than real threat actors.
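As an added illustration of what a hunt looks like in practice (this is example code written for this page, not something from the original article), the script below runs two kinds of hunt over constructed log lines: an atomic-indicator hunt that matches domains, IPs and file hashes against a known-bad list, and a behavioural hunt that looks for techniques (an Office application spawning a shell; a login success directly after repeated failures). The log format, hostnames, indicator values and hashes are all hypothetical. Neither hunt needs to know which actor is behind the activity, which is the point of the article.

```python
import re
from collections import Counter

# Constructed indicator lists for illustration only (hypothetical values, not real threat data).
# The hash is SHA-256 of the string "test", used as a stand-in for a known-bad file hash.
IOC_DOMAINS = {"update-check.example.net"}
IOC_IPS = {"203.0.113.42"}
IOC_SHA256 = {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}

# Technique-based rule: these parents should not normally spawn a command interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}

# Constructed sample log lines (key=value, one event per line). Hosts and users are fictional.
SAMPLE_LOGS = [
    "ts=2024-03-01T09:12:04Z src=proxy host=ws-017 dst=cdn.example.org dst_ip=198.51.100.7",
    "ts=2024-03-01T09:12:09Z src=edr host=ws-017 parent=winword.exe child=powershell.exe "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "ts=2024-03-01T09:12:11Z src=proxy host=ws-017 dst=update-check.example.net dst_ip=203.0.113.42",
    "ts=2024-03-01T09:15:40Z src=auth host=ws-017 user=jsmith result=fail",
    "ts=2024-03-01T09:15:41Z src=auth host=ws-017 user=jsmith result=fail",
    "ts=2024-03-01T09:15:45Z src=auth host=ws-017 user=jsmith result=success",
    "ts=2024-03-01T10:02:00Z src=edr host=ws-022 parent=explorer.exe child=cmd.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def hunt_iocs(lines):
    """Atomic-indicator hunt: (line number, indicator type, value) for every known-bad match."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse(line)
        if ev.get("dst") in IOC_DOMAINS:
            hits.append((n, "domain", ev["dst"]))
        if ev.get("dst_ip") in IOC_IPS:
            hits.append((n, "ip", ev["dst_ip"]))
        if ev.get("sha256") in IOC_SHA256:
            hits.append((n, "sha256", ev["sha256"]))
    return hits


def hunt_office_spawning_shell(lines):
    """Technique hunt: an Office parent process spawning a shell, whoever is behind it."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse(line)
        parent, child = ev.get("parent", "").lower(), ev.get("child", "").lower()
        if parent in OFFICE_PARENTS and child in SHELLS:
            hits.append((n, ev["host"], f"{parent} -> {child}"))
    return hits


def hunt_password_guessing(lines, threshold=2):
    """Technique hunt: a login success that directly follows `threshold` or more failures
    for the same user. The failure counter resets on every success."""
    fails = Counter()
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse(line)
        if ev.get("src") != "auth":
            continue
        user = ev["user"]
        if ev["result"] == "fail":
            fails[user] += 1
        else:
            if fails[user] >= threshold:
                hits.append((n, ev["host"], user, fails[user]))
            fails[user] = 0
    return hits


def hosts_to_triage(lines):
    """Collapse all hits by host so the responding team gets one work item per host."""
    per_host = Counter()
    for n, _, _ in hunt_iocs(lines):
        per_host[parse(lines[n - 1])["host"]] += 1
    for _, host, _ in hunt_office_spawning_shell(lines):
        per_host[host] += 1
    for _, host, _, _ in hunt_password_guessing(lines):
        per_host[host] += 1
    return dict(per_host)


if __name__ == "__main__":
    for hit in hunt_iocs(SAMPLE_LOGS) + hunt_office_spawning_shell(SAMPLE_LOGS) + hunt_password_guessing(SAMPLE_LOGS):
        print("hit:", hit)
    print("triage:", hosts_to_triage(SAMPLE_LOGS))
```

The indicator hunt is only as good as the list it is given, which is where outside feeds earn their keep; the behavioural hunts keep working when the indicators change, which is why the article argues that the technique, not the actor, is what the organisation should be resourced to find.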
Consider this analogy of police and firefighters. It is the responsibility of the fire department to prepare for fires, identify fires, respond to fires, and identify the cause of the fire. It is the responsibility of the police to apprehend the arsonist (assuming there is one) and bring them to justice. There is a small amount of overlap between the police and the firefighters. For example, the firefighters may be able to identify clues that could assist the police in their efforts.
In the above analogy, the typical business is the fire department. A business will lock doors and windows and install security cameras in an effort to protect itself. If the business is broken into and items are stolen, it makes sense to hand over the security camera footage to the police. The same applies to informational assets: logs and other artifacts can be provided to law enforcement, although this depends on the cybersecurity maturity of the relevant authorities. Some countries have laws that require it, while others may not have the capacity to act even if there were laws requiring it.
By shifting the threat intelligence energy over to threat hunting and analysis, an organisation puts its limited resources to more effective use.