Page 23 - cdm-2014
potential impact of information loss. Intelligence collection should be informed by an
understanding of priority assets, possible threats and vulnerabilities.
Gathering relevant information
Gathering relevant information is the first step toward generating actionable intelligence. This
activity represents the largest proportion of budget because of the effort and expense of
collecting information from diverse sources. Obtaining information about cyber adversaries is a
challenge due to the global nature of the threat and the inability of many organizations to exploit
useful information that often resides in their own systems.
The complex nature of security threats makes it difficult to see the complete picture. It is
only through collaboration that information can be gathered together and the different
dimensions of the problem brought into focus.
Analyzing information to create intelligence
Once information has been gathered, a systematic analytical approach is critical. Three
hallmarks of this approach are highlighted here.
The ability to search and cross-reference data across multiple systems. Although this may
sound simple, many organizations do not properly store and, subsequently, interrogate
information relevant to cyber threats. Although the cost of storage may act as a strong argument
for not doing so, the real reason is often a lack of understanding of what to look for. Mature
organizations are increasingly considering the use of analytical tools that seek to identify
potential threats by monitoring activity across systems to spot patterns, trends and suspicious
activity.
Using analytical frameworks to build threat profiles. Many law enforcement and intelligence
organizations analyze information from the viewpoints of victims, property, locations, offenders
and time. These can be applied directly to cyber threats in the following manner:
Offender: What do you know about the people/organizations responsible for the attacks and
what is their modus operandi?
Victim: Is there anything about your business operations that makes you a target for cyber-
attack?
Property: What information assets are you trying to protect and what is the perceived risk to the
security of each asset?
Location: Where (physically and virtually) are the information assets you wish to protect held?
Time: Are there any temporal patterns regarding cyber-attacks and, similarly, are your
information assets more vulnerable at certain times?
Intelligence products or reports must be tailored to the needs of customers. This requires a
mature and continuous dialogue to understand customer requirements and to regularly review