
Crafting Your Cyber Threat Intelligence Driven Playbook

Threat Intelligence Playbook

The idea behind cyber threat intelligence is that it should drive better security decisions and, as a result, better outcomes.

Intel provides insights so that decision-makers are well informed of their risk, the relevant impending threats, the potential impact and the best course of action to take for the strongest cyber defense. There are many different approaches to threat intelligence, from the type (strategic, operational, tactical/technical) to the delivery (feed, software, full-service solution) to the processes and people involved in creating and consuming the intel.

My last several articles categorized and drilled down into the different areas of threat intelligence, and now I want to shift into more of an outcome-oriented discussion. I say outcome as opposed to action because actions are just work… the real value of good threat intelligence is seen when you can change an outcome for the better. A good way to operationalize your intel is to go through different real-life scenarios and put together playbooks that document how you will manage security challenges based on the intel provided.

Let’s start with an easy example: a security challenge you want to defend against, such as phishing. Intel can show you the top malware variants as well as the most common payload delivery mechanisms associated with them. Most phishing attacks have used spear-phishing techniques that deliver a payload exploiting document macros in order to gain unauthorized access or deploy a ransomware variant. Therefore your playbook should reflect, beyond blocking the emails, efforts that halt delivery of the payload, which means stopping the macro from executing.

The desired outcome is to remove the opportunity you present for these threats to take advantage of; without opportunity there is no threat. In this example there is typically a required “User Interaction Point”, in the form of the user enabling a macro, before the payload can be delivered; by removing that user interaction point you mitigate the threat. Keeping with this example, your playbook should call a play to halt payload delivery by removing the user's ability to initiate a macro.

When I use this “macro” example in discussions or presentations, the first thing I ask people is when they last used a macro. Except for a handful of CFOs I have met over the years, the common answer is very rarely, if ever. To be honest, in the 20 years I have been working in the technology field I have yet to use a macro in any shape or form. The point is to highlight that the user impact of removing the ability to kick off a macro is small.

So how do you go about halting payload delivery by disabling a tool that is barely used by your user population? Easy: you push a GPO that has been around for a while. You can refer to this post: For users that need to use macros, generate a digital signature for that user base and digitally sign their macros so they are trusted.
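The two plays above (block unsigned macros for everyone, keep signed macros working for the few who need them) map onto Office's policy registry values, which is what the Office Administrative Template GPO writes. The script below is an added example and not code from the article; it applies the same values locally for a test machine and then audits whether each application is compliant, which is the check you would want before and after the GPO rollout. It assumes an Office 2016-or-later installation (policy path version `16.0`) and covers only Word, Excel and PowerPoint; the application list and the `desiredVbaWarnings` choice are this example's own.

```powershell
# Added example (not from the original article): local equivalent of the
# "disable macros" GPO play plus an endpoint-side compliance check.
# Assumption: Office 2016/2019/365, whose user policy keys live under
# HKCU\Software\Policies\Microsoft\Office\16.0\<App>\Security.

$officeVersion = '16.0'                       # assumption: Office 2016 or later
$apps = @('Word', 'Excel', 'PowerPoint')      # our own choice of applications

# VBAWarnings values as defined by the Office policy template:
#   1 = enable all macros
#   2 = disable all with notification (the default, and the "Enable Content" lure)
#   3 = disable all except digitally signed macros
#   4 = disable all without notification
# 3 keeps the signed-macro play working for the CFO-type users; use 4 where nobody needs macros.
$desiredVbaWarnings = 3

function Set-MacroPolicy {
    param([string]$App)
    $path = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # Only macros signed by a trusted publisher may run
    Set-ItemProperty -Path $path -Name 'VBAWarnings' -Type DWord -Value $desiredVbaWarnings
    # Additionally block macros outright in files that carry the Mark-of-the-Web
    # (downloaded files and mail attachments), which is where phishing payloads arrive
    Set-ItemProperty -Path $path -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
}

function Test-MacroPolicy {
    param([string]$App)
    $path = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
    $current = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    # Compliant when unsigned macros are disabled (3 or 4) and internet-sourced macros are blocked
    [pscustomobject]@{
        Application         = $App
        VBAWarnings         = $current.VBAWarnings
        BlockInternetMacros = $current.blockcontentexecutionfrominternet
        Compliant           = ($current.VBAWarnings -ge 3) -and
                              ($current.blockcontentexecutionfrominternet -eq 1)
    }
}

foreach ($app in $apps) { Set-MacroPolicy -App $app }

# Audit: every row should report Compliant = True once the policy has applied
$apps | ForEach-Object { Test-MacroPolicy -App $_ } | Format-Table -AutoSize
```

In a real deployment you would set these values through the Office Administrative Templates in Group Policy rather than writing the registry directly, and keep only the `Test-MacroPolicy` half as a scheduled compliance check; a user who can edit their own `HKCU` policy keys is the reason the GPO, not the local script, is the control of record.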

If you understand what these threats are exploiting, and know your environment, you should be able to map out the most effective countermeasures. Each organization should look at countermeasures in terms of what is relevant to them: the level of effort and cost to implement, as well as the potential threat impact, may differ per organization. Mapping this out can help you prioritize which countermeasures to deploy. In this scenario, the play called had a high impact on the threat, a low impact on the user, and a low cost to deploy.

Additionally, your playbook should go beyond countermeasures that proactively prevent bad things from happening… it should also include incident and breach response processes, because ultimately you cannot prevent every threat. Having intel play a role in your IR/BR process can speed the response, improve its effectiveness and also loop back into your countermeasures to help prevent future attacks. Run through the different scenarios and the options to consider so that the response is well thought out, agreed upon and carried out as quickly and effectively as possible.

With sound cyber threat intelligence informing these plays in your book, you have practical methodologies to both proactively mitigate and more quickly and effectively respond to specific threats.

Adam Meyer is Chief Security Strategist at SurfWatch Labs. He has served in leadership positions in the defense, technology, and critical infrastructure sectors for more than 15 years. Prior to joining SurfWatch Labs, he was CISO for the Washington Metropolitan Area Transit Authority. He formerly served as the Director of Information Assurance and Command IA Program Manager for the Naval Air Warfare Center, Naval Air Systems Command, one of the Navy's premier engineering and acquisition commands. Mr. Meyer holds undergraduate and graduate degrees from American Military University and Capitol College.