Maximizing the impact of cybercrime intelligence on business resilience


In this Help Net Security interview, Jason Passwaters, CEO of Intel 471, discusses how integrating cybercrime intelligence into an organization’s security strategy enables proactive threat management and how measuring intelligence efforts can help mitigate risks before they escalate.

Passwaters also shares best practices for building a robust intelligence program, focusing on data sources, adversary identification, and collaboration between the private sector and law enforcement.

How does integrating cybercrime intelligence into an organization’s security strategy help in proactive threat management? How can organizations measure the effectiveness of their cybercrime intelligence efforts?

The majority of businesses will be affected by cybercriminals in some way. Those that are unprepared could suffer massive impact to their business. Those that are prepared can either prevent such incidents entirely or respond to minimize their impact. Cybercrime intelligence enables you to keep your finger on the pulse of the adversary, providing the insights needed to address security concerns proactively before they escalate into full-blown incidents. However, intelligence alone is not a silver bullet. In the event of an incident, cybercrime intelligence can significantly reduce response times and inform the nature of the response, dramatically minimizing both business impact and financial losses.

Measuring the effectiveness of intelligence is a common challenge, as it can be difficult to assess the impact of events that were prevented or never occurred. However, given a deep understanding of risks to your business, the potential impact if realized, the critical questions that must be answered to mitigate these risks and adequate coverage of the adversary, organizations can adopt a programmatic approach to measuring effectiveness and overall value. It becomes a matter of evaluating how frequently and effectively your intelligence efforts address the essential questions needed to mitigate risk and minimize impact.

In the intelligence field, this process revolves around building a requirements-driven intelligence capability, which forms the foundation of any successful program and provides a framework for measuring its effectiveness. To support this, tools such as the General Intelligence Requirements (GIR) framework and the Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) have been developed to help organizations establish this foundational approach. By consistently monitoring and measuring how often—and how effectively—these key questions are answered, organizations can better gauge the success of their intelligence efforts.
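The measurement approach described in this answer (a register of critical questions, and a running tally of how often and how effectively each is answered) can be made concrete in a few lines of code. The following Python is an added illustration, not code from Intel 471, the GIR framework or the CTI-CMM; the requirement ids, questions, dates and report tags are constructed sample data, and the metric names are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Requirement:
    rid: str        # requirement id (constructed; not an entry from the GIR framework)
    question: str   # the critical question the business needs answered
    priority: int   # 1 = highest


@dataclass(frozen=True)
class Report:
    report_date: date
    requirements: Tuple[str, ...]   # ids of the requirements this report addresses
    actioned: bool                  # whether a stakeholder acted on it (block, patch, hunt, ...)


def coverage_metrics(requirements, reports, today, window_days=90):
    """Per requirement: how often it was addressed inside the window, how often that
    led to action, and how many days since it was last addressed at all (None = never)."""
    cutoff = today.toordinal() - window_days
    in_window: Dict[str, List[Report]] = defaultdict(list)
    last_seen: Dict[str, date] = {}
    for rep in reports:
        for rid in rep.requirements:
            if rep.report_date.toordinal() >= cutoff:
                in_window[rid].append(rep)
            if rid not in last_seen or rep.report_date > last_seen[rid]:
                last_seen[rid] = rep.report_date
    metrics = {}
    for req in requirements:
        reps = in_window.get(req.rid, [])
        actioned = sum(1 for r in reps if r.actioned)
        metrics[req.rid] = {
            "reports": len(reps),
            "actioned": actioned,
            "action_rate": actioned / len(reps) if reps else 0.0,
            "days_since_last": (today - last_seen[req.rid]).days if req.rid in last_seen else None,
        }
    return metrics


def priority_gaps(requirements, metrics, max_priority=1, max_days=30):
    """High-priority requirements that have gone unanswered for too long, or ever."""
    gaps = []
    for req in requirements:
        if req.priority > max_priority:
            continue
        days = metrics[req.rid]["days_since_last"]
        if days is None or days > max_days:
            gaps.append(req.rid)
    return gaps


# Constructed sample data so the block runs stand-alone.
SAMPLE_REQUIREMENTS = [
    Requirement("IR-1", "Which ransomware operators are targeting our sector?", 1),
    Requirement("IR-2", "Are credentials for our domains being sold in underground markets?", 1),
    Requirement("IR-3", "Which initial-access malware families are active in our region?", 2),
]
SAMPLE_REPORTS = [
    Report(date(2024, 3, 1), ("IR-1",), True),
    Report(date(2024, 3, 10), ("IR-1", "IR-3"), False),
    Report(date(2024, 1, 5), ("IR-2",), True),   # older than the 60-day window used below
]
SAMPLE_TODAY = date(2024, 3, 15)


def run_sample():
    metrics = coverage_metrics(SAMPLE_REQUIREMENTS, SAMPLE_REPORTS, SAMPLE_TODAY, window_days=60)
    gaps = priority_gaps(SAMPLE_REQUIREMENTS, metrics, max_priority=1, max_days=30)
    return metrics, gaps


if __name__ == "__main__":
    sample_metrics, sample_gaps = run_sample()
    for rid, m in sample_metrics.items():
        print(rid, m)
    print("priority gaps:", sample_gaps)
```

The two numbers worth reporting to leadership are the action rate per requirement (intelligence that is produced but never acted on is a coverage or relevance problem) and the list of priority gaps (a priority-1 question nobody has answered in a month is a risk the program is blind to).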

What are the primary data sources for cybercrime intelligence?

An intelligence capability is only as effective as its coverage of the adversary. A robust program ensures historical coverage for context, near-real-time coverage for timely responses to immediate threats, and depth of coverage for sufficient understanding. Cybercrime intelligence coverage encompasses both human and technical data. Valuable sources of information include any platforms where cybercriminals gather to communicate, coordinate, or trade, such as social networks, chatrooms, forums and direct one-on-one interactions.

Technical coverage requires visibility into the tools used by adversaries. This coverage can be obtained through programmatic malware emulation across the full spectrum of malware families deployed by cybercriminals, ensuring comprehensive insights into their activities in a timely and ongoing manner.

How do you categorize cyber threat actors, and what key indicators help identify them?

Cybercriminals launch cyber attacks for monetary gain with increasingly significant and harmful effects on business operations. Timely and relevant intelligence exposes these adversaries and their tools, techniques, and procedures (TTPs), empowering organizations to be proactive in evading these attacks.

Adversary Intelligence is produced from a focused collection, analysis and exploitation capability and curated from where threat actors collaborate, communicate and plan cyber attacks. Obtaining and utilizing this Intelligence provides proactive and groundbreaking insights into the methodology of top-tier cybercriminals – target selection, assets and tools used, associates and other enablers that support them.

Adversary Intelligence satisfies business-critical operations. Intelligence, fraud, risk, security and incident response teams need sophisticated and professional intelligence capabilities that allow them to respond faster, defend proactively and protect efficiently. As these insights reveal top-tier cybercriminals and their operations, tracking the most sophisticated and successful cybercriminals requires placement and access within the cyber underground and local contacts where they operate. This requirement cannot be solved solely with technology or data scraping; without experienced intelligence professionals, it is a partial solution.

What are the best practices for sharing cybercrime intelligence between private sector organizations and law enforcement agencies?

Organizations should establish clear internal guidelines and standard operating procedures for sharing intelligence with private sector entities and law enforcement. The intelligence community (IC) operates under the guiding principle of protecting sources and methods at all costs. The private sector intelligence community follows a similar philosophy. An intelligence sharing program should ensure that sharing does not introduce legal or other risks to the business, safeguards sources and methods, adheres to vendor agreements and maintains trust with established trust groups and colleagues.

All information sharing should align with the Traffic Light Protocol (TLP), developed by FIRST, to ensure controlled and appropriate dissemination. Additionally, sharing activities should be carefully tracked, documenting when, what and with whom information was shared for future reference.

Lastly, intelligence sharing should be purpose-driven, focused on countering threats, stopping immediate attacks or enabling others to do so—not merely for the sake of sharing.
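The three sharing rules in this answer (disseminate only as the TLP label permits, record when, what and with whom something was shared, and share only for a stated purpose) are simple enough to enforce in code. The Python below is an added example, not code from Intel 471 or from FIRST; the audience categories, the ledger structure and the report id are assumptions made for the illustration, while the label-to-audience mapping follows the published TLP 2.0 definitions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional


class TLP(Enum):
    """FIRST TLP 2.0 labels, most to least restrictive."""
    RED = "TLP:RED"
    AMBER_STRICT = "TLP:AMBER+STRICT"
    AMBER = "TLP:AMBER"
    GREEN = "TLP:GREEN"
    CLEAR = "TLP:CLEAR"


class Audience(Enum):
    INTERNAL = "internal"      # staff of the organization holding the item
    CLIENT = "client"          # that organization's own clients
    COMMUNITY = "community"    # sector peers / trust group, not the public
    PUBLIC = "public"


# Onward-sharing audiences each label permits under TLP 2.0. TLP:RED is restricted to the
# original participants, so no onward sharing to any audience category is permitted.
ALLOWED_AUDIENCES = {
    TLP.RED: frozenset(),
    TLP.AMBER_STRICT: frozenset({Audience.INTERNAL}),
    TLP.AMBER: frozenset({Audience.INTERNAL, Audience.CLIENT}),
    TLP.GREEN: frozenset({Audience.INTERNAL, Audience.CLIENT, Audience.COMMUNITY}),
    TLP.CLEAR: frozenset(Audience),
}


def parse_tlp(marking: str) -> TLP:
    """Normalize a marking copied from a report header, e.g. 'tlp:amber+strict'."""
    normalized = marking.strip().upper().replace(" ", "")
    for label in TLP:
        if label.value == normalized:
            return label
    raise ValueError(f"unknown TLP marking: {marking!r}")


def can_share(label: TLP, audience: Audience) -> bool:
    return audience in ALLOWED_AUDIENCES[label]


@dataclass(frozen=True)
class ShareRecord:
    when: datetime
    item_id: str
    label: TLP
    recipient: str
    audience: Audience
    purpose: str
    allowed: bool
    reason: str


@dataclass
class ShareLedger:
    """Records every sharing decision, refused ones included, for later reference."""
    records: List[ShareRecord] = field(default_factory=list)

    def share(self, item_id: str, label: TLP, recipient: str, audience: Audience,
              purpose: str, when: Optional[datetime] = None) -> ShareRecord:
        when = when or datetime.now(timezone.utc)
        if not purpose.strip():
            allowed, reason = False, "no stated purpose"
        elif not can_share(label, audience):
            allowed, reason = False, f"{label.value} does not permit sharing with {audience.value}"
        else:
            allowed, reason = True, "permitted"
        rec = ShareRecord(when, item_id, label, recipient, audience, purpose, allowed, reason)
        self.records.append(rec)
        return rec

    def history(self, item_id: str) -> List[ShareRecord]:
        return [r for r in self.records if r.item_id == item_id]


if __name__ == "__main__":
    # Constructed walk-through: one permitted share, one refused by the label, one refused for
    # lacking a purpose. "RPT-0001" is a placeholder report id.
    ledger = ShareLedger()
    ledger.share("RPT-0001", parse_tlp("TLP:AMBER"), "Example client", Audience.CLIENT,
                 "enable client to block attacker infrastructure")
    ledger.share("RPT-0001", parse_tlp("TLP:AMBER"), "Sector trust group", Audience.COMMUNITY,
                 "general awareness")
    ledger.share("RPT-0001", TLP.CLEAR, "Mailing list", Audience.PUBLIC, "   ")
    for rec in ledger.history("RPT-0001"):
        print(rec.when.isoformat(), rec.recipient, rec.allowed, rec.reason)
```

Keeping refused attempts in the ledger is deliberate: an audit of "what did we share with whom" is only useful if it also shows where the controls held. Vendor-agreement restrictions that go beyond the TLP label would be an additional check in `share`, not a loosening of the label mapping.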

What advice would you give to organizations looking to strengthen their cybercrime intelligence capabilities?

The key to a successful intelligence program lies in a deep understanding of your business. Intelligence practitioners should be empowered to engage with stakeholders across the organization, gaining insights into its operations and identifying the most significant risks. This knowledge allows for the establishment of a solid foundation through a requirements-driven program that defines relevance, sets priorities, and aligns efforts with what matters most.

Organizations should focus on building this foundation before investing in specific vendor feeds, threat intelligence platforms, additional technology, or even expanding personnel. Prioritize finding the right intelligence architect to design and guide your program, ensuring the cart doesn’t come before the horse. Failing to do so can lead to wasted resources, costly rebuilds, and, in the worst-case scenario, leadership becoming disillusioned with threat intelligence, ultimately missing out on its positive impact on the business. As previously mentioned, the GIR framework and the CTI-CMM are great starting points.


