Reducing Friction in Cyber Threat Intelligence: Views from a Director of Advanced Cyber Practices
Cyber threat intelligence (CTI) exists in a difficult space for many organizations. The field is large and can overlap with other teams, each organization is likely to have individual intelligence requirements, and there is not always a clear path forward for organizations following security incidents.
To share her insights, Casey Beaumont, Director of Advanced Cyber Practices, Marsh McLennan, joined Eli Woodward on the Future of Threat Intelligence podcast. In a wide-ranging discussion, they talked through eliminating resource allocation friction during incidents, handling vendor breaches, the importance of community, and more.
How to Reduce Friction With Unified Leadership
In times of crisis—such as during an active incident—organizations need to be able to act nimbly and cross-functionally. An investigation may require an all-hands mentality using analysts across teams, including penetration testers, incident responders, vulnerability managers, CTI analysts, and more. The last thing you want to worry about during an incident is the bureaucratic stumbling blocks of pulling employees or resources from another team onto an ongoing emergency.
Having a unified team greatly reduces friction, Beaumont says, noting that she oversees CTI, threat hunting, red team, and incident response teams. By consolidating these groups under unified leadership, questions of resource allocation during an incident are largely eliminated.
Unified management has the added advantage of reducing silos and increasing visibility across teams, allowing for focused work and less doubling up of specific activities—such as a CTI analyst and a vulnerability manager duplicating work on the same vulnerability investigation.
How to Carry out Vendor Breach Assessments
The risk of vendor breaches is often part of the cost of doing business. As such, Beaumont argues that a vendor having a breach should not in and of itself be a disqualifying event.
“If you asked a vendor every time they had a breach, you'd have no vendors left,” Beaumont told Eli, noting that a vendor who claims to have never had a breach may either have had no legal reason to disclose one or may simply be unaware of their own security environment.
So, instead of treating breaches as automatically disqualifying events, Beaumont suggests organizations ask vendors four main questions following a breach to get a better sense of their security practices:
- What control gaps led to the breach? This helps provide an understanding of what happened and how the event occurred.
- Did the attackers gain persistence? This provides details on whether the vendor is still compromised.
- Was any Marsh McLennan data exposed or exfiltrated during the course of the breach?
- What is the vendor doing about control gaps? This helps evaluate a vendor’s security mindset, their maturity, and how seriously they take rectifying security issues.
Why Community is Paramount in Cyber Threat Intelligence
Beaumont notes that Marsh McLennan is a large organization, so it has a certain amount of leverage when asking vendors these questions. Smaller organizations, such as a regional credit union, may not have as much capacity to ask questions of a vendor or get answers. In such cases, the value of joining information security groups is apparent.
A regional credit union on its own may not have much leverage to talk to a vendor. But if that credit union were part of FS-ISAC, it could get significant assistance and leverage in questioning the vendor about a security incident.
While true at an organizational level, the value of community is also apparent at the individual level in CTI. Beaumont shared a story about how her team was tipped off about Scattered Spider registering domains 20 minutes before the group started targeting colleagues’ personal cell phone numbers. This tip, which came from a personal connection, allowed Marsh McLennan to start taking proactive measures to mitigate the incident.
Much of a CTI analyst's work, Beaumont notes, goes beyond simple tooling. The difference between a good and a great analyst, she thinks, is how well an analyst can build knowledge-sharing networks and communities.
You can listen to the entire podcast at Apple podcasts, Spotify, YouTube, or on the Team Cymru website.