Time
4 hours 8 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

Module 3 examines an organizational approach to CTI that can be characterized as its "perceptions" of CTI. It comes down to how an organization decides to act in light of the risk intelligence that is collected and presented on its behalf. This is referred to as risk analysis and, at its core, is what keeps an organization healthy. Threats must first be defined and then examined both in isolation and paired with vulnerabilities. Some real threats may not be relevant to an organization, such as a virus targeting macOS in a Windows-only organization. There is both positive and negative risk. Positive risk is typically undertaken knowingly by an organization, such as buying a smaller competitor, where the potential for gain outweighs the potential for loss. Conversely, with negative risk such as a vulnerability, the risk is sometimes still worth accepting if the cost to mitigate it exceeds the value of the asset under threat. Risk can also be transferred via insurance or the outsourcing of security functions. CTI is an investment: it requires training and financial expenditure, along with a multitude of decisions, from how much to automate to whether an identified threat is actionable.
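As an added illustration (not part of the course material), the threat/vulnerability pairing, relevance check and response rules the description mentions can be laid out as a small risk register; the asset values, likelihoods and countermeasure costs below are constructed, and the rule thresholds are assumptions for the example.

```python
# Added example, not from the course: a minimal risk register that pairs threats
# with the assets they could reach, drops irrelevant pairs and recommends a response.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    platform: str
    value: float            # business/replacement value, constructed units

@dataclass
class Threat:
    name: str
    platform: str           # platform the threat can act against
    likelihood: float       # assumed annual probability, 0..1
    countermeasure_cost: float
    insurable: bool = False # True if the loss could be transferred (insurance/outsourcing)

def recommend(asset: Asset, threat: Threat, appetite: float) -> str:
    """Decide a response for one threat/asset pairing using the module's rules:
    no pathway into an existing asset -> not relevant;
    countermeasure costs more than the asset is worth -> accept;
    expected loss within the organisation's risk appetite -> accept;
    otherwise transfer when that option exists, else mitigate."""
    if asset.platform != threat.platform:
        return "not relevant"
    if threat.countermeasure_cost > asset.value:
        return "accept (countermeasure exceeds asset value)"
    expected_loss = asset.value * threat.likelihood   # simple annualised exposure
    if expected_loss <= appetite:
        return "accept (within risk appetite)"
    if threat.insurable:
        return "transfer"
    return "mitigate"

def build_register(assets, threats, appetite):
    """Every threat considered against every asset, as the pairing model requires."""
    return [(a.name, t.name, recommend(a, t, appetite)) for a in assets for t in threats]

if __name__ == "__main__":
    # Constructed sample inventory: a Windows-only shop, so the macOS threat is not relevant.
    assets = [Asset("finance-ws", "windows", 20000), Asset("file-srv", "windows", 500000)]
    threats = [Threat("macOS trojan", "macos", 0.4, 1000),
               Threat("Windows ransomware", "windows", 0.2, 5000, insurable=True),
               Threat("legacy SMB flaw", "windows", 0.05, 30000)]
    for row in build_register(assets, threats, appetite=2000):
        print(row)
```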

Video Transcription

00:04
Hello and welcome to the next module, Cyber Threat Intelligence Perceptions.
00:09
In this module, we're going to cover the different concepts of threat
00:13
and risk
00:14
what kind of analysis you might be interested in
00:18
and a little bit more about
00:20
indicators of compromise. The perception of cyber threat intelligence is important, right, because this
00:26
is how an organization or the organization's leadership
00:30
decides to
00:32
act when
00:34
threat information or risk information is made available.
00:37
Risk-based decision making is a large part of
00:42
keeping an organization healthy from a cyber security perspective.
00:48
So let's think here about defining threats to begin with.
00:52
You can say that it's an agent or entity that exploits a vulnerability. That's a pretty common definition.
00:59
we can also think about a threat really standing on its own,
01:03
because there may not always be an associated vulnerability.
01:07
That's why,
01:08
a good
01:11
risk analysis model
01:12
that's been used for quite a long time is the idea of a
01:18
threat and vulnerability pairing, or risk register.
01:22
And what this allows you to do is to consider threats and vulnerabilities in isolation as well as
01:27
in correlation.
01:30
For instance, you might discover that there's a threat
01:33
through some of your monitoring or through some of your threat feeds that come from vendors or from open-source
01:40
intel
01:42
providers.
01:42
And the threat may be serious,
01:46
but it may not be relevant.
01:48
A real simple example might be something like: you're looking at some of your favorite websites and you see, oh, there's a
01:53
major threat
01:56
to
01:57
macOS systems.
02:00
Your organization may not be using any apple products.
02:04
Maybe you're completely standardized on Microsoft
02:07
Windows.
02:09
In that case, the threat is still really important,
02:13
but it's probably not gonna be relevant to your organization because
02:16
there are no
02:17
pathways
02:20
into your,
02:22
existing assets
02:23
that would be vulnerable to this threat.
02:27
On the other hand, sometimes you might discover you have a vulnerability or some kind of weakness.
02:31
The
02:32
the idea there would be that you should also understand what is the associated threat that might take advantage of this weakness.
02:40
There may not always be a threat that's known at the time that the vulnerability is discovered. So
02:46
it's an important part of risk analysis, on an
02:50
ongoing basis,
02:51
to always think about threats and vulnerabilities being paired together.
02:54
We also need to think about what is a good definition of risk.
03:00
We know that there is positive risk and negative risk.
03:02
Sometimes people have a strange reaction when they see the term positive risk.
03:08
But what positive risk really means is that it's a risk worth taking.
03:14
A good example might be an organization that decides
03:16
that they'd like to buy one of their smaller competitors.
03:22
So the larger company
03:23
wants to get access to the smaller company's product or their technology or their
03:29
customer base, for instance.
03:31
And there is risk involved
03:34
because there's a financial outlay to buy that smaller company,
03:39
which means that money cannot be used for other purposes,
03:43
including maintaining or enhancing
03:46
a cyber security program.
03:50
So
03:51
Other risks, in this kind of scenario, might be that the smaller company
03:55
has some internal problems, maybe with management, or
04:00
maybe they haven't
04:01
properly vetted their employees. There might be some risks
04:04
associated with the personnel themselves.
04:09
Or maybe there are hidden problems with their technology and so on,
04:13
so those risks are all quite obvious.
04:15
But this could still be considered a positive risk because the larger company, when it successfully purchases the smaller company and they integrate with each other,
04:26
the larger company would be expected to make more profits and to grow their customer base, and so on.
04:31
There are other types of positive risk. That's an easy one to get your mind around.
04:36
Negative risk is a little bit more straightforward, right?
04:40
Negative risk
04:41
implies that taking this action, or even not taking some action,
04:46
is expected to have negative consequences. It's expected to reduce security, for instance, or cost more money.
04:53
There are different ways of looking at that.
04:56
Another way to
05:00
summarize the idea of risk is to think about
05:02
what can we gain or what can we lose by taking this action?
05:05
Or, conversely, what could we gain or lose by not taking an action?
05:11
Sometimes the risk response is to do nothing,
05:14
and that's appropriate in those situations where there may not be any
05:19
action that's affordable or realistic.
05:24
So it's good to have a multi-sided view of what risk really means,
05:30
to understand its different types and contexts.
05:33
We can also think about,
05:36
you know, the risk responses themselves.
05:40
Accepting risk, for instance,
05:42
means that
05:44
well, there are several scenarios where you might accept risk.
05:46
One might be that the cost of the remediation,
05:49
the cost of the countermeasure,
05:51
exceeds the value of the asset.
05:55
In that case, accepting risk is the usual response.
06:00
An organization can also accept risk
06:02
if there is no possible remediation.
06:05
The threat might exist. You know, to use an extreme example, let's say there's a threat of
06:12
a large meteor hitting your building, your physical infrastructure.
06:17
Sure, there is a threat that that could happen at some point. Meteors do hit
06:23
buildings occasionally,
06:26
but what is the possible remediation? Is it practical to bury your organization underneath
06:31
hundreds of yards of topsoil,
06:34
or rather hundreds of feet underground?
06:36
That may not be realistic, so in that case you accept the risk because
06:42
the threat is so highly
06:44
unlikely to happen
06:46
that it's probably better overall to just hope for the best and
06:49
accept that risk.
06:51
A third reason for accepting risk would be when the risk is measured and it's determined that it's within the acceptable
07:00
risk threshold.
07:01
Sometimes this is referred to as
07:03
a risk appetite,
07:05
because an organization can decide to engage in risky behavior,
07:11
positive risk, of course,
07:13
or even negative risk, as a matter of fact,
07:15
and the appetite for risk
07:16
is usually defined by your top level leadership.
07:19
Their philosophy of management, the governance model and so on
07:25
would indicate how large the risk appetite really is.
07:29
And for organizations that are run very conservatively, the risk appetite would be expected to be smaller.
07:35
That just makes sense.
07:36
So what are the other options for risk?
07:40
We could think about
07:42
ignoring a risk, which I've already touched on a little bit.
07:46
We could also think about
07:48
trying to transfer a risk.
07:50
And there are two ways to transfer risk.
07:54
The first one that's widely used is to buy insurance.
07:58
This is simple to understand: you buy comprehensive coverage for your automobile, you buy homeowners insurance, life insurance;
08:07
these are ways to transfer some risk to another party.
08:11
Another method for transferring risk or for sharing risk
08:13
is to outsource.
08:16
For instance, an organization might decide that they do not have the
08:20
expertise to handle certain types of cyber security operations like incident response,
08:26
or they don't have the expertise to do things like pen testing.
08:30
For instance,
08:31
they might hire a third party to do this for them,
08:35
thereby transferring some of the risk to the other organization.
08:39
Other things to think about would be trying to put cyber threat intelligence into the bigger picture.
08:46
What is its real purpose in your organization? And how should it be utilized
08:50
in order to get the most benefit from that investment?
08:54
Because, inevitably, setting up a cyber threat intelligence
08:58
function within your organization is going to cost money.
09:01
There'll be staffing to consider: hiring
09:05
people with the appropriate training and credentials and so on.
09:09
Sending people to training
09:11
is usually
09:13
something that would be considered because you may not
09:16
have the expertise at the level where it's required. Some people need
09:20
additional training to get up to the next higher level of
09:24
functionality.
09:26
In addition, there might be hardware and software required, additional services that the organization decides to engage in;
09:33
these all cost money,
09:33
and there's some risk associated with,
09:35
expanding the financial aspect of
09:39
a CTI program.
09:43
However, the benefits are pretty obvious. If you've got dedicated analysts that are actively monitoring security controls, actively performing monitoring of your systems and networks,
09:54
then they can look for threats on a more regular basis. Ideally, you want as much of this activity to be automated as possible, using, you know, SIEM devices, for instance, IDS/IPS that we talked about in an earlier module.
10:07
These are great solutions to take the burden off of humans
10:11
because humans are better at making decisions on
10:16
when you've got different kinds of information that need to be sort of considered and thought through.
10:22
What we're not so good at is doing repetitive,
10:28
tasks that require, you know, very
10:31
high levels of focus.
10:33
You could do that for a short period of time, but as we all know, it's very easy to get burned out
10:37
doing repetitive tasks that require intense concentration.
10:41
And it's too easy to start making mistakes. So we want to automate as much as possible.
10:45
So beyond the idea of identifying threats
10:48
and making their presence known to analysts and
10:54
your SOC or your NOC, for instance,
10:58
incident response must play a vital role here
11:01
because it's only going half the distance if you just
11:05
discover a threat and send out an alert.
11:07
Someone needs to look at that information and make a decision. Is this
11:11
a threat that's worth investigating further?
11:16
Is it relevant? Is it credible?
11:18
What should our incident response team do?
11:20
You don't want to invoke the incident response function more often than it's actually needed.
11:26
As I mentioned in an earlier discussion, there is that danger of being a little bit oversensitive to certain kinds of threats,
11:33
and crying wolf a little bit too often can have
11:37
negative consequences.
11:39
So there needs to be a balance
11:41
and some kind of determination to say, OK, we've got certain criteria that have been met.
11:46
Now this constitutes a threat where incident response functions must be invoked.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor