Implementing a Threat Intelligence Program

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

As part of its continued focus on cybersecurity, the Federal Financial Institutions
Examination Council’s (FFIEC) September 2016 Information Security
Handbook emphasizes the need for institutions to implement procedures for
obtaining, monitoring, assessing, and responding to evolving threat and vulnerability
information.

Institutions have typically implemented a number of preventative controls such as firewalls, intrusion prevention systems, and antivirus applications to protect their information systems. However, these systems are not always effectively managed and monitored. Even in cases where perimeter devices are well managed and monitored, it is not uncommon to see security weaknesses within the internal network such as missing patches, system misconfigurations, and default passwords. Advanced attacks may not be prevented by perimeter network controls alone and may only be identified through information obtained from external intelligence sources and by monitoring internal detection systems.

An advanced attack typically follows these general steps to achieve the attacker’s goal:

1. Active and passive reconnaissance is performed to learn about the target organization and to identify weaknesses.
2. Based on the identified weaknesses, the attacker obtains or develops malicious code and attempts to deliver this code to the organization through social engineering techniques, exploitation of vulnerable services or applications, or other means.
3. If the attacker is successful, malware and/or backdoors are then installed on the organization’s systems for the attacker to establish control.
4. If needed, privilege escalation is performed through exploiting vulnerable systems or misconfigurations.
5. The attacker performs the intended activities, such as data exfiltration from the organization’s information systems.

To comply with the FFIEC’s guidance, financial institutions must implement a Threat Intelligence Program that documents the following:ƒƒ

  • Employee Responsibilities. Employee responsibilities for monitoring, analysis, response, and reporting should be clearly defined to ensure accountability and appropriate approval for any recommended changes. In addition, the responsibilities for monitoring accounts with administrative capabilities should be documented to ensure independence.
  • Monitoring Threat Intelligence Sources. External threat intelligence sources may include the Financial Services Information Sharing and Analysis Center (FS-ISAC), hardware vendors, or software vendors. Internal sources may include intrusion prevention systems, intrusion detection systems, firewall logs, server event logs, antivirus alerts, or a Security Information and Event Management (SIEM) system. The process for monitoring internal systems begins with the development of a network activity baseline, or in other words, an understanding of the normal daily activity within the institution’s IT environment. Once the institution understands the baseline, monitoring systems can be implemented and tuned to provide alerts to activity that is outside of the baseline and requires additional analysis. A list of the intelligence sources that are monitored and the procedures for monitoring these sources should be documented. Monitoring procedures may indicate that emails are sent to specific employees when an alert is issued or they may indicate that an employee reviews a system management console on a daily basis. Monitoring procedures may also indicate the process for determining the applicability of an alert to the institution’s environment.
  • Analysis and Response. Analysis and response procedures should identify the steps to be taken to assess the risk of a specific threat, determine a mitigation strategy, and implement the mitigation strategy.
  • Reporting. Reporting procedures should identify the type and frequency of reports that will be provided to the board of directors to evaluate the effectiveness of the threat intelligence program. Reports may include a list of the threat notifications received, applicability to the financial institution, and management’s responses to the applicable threats.

Conclusion
By implementing a Threat Intelligence Program and actively monitoring evolving threats, institutions can prevent or limit a threat’s impact on the institution and its customers.

Young & Associates, Inc., has developed Threat Intelligence Program templates to assist with the implementation of a Threat Intelligence Program. For more information, click here.