• Goa 2022
  • CXO Synopsis

Unlocking Security Collaboration with Cyber Threat Intelligence

The panel drew an analogy with how children train while they are growing up and reinforce what they learn by passing it on. When implementing Cyber Threat Intelligence (CTI), it is important to spend time understanding how the indicators of compromise (IoCs) are identified by the existing systems and to try to build in some predictive intelligence with unique signature detection. As technology evolves, the complexity of dealing with attack vectors is going to increase exponentially, and companies using or planning to use CTI must remember that every intelligence mechanism comes with an expiry. The logical patterns that detect threats today may not remain the same tomorrow.

There is a pressing need, and a challenge, to constantly update the existing patterns in the intelligence systems. This requires collaboration outside the corporate network with academia, government institutions and the like; collaboration purely at a corporate level is not sufficient. In India, by culture, we prefer to be disciplined, and in most cases that discipline is enforced top-down, with the rules laid down from above. The banking sector has a nodal agency which can be trusted for the intelligence information that is being exchanged. But it becomes important to consider the rules both across sectors and specific to certain sectors, for example, the rules in the BFSI sector pertaining to financial relevance. Continuing with the same example, the information about different threats needs to expand across nodal agencies, thus disseminating the information to more than 1000 banks.

Likewise, each industry has specific ISAs (intelligence sharing agencies), and there is a need to spread awareness and involve organizations so that they contribute to these ISAs. A number of threats are financially motivated and may share similar tactics and behavior, but their indicators need not match: for example, the threat agents for a phishing attack may be similar but the IoCs may change. The technology spectrum has moved from a 0-1 decision-making model to enabling experts to make decisions about the gray area. This is possible because of the analytics ingrained into the CTI tools, which make predictive analytics possible. A pattern may not be rejected outright (based on 0-1 decision making) but rather be granted a conditional exception (gray-area decision making).

It is therefore important to eliminate or refresh the signatures captured in CTI tools, continuously upgrading the analytical capabilities of the tool to capture common behavioural traces. Some of the key questions for the panel revolved around the careful selection of parameters to enable actionable intelligence.

The panel concluded with a call to action to identify common ground for continuously disseminating information about the evolving CTI parameters and patterns, to ensure interoperability between industries.


Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved