Building a proactive cybersecurity program
Credit union leaders understand that the better they know members and their behavior, the better the credit union can provide products and services that meet members’ needs. If CUs understand members well enough, they can even anticipate future needs. Within the realm of cybersecurity, this same wisdom holds. The better we understand the tactics, techniques and procedures used by the bad guys, the better we can proactively defend against them. One aspect of building this proactive defense involves the use of cyberthreat intelligence.
Defining Cyberthreat Intelligence
Cyberthreat intelligence is “actionable knowledge about cyber adversaries gained through careful review and analysis of threat data and behaviors, allowing the organization to better recognize and remediate cyber-related risks.” While a bit of a mouthful and somewhat “geek-speak,” the concept of cyberthreat intelligence is comparable to how credit unions use MCIF packages to turn reams of member data into actionable information (intelligence) for marketing campaigns.
From governance (the board of directors) and management perspectives, it is important to understand the difference between threat “data” and threat “intelligence”—particularly when looking to partner with a vendor.
Threat data is the raw material: all the little bits and pieces of “stuff” (date, time, source address, destination address, port, protocol, language, etc.) found in log files, programs and other data sources. On its own, a log line says only that something happened. Threat intelligence takes that data, analyzes it in context (Is this address known to be hostile? Which of our systems talked to it? Was the connection allowed?) and creates a narrative that can be used to generate informed action plans.
A robust CTI program uses data collected both internally and externally. Commonly used internal sources include log files from servers, routers and firewalls; server scans; network traffic analysis; and alerts generated by intrusion detection/prevention systems. Help desk, configuration/change management and asset tracking/management systems are also good data sources, because they tell you which systems exist, what changed and when.
External sources come in many categories and types. Some are free. Some require a paid membership or subscription. Some are broad and cover many different industries. Some are narrow and focus on a specific industry or trade. Examples of external sources include:
- credit union industry and trade groups (e.g., CUES, CUNA, NAFCU)
- information sharing analysis centers (e.g., FS-ISAC, IT-ISAC)
- computer emergency response teams (e.g., CERT, US-CERT, Can-CERT)
- government agencies and organizations (e.g., FFIEC, NCUA, DHS, Infragard)
- computer security organizations/companies (e.g., SANS, Microsoft, AV vendors, firewall vendors)
- cyberthreat intelligence vendors (e.g., Recorded Future, CrowdStrike, iSIGHT)
- computer and security news organizations and bloggers
All the above—through newsletters, blogs, newsfeeds, and websites—can provide data on cybersecurity threats.
Perhaps more important than the data are the technical and operational staff who understand credit union information systems and operational processes and know when these systems and processes aren’t behaving as they should.
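As an added example (not from the article or from KGS Consulting) of the data-versus-intelligence distinction above, the Python script below takes a few constructed firewall log lines standing in for internal data and a constructed indicator list standing in for an external feed, drops indicators that are no longer current, correlates the two and writes a one-sentence summary per hit with a recommended action. The log format, the addresses, the feed fields and the 90-day currency window are all assumptions made for illustration; a SIEM or CTI platform does this at scale, but the steps are the same.

```python
"""
Turn raw threat data into a short intelligence summary.

Added example: matches constructed firewall log lines (internal data)
against a constructed indicator list (external data), drops indicators
that fail a simple currency check, and produces a ranked summary with
a recommended action. All hosts, addresses, feed names and dates are
made up; the key=value log format is an assumption.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed internal data: firewall lines in an assumed key=value format.
FIREWALL_LOG = """\
2024-03-04 09:12:01 src=10.20.30.15 dst=198.51.100.23 dport=443 proto=tcp action=allow
2024-03-04 09:12:09 src=10.20.30.15 dst=198.51.100.23 dport=443 proto=tcp action=allow
2024-03-04 09:14:44 src=10.20.30.71 dst=203.0.113.9 dport=25 proto=tcp action=deny
2024-03-04 10:01:17 src=10.20.31.8 dst=192.0.2.77 dport=8080 proto=tcp action=allow
2024-03-04 10:05:02 src=10.20.30.15 dst=198.51.100.23 dport=443 proto=tcp action=allow
2024-03-04 11:30:45 src=10.20.30.40 dst=93.184.216.34 dport=443 proto=tcp action=allow
"""

# Constructed external data: the fields an indicator feed might deliver.
INDICATORS = [
    {"ip": "198.51.100.23", "tag": "banking-trojan C2", "last_seen": "2024-03-01", "source": "FeedA"},
    {"ip": "203.0.113.9",   "tag": "spam relay",        "last_seen": "2024-02-28", "source": "FeedB"},
    {"ip": "192.0.2.77",    "tag": "phishing kit host", "last_seen": "2023-09-15", "source": "FeedA"},
]

MAX_AGE_DAYS = 90                 # assumed currency window for indicators
REPORT_DATE = date(2024, 3, 4)    # "today" for the constructed data


def parse_log(text):
    """Parse key=value firewall lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        fields["ts"] = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append(fields)
    return events


def current_indicators(indicators, today, max_age_days=MAX_AGE_DAYS):
    """Keep only indicators seen within max_age_days.

    An address last reported months ago may have been cleaned up or
    reassigned; matching it produces noise, not intelligence.
    """
    cutoff = today - timedelta(days=max_age_days)
    return {i["ip"]: i for i in indicators
            if date.fromisoformat(i["last_seen"]) >= cutoff}


def correlate(events, indicators):
    """Group every event whose destination is a current indicator."""
    hits = defaultdict(lambda: {"count": 0, "allowed": 0, "hosts": set(),
                                "first": None, "last": None})
    for ev in events:
        if ev["dst"] not in indicators:
            continue
        h = hits[ev["dst"]]
        h["count"] += 1
        if ev["action"] == "allow":
            h["allowed"] += 1
        h["hosts"].add(ev["src"])
        h["first"] = ev["ts"] if h["first"] is None else min(h["first"], ev["ts"])
        h["last"] = ev["ts"] if h["last"] is None else max(h["last"], ev["ts"])
    return dict(hits)


def summarize(hits, indicators):
    """One sentence per matched indicator, most urgent first.

    Allowed connections to a hostile address outrank denied attempts,
    because they mean an internal host actually reached it.
    """
    lines = []
    ordered = sorted(hits.items(), key=lambda kv: (-kv[1]["allowed"], -kv[1]["count"]))
    for ip, h in ordered:
        ind = indicators[ip]
        hosts = ", ".join(sorted(h["hosts"]))
        if h["allowed"]:
            action = "isolate the internal host(s) and open an incident"
        else:
            action = "confirm the block holds and watch for retries"
        lines.append(
            f"{ind['tag']} ({ip}, {ind['source']}, last seen {ind['last_seen']}): "
            f"{h['count']} connection(s) from {hosts} between "
            f"{h['first']:%H:%M} and {h['last']:%H:%M}, {h['allowed']} allowed; "
            f"recommended action: {action}."
        )
    return lines


def build_report(log_text=FIREWALL_LOG, indicators=INDICATORS, today=REPORT_DATE):
    """Data in, narrative out: parse, filter stale indicators, correlate, summarize."""
    live = current_indicators(indicators, today)
    return summarize(correlate(parse_log(log_text), live), live)


if __name__ == "__main__":
    for line in build_report():
        print(line)
```

Run as-is, the script reports the three allowed connections to the banking-trojan address first and the single denied connection to the spam relay second; the phishing-kit indicator is silently dropped because its last-seen date is older than the 90-day window. That filtering step is where the data-quality standards a program sets (current, relevant, reputable) turn into something an analyst can enforce rather than just a policy statement.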
Creating a CTI Program
Now that we’ve defined cyberthreat intelligence, how can your credit union develop and establish a CTI program?
The first step involves determining how a CTI program fits into the credit union’s information/cyber security strategy. Implementing and maintaining a CTI program should be viewed through a long-term, strategic lens. This means thinking through and developing multi-year plans for budgeting, personnel and other resources.
Once a strategy has been developed, the credit union can work on program governance and management framework items (i.e., policies, standards and procedures). In this area, it is key to set standards for data/information quality. “Good” data should be accurate, objective, believable, relevant, complete, current, concise, reputable and consistent.
Your next steps depend on the resources you have available. If, at this time, your credit union has limited resources, you can do a number of things to put yourself in a solid position to move forward when additional resources become available.
- Confirm you have a working computer/network asset management system. (Do we know what devices we have? What about when new ones are added or old ones removed?)
- Review your change/configuration management program for efficiency and effectiveness. (Are appropriate updates and patches tested and applied in a timely manner?)
- Ensure network, process and data-flow diagrams are correct and current. (Do we know how our network is configured and how data moves through it?)
- Verify you have a good working system for security information and event management (SIEM). (Do we have a system collecting and correlating log files from our various computer systems and network devices, and does someone actually review what it produces?)
- Use completed business impact analysis and risk assessments to understand what critical systems need attention. (What are our critical servers and devices? Where is sensitive or confidential information stored?)
- Determine two or three reliable, reputable, appropriate external threat information sources to use for gathering threat information. (Look for reputable sources with a background in financial services threats. Limit the number of sources to avoid information overload.)
Effective implementation of a CTI program assists a credit union in moving from a reactive mode to a more proactive position in mitigating cybersecurity risks and threats. And while it may seem a daunting task, careful planning and preparation can help a credit union move from a simple system for monitoring threats to a comprehensive, mature, analytical, threat intelligence program.
Jim Benlein, CISA, CISM, CRISC, owns KGS Consulting, LLC, Silverdale, Wash., and offers insights to credit unions on information technology governance, information security and technology risk management.