
The New ISO27002 Controls – A.5.7 Threat Intelligence

Posted on June 21st, 2024 | Written by Ken Holmes.

The current version of the ISO27002 information security controls standard was published in February 2022 and was incorporated into the ISO27001 requirements standard in October 2022 as a replacement Annex A. The updated set contains eleven controls that did not appear in the previous edition, and here we're examining one of them: threat intelligence, which is control 5.7 under Organizational Controls.


What is threat intelligence?

Basically this is about understanding more about the people and groups out there who might wish your organisation harm, and the ways in which they might achieve it. You can see how this would be useful, both in assessing risk and in making sure that controls are as effective as they can be. Threat intelligence is often approached at three levels: strategic, tactical and operational, which are also the three layers that the guidance text of ISO27002 itself describes for this control.

Strategic threat intelligence

An understanding of the general direction of travel of threats can help in deciding how the organisation needs to change in order to stay as safe as possible over the longer term. So trends in how threats are evolving year on year can be helpful: is the threat from nation states such as North Korea or Iran growing or declining; are ransomware attacks increasing in number, becoming more sophisticated (for example through the use of AI), or both? The best sources of information at this level are often annual reports issued by government agencies such as the UK National Cyber Security Centre or the EU's ENISA, and commercial vendors with a good reputation in the cybersecurity marketplace, such as Mandiant, Sophos or Crowdstrike.

Tactical threat intelligence

At the next level down we're concerned with specific attackers or types of attackers and the tactics, techniques and procedures (TTPs) that they are currently using to gain access to systems or otherwise pose a threat to our organisation. Whilst we may not be dealing with a current attack, we need to know who is active, what their current methods of ingress are, and what kind of organisation is their victim of choice at the moment. Knowing this allows us to address any shortcomings in our defences before they are exploited, such as patching the systems and software that these attackers are known to use as a way in.

Operational threat intelligence

At the lowest level we may be dealing with information about attacks that are ongoing, with victim organisations (or those investigating on their behalf) providing details of what to look for to determine whether you too have been compromised. These are termed "indicators of compromise" and typically consist of items such as attacker IP addresses, domain names and file hashes that can be checked against your own logs. Of course, our organisation itself may be the latest victim, in which case threat intelligence will work hand in hand with incident management to find out anything that will be of help in dealing with the incident.

Sources of information

In order to satisfy the needs at each level, information may be gained from many different sources. At the strategic level it is often annual "state of the nation" reports and presentations at conferences that provide the general lowdown on what is happening out there in cyberspace. As we become more specific, feeds such as blogs and newsletters are a good source of timely information, and at the operational end of the spectrum, membership of information sharing partnerships and urgent alerts put out by agencies are a help, as well as information from your own systems such as security information and event management (SIEM). Sharing of information is generally seen to be a good thing, so it's important to play your part in spreading the word when you become aware of an active threat.
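To make the operational end of this concrete, here is an added example (it is not part of the original post and not code from any CertiKit toolkit) of the simplest useful thing you can do with an indicator list: check it against your own logs, which is what a SIEM match rule does. The indicator values, their source names, the log lines and the file hash are all constructed for the example (the addresses are RFC 5737 documentation ranges); the domain check also walks up the parent domains so that an indicator for update-check.example.net still matches a host such as cdn.update-check.example.net, a common way to miss a hit if you only compare strings exactly.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed indicator set in the shape a sharing partner or agency alert
# might supply. Every value here is fictional; the hash is simply the
# SHA-256 of a fixed string so the example stays self-contained.
CONSTRUCTED_HASH = hashlib.sha256(b"constructed sample").hexdigest()
SAMPLE_IOCS = [
    {"type": "ipv4", "value": "198.51.100.23", "source": "partner-alert-2024-06"},
    {"type": "domain", "value": "update-check.example.net", "source": "partner-alert-2024-06"},
    {"type": "sha256", "value": CONSTRUCTED_HASH, "source": "vendor-blog"},
]

# Constructed log lines in the style of a web proxy log and an EDR file event.
SAMPLE_LOGS = [
    "2024-06-20T10:02:11Z proxy src=10.0.4.7 dst=203.0.113.9 host=www.example.com status=200",
    "2024-06-20T10:05:43Z proxy src=10.0.4.7 dst=198.51.100.23 host=update-check.example.net status=200",
    "2024-06-20T10:06:01Z edr host=ws-0142 event=file_create sha256=" + CONSTRUCTED_HASH,
    "2024-06-20T10:07:15Z proxy src=10.0.5.2 dst=192.0.2.44 host=cdn.example.org status=304",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Match:
    line_no: int
    ioc_type: str
    value: str      # the indicator as published, not the raw token from the log
    source: str     # which feed or alert the indicator came from (audit evidence)


def build_index(iocs):
    """Map (type, normalised value) to the indicator record for O(1) lookup."""
    return {(ioc["type"], ioc["value"].lower()): ioc for ioc in iocs}


def candidates(line):
    """Yield (type, value) tokens from one log line that are worth checking."""
    for ip in IPV4_RE.findall(line):
        yield "ipv4", ip
    for digest in SHA256_RE.findall(line):
        yield "sha256", digest.lower()
    for domain in DOMAIN_RE.findall(line):
        yield "domain", domain.lower()


def match_domain(index, domain):
    """Exact match first, then each parent domain (never the bare TLD)."""
    parts = domain.split(".")
    for i in range(len(parts) - 1):
        hit = index.get(("domain", ".".join(parts[i:])))
        if hit:
            return hit
    return None


def scan(log_lines, iocs):
    """Return every indicator hit in the given log lines, ordered by line."""
    index = build_index(iocs)
    matches = set()
    for line_no, line in enumerate(log_lines, start=1):
        for kind, value in candidates(line):
            hit = match_domain(index, value) if kind == "domain" else index.get((kind, value))
            if hit:
                matches.add(Match(line_no, hit["type"], hit["value"], hit["source"]))
    return sorted(matches, key=lambda m: (m.line_no, m.ioc_type))


def summarise(matches):
    """Count hits per indicator source: shows which feeds actually earned their keep."""
    counts = {}
    for m in matches:
        counts[m.source] = counts.get(m.source, 0) + 1
    return counts


def scan_samples():
    return scan(SAMPLE_LOGS, SAMPLE_IOCS)


if __name__ == "__main__":
    hits = scan_samples()
    for m in hits:
        print(f"line {m.line_no}: {m.ioc_type} {m.value} (from {m.source})")
    print("hits per source:", summarise(hits))
```

Run as-is it reports two hits on the second log line (the address and the domain, both from the constructed partner alert) and one on the EDR event (the hash from the constructed vendor blog). The per-source count is worth keeping: it is exactly the kind of internally produced evidence, showing intelligence being collected, analysed and acted upon, that an auditor will ask for under this control.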

Satisfying the ISO27001 requirement

In basic terms, the control in ISO27002 requires simply that “information relating to information security threats should be collected and analysed to produce threat intelligence”. But what would this look like in real terms, and what would an auditor expect to see?

Well, our first suggestion is that you should have a policy that sets out your general approach to threat intelligence, probably along the lines of the strategic/tactical/operational layer model. Following that up with a process document that explains how threat intelligence is planned, collected, analysed and communicated would be a good idea, possibly supported by more specific procedures in key areas. An auditor will want to see evidence of the production of threat intelligence, so a collection of relevant reports (both external and internally-produced ones) will be useful, along with examples of how the intelligence has been used to identify actions such as strengthening controls, applying patches and enhancing user awareness.

There’s a strong connection here with risk assessment and treatment and continual improvement, to name but two areas of the management system, so being able to show those links would be beneficial at audit time.

In summary

This control is very likely to be applicable to your organisation (as listed in your statement of applicability) and it needn’t be a difficult control to implement. Having a basic method of collecting information on threats and turning it into a set of actions that you can take to reduce risk should meet the need. Threat intelligence is a fascinating topic so you may find yourself wanting to learn more about what’s going on out there.

As they say, knowledge is power!

Written by

Ken Holmes


Managing Director

CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).

