How the Cybersecurity Workforce is Forecasting Future Cyber Threats

Perhaps the most infamous cyberattack in recent memory was the 2017 Equifax data breach, which exposed 147.9 million customers' financial data — and it was largely preventable. In the aftermath of the breach, Equifax was found responsible for multiple cybersecurity and response failures, including failure to patch a known application vulnerability, inadequately segmenting their systems and thus allowing the attackers to move laterally once they were inside, and failing to respond promptly to the breach. The vulnerability was finally caught and patched on July 29, 2017, but Equifax estimated that the breach had started months earlier.

In short, Equifax was unprepared, and their failure to anticipate and plan for an attack compromised an unthinkable amount of sensitive financial information. It's a sobering object lesson: effective cybersecurity needs to be proactive and nimble to keep data safe. The cybersecurity workforce needs to anticipate and mitigate future as well as current cyber threats.

This underscores the value of a branch of cybersecurity devoted to forecasting and preparedness: cyber intelligence.

In the world of security, there are three types of threats: known knowns, known unknowns, and unknown unknowns. That is, there are threats we're fully aware of, threats that we can't precisely anticipate but know are out there, and threats that we don't even know exist.

Cyber intelligence is all about illuminating those unknown unknowns and making them known. The goal of cyber intelligence efforts is to identify and mitigate harmful events in cyberspace.

At the most fundamental level, cyber intelligence helps organizations be proactive rather than reactive in dealing with cyber threats. The gold standard in cybersecurity is to anticipate threats and have protective measures already in place when they occur. Moreover, good cyber intelligence informs better, faster decision-making during and after an intrusion, allowing organizations to efficiently detect and respond to cyber threats and mitigate damage.

It's clear that the cybersecurity workforce needs to make anticipating future cyber threats a high priority. This is done by gathering three main types of cyber threat intelligence:

Tactical Intelligence: The "What"

At the tactical level, cyber intelligence is highly technical, including IP addresses, domains, file names, hashes, and other specific pieces of information that may indicate a system has been compromised.

Tactical intelligence is used to identify specific, immediate threats and respond to them in the short term. This type of intelligence is almost always gathered using automated tools, since it is both relatively simple to collect and has a very short shelf life — malicious IPs and domain names may become obsolete in a matter of days or even hours.

Operational Intelligence: The "Who"

Operational cyber intelligence focuses on the human actors behind cyber threats, including their goals, capabilities, and motivations. At the operational level, cyber intelligence seeks to understand the tactics, techniques, and procedures (TTPs) that dangerous actors use to compromise systems.

While machines can collect some of the data needed for operational threat intelligence, human analysis is absolutely needed to identify the "who" and "why" of an attack. As compared to tactical intelligence, operational intelligence is both more difficult to gather and longer-lasting, since cyber attackers cannot change their TTPs as quickly as they can change a domain or IP address.

Strategic Intelligence: The "How"

The strategic layer of cyber intelligence focuses on the big-picture, overarching risks that come from cyber threats and informs how organizations can plan their overall cybersecurity strategy.

Strategic intelligence goes beyond cyberspace to understand the broader context of a cyberattack. At the national level, for example, cybersecurity insights have to be combined with geopolitical knowledge to understand cyber threats. Likewise, at the business or organizational level, the broader market conditions must be considered. When properly understood, strategic intelligence allows organizations to plan their overall approach, anticipate future threats well in advance, and respond to those changing threats in real-time.

So how, how do cybersecurity professionals go about collecting this intelligence?

Gathering Raw Intelligence

Given that cybersecurity is all about protecting digital data, it's fitting that anticipating a cyber threat starts with data collection. Methods of gathering relevant data may include:

• Reviewing website traffic logs for access patterns from compromised systems.
• Gathering open-source intelligence, often using automated tools.
• Searching social media for red flags.
• Collecting information from relevant forums, which may include anything up to and including terrorist plots.
• Seeking insights from subject matter experts.
• Drawing information from the deep or dark web.

As with any raw data, this information needs to be processed and put into a usable format before security insights can be gathered. This can be a time-consuming process that includes everything from data entry to decryption to even translation of foreign-language data. In addition, cybersecurity workers need to evaluate the data they gather for relevance and reliability.

Analysis and Dissemination

Once relevant data has been gathered and processed, it needs to be analyzed to find answers to cybersecurity questions. Depending on the situation, some of the questions a cyber intelligence team may seek to answer include:

• Tactical: When do we expect the next attack, and where will it come from? What specific actions should we take to stop it?
• Operational: Who are the attackers and what are their motivations? What tools are they using?
• Strategic: What's the broader context of this attack? What are the key systemic vulnerabilities we need to shore up to prevent future attacks?

Again, machines can do much of the data collection and analysis "heavy lifting," but creating nuanced answers to these questions, especially at the operational and strategic level, requires human analysis.

Moreover, cybersecurity professionals need to communicate their strategic insights and recommendations to stakeholders to actually implement countermeasures. Cybersecurity isn't just something the IT team can do; preventing cyberattacks, communication fraud such as phishing, and other breaches requires organization-wide strategy informed by cyber intelligence.

Ongoing Feedback and Adjustments

Cyber threats don't exist in a vacuum, and neither can cyber intelligence. In order to continue to anticipate future cyber threats and respond to them effectively, cybersecurity professionals must constantly review the outcomes of their previous forecasts, make adjustments to their data collection and analysis methods, and refine their countermeasures as they anticipate the next threat. It's a fast-paced, constantly changing field driven by creativity, strategic thinking, and results.

How Do You Learn to Forecast Cyber Threats?

It's easy to think of security as a purely reactive concept, but the gold standard of cybersecurity lies in proactively forecasting and anticipating future cyber threats. In order to do that, you need to learn from the cutting edge of the cybersecurity field, with insights from the best practices of federal agencies and multi-national corporations. Get started with the online Bachelor of Science in Cybersecurity program or online online Master's in Cybersecurity program at Utica College.