Leveraging Threat Intelligence for Regulatory Compliance - Image by Tumisu from PixabayThe US Government recently announced that the state-sponsored Chinese cyber group Volt Typhoon has compromised multiple critical infrastructure organisations’ IT networks in the US. In addition, it is preparing “disruptive or destructive cyber attacks” against communications, energy, transport, water and wastewater systems. National cybersecurity agencies in Australia, Canada, UK, and New Zealand supported the announcement.

It is a sobering reminder that modern life relies on digital networks. From healthcare, banking, and socialising to energy, water, local and national government – everything has a digital aspect. But while digitisation has delivered great leaps forward in convenience, speed, and efficiency, it has also introduced risk. Malicious forces wanting to disrupt economies, governments, and people know that targeting digital networks is the quickest route to maximum cross-border disruption.

As a result, the collective improvement of cybersecurity is a high international priority. There’s a wealth of EU legislation in the pipeline designed to tackle cybersecurity risk in critical sectors.

The NIS Directive covers a wide range of critical industries such as energy, communications, water, banking, health, and transport. Crucially, the directive applies to their supply chains, too. We believe threat intelligence will play a central role in organisations’ efforts to comply with these regulations. This is especially the case with the NIS2 Directive, which has risk visibility, information-sharing, and collaboration at its heart.

The role of threat intelligence

As every CISO knows, cybersecurity is a multi-aspect, multidisciplinary activity and you’ll never succeed in entirely preventing attacks and breaches. What you can do — and what the regulations require — is to implement programmes to manage and minimise risk and demonstrate that they are effective. Failure to do this has direct implications for senior leaders. Under NIS2, members of management bodies may now be found personally liable for failing to establish and oversee effective cybersecurity risk management programmes.

Getting the assurance required to sign off on the effectiveness of programmes requires a solid understanding of where that risk is coming from, which is where threat intelligence comes into its own.

Threat intelligence can be collected from a diverse range of sources. These can include official bulletins from government agencies – like the recent US announcement – private-sector threat feeds, intelligence-sharing communities and open source information, as well as from monitoring and analysis of dark web communications. There is a huge amount of data available, and, as with all large datasets, the key is analysing it effectively in the context of your organisation so you can gain a picture of the threats in your environment.

Just knowing about the threats isn’t enough because there’s a difference between the existence of a threat, the risk of it happening, and the severity of the consequences for your organisation and its stakeholders. Here, a threat intelligence platform helps organisations correlate threat data within the context of the business, prioritising the threats with the high likelihood and severity. This allows you to show that you understand risk, and you can establish a prioritised remediation programme to minimise the risk of threats becoming a reality.

Accelerating incident response

NIS2 is not just about controlling attack risk. It’s also focused on improving the quality of response to incidents when they occur. Previously, EU authorities noted a lack of consistency in the speed and detail of major incident reporting. The new directive, therefore, tightens up both the time frame and level of information that organisations must provide.

Significant incidents must be reported to authorities within 24 hours with an early warning.  The report must include:

  • A description of the incident
  • Whether the organisation believes it was caused by unlawful or malicious activity
  • Whether the incident could cause a cross-border impact.

Within 72 hours, the organisation must provide an update providing information about its severity and impact, plus relevant indicators of compromise. One month after the initial notification, a full report must be provided.

Threat Intelligence Platforms and/or Security Orchestration Automation and Response Platforms can provide the foundations of effective reporting. They gather real-time intelligence when an incident occurs, initiating an automated incident response plan, including notifying the relevant authorities. It will power investigation and evidence collection so the reports contain all the documentation needed.

Collaboration and cooperation across nations and supply chains

Another issue that NIS2 seeks to address is the lack of cybersecurity information-sharing that has obstructed efforts at cross-border risk management and incident response in the past. The directive will establish an international cooperation group, a network of national CSIRTs, and the EU-CyCLONe cross-border incident management and response network. It also creates a system of coordinated vulnerability disclosures and a European vulnerability database that ENISA will manage.

Threat intelligence sharing will form a key aspect of the success of these initiatives. A threat intelligence platform and participation in industry-specific threat intelligence communities can help organisations stay informed, share best practices, and embrace the ethos of the directive. The platform can also contribute proactively to the rising tide of cybersecurity performance that it seeks to deliver.

Proactive information-sharing will also be crucial to gaining visibility over threats in the organisation’s supply chain. This is a central tenet of NIS2, with in-scope companies required to take a risk management approach to monitor cybersecurity standards in supplier organisations. By fostering a collaborative approach to cyber risk and sharing threat intelligence with suppliers, companies can build a culture of cybersecurity collaboration that will benefit all parties.

Compliance with regulations such as NIS2 will rest on the ability to demonstrate a clear understanding of risk and a robust incident response and reporting framework. Collecting, analysing, and sharing threat intelligence should be a priority for in-scope organisations as they build their compliance capabilities.

ThreatQThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations through a threat-centric platform. By integrating an organisation’s existing processes and technologies into a single security architecture, ThreatQuotient accelerates and simplifies investigations and collaboration within and across teams and tools. Through automation, prioritisation and visualisation, ThreatQuotient’s solutions reduce noise and highlight top priority threats to provide greater focus and decision support for limited resources.


Please enter your comment!
Please enter your name here