An Insight into ISO27002:2022 Control 5.7: Threat Intelligence

ISO27002:2022 Control 5.7: Threat Intelligence

(By Tien Duong – Principal Consultant, ISO27001:2022 Lead Auditor, PMP®, ITIL4 Managing Professional)

The 2022 update of ISO27002 changes the previous 2013 version not only in the structure of the controls but also by introducing 11 new controls:

Control Identifier   Control Name
5.7                  Threat intelligence
5.23                 Information security for use of cloud services
5.30                 ICT readiness for business continuity
7.4                  Physical security monitoring
8.9                  Configuration management
8.10                 Information deletion
8.11                 Data masking
8.12                 Data leakage prevention
8.16                 Monitoring activities
8.23                 Web filtering
8.28                 Secure coding

For most experienced operations and IT managers, these controls are not really new. Apart from 5.7, 5.23 and 5.30, the rest have already been implemented to some degree wherever operations required them. For small and very small organisations, however, those three controls (5.7, 5.23 and 5.30) are quite challenging to implement to the level that ISO27002:2022 expects.

This blog post discusses the Threat Intelligence control (5.7). Upcoming posts will discuss the other two controls in turn.

Threat Intelligence – What is it?

First, what is the meaning of ‘threat intelligence’?

Per the Oxford dictionary, 'intelligence' has two meanings:

  1. Ability to acquire and apply knowledge and skills.
  2. The collection of information of military or political value.

From those meanings, we get a sense that threat intelligence involves the following activities:

  • Collecting information about threats. Much of this information takes the form of indicators of compromise (IOCs).
  • Analysing the collected information (the IOCs) to determine meaningful ways to respond to the threats.

Note that 'respond to threats' here covers any action taken to achieve the following effects: prevention, detection, and resolution of the impact caused by the threats.

A central concept in threat intelligence is the IOC (Indicator of Compromise): a set of observable pieces of information (artefacts) that indicate a system has been, or is being, attacked by a particular threat.

Below is an example of the IOCs of a piece of malware that begins its attack when a user mistakenly installs a file named Update.exe.

The IOC set for this malware comprises the following pieces of data:

  • The file name of the malware.
  • A file hash, used as a signature to detect the malware.
  • The IP address from which the malware fetches its payload to start the attack.
  • The email address to which the malware exfiltrates the victim's confidential data.

Note that these indicators are not equally durable: an attacker can rename a file trivially, and a hash changes with every rebuild or repack of the malware, whereas the payload server and the exfiltration mailbox are costlier to replace. In practice the infrastructure indicators are the more reliable ones to act on, and a file name on its own should be treated as context rather than as grounds for blocking.

A threat intelligence platform (TIP) maintains a database of IOC records and provides a mechanism for sharing them. For instance, a firewall or security gateway can regularly query a TIP to update its IP blocklists, its list of malicious email domains, and so on.
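As an added example (not code from the original post, nor from the MISP project), the following Python script shows how the IOC set above would be consumed from a TIP export and matched against logs, and how the actionable destination IPs would be handed to a firewall as a blocklist. The export layout mirrors MISP's JSON event format (an Event with a list of Attributes carrying type, value and a to_ids flag) but is an assumption; the record itself, the hash, the IP address, the mailbox and the log lines are all constructed for illustration, and the mapping of log fields to IOC types assumes a simple key=value log schema.

```python
"""Consume a TIP (MISP-style) IOC export and match it against host and
network logs. Added example, not code from the original post or from MISP.
Every value below is constructed; the JSON layout follows MISP's event
export (Event -> Attribute[type, value, to_ids]) as an assumption."""
import ipaddress
import json
import re

# Constructed export for the "Update.exe" malware described in the text.
# 203.0.113.0/24 is a documentation network; the hash and mailbox are fake.
IOC_EXPORT = json.dumps({
    "Event": {
        "info": "Update.exe dropper (constructed example)",
        "Attribute": [
            # to_ids=False: a file name is context only, never a block rule
            {"type": "filename", "value": "Update.exe", "to_ids": False},
            {"type": "sha256", "value": "DEADBEEF" * 8, "to_ids": True},
            {"type": "ip-dst", "value": "203.0.113.77", "to_ids": True},
            {"type": "email-dst", "value": "Drop@Exfil.example", "to_ids": True},
        ],
    }
})

# Constructed log lines in key=value form: proxy, EDR and mail gateway.
LOG_LINES = [
    "proxy ts=2024-05-01T10:00:01Z src=10.0.0.15 dst=203.0.113.77 dport=443 action=allow",
    "proxy ts=2024-05-01T10:00:02Z src=10.0.0.16 dst=198.51.100.9 dport=443 action=allow",
    "edr ts=2024-05-01T10:00:03Z host=ws-015 event=file_create "
    "path=C:\\Users\\a\\Downloads\\Update.exe sha256=" + "deadbeef" * 8,
    'mail ts=2024-05-01T10:00:04Z from=alice@corp.example to=drop@exfil.example subject="quarterly report"',
    # Same file name as the malware but a different hash: must NOT alert.
    "edr ts=2024-05-01T10:00:05Z host=ws-020 event=file_create "
    "path=C:\\Windows\\System32\\Update.exe sha256=" + "cafebabe" * 8,
]

# Which log field is compared against which IOC type (assumed log schema).
FIELD_TO_IOC = {"dst": "ip-dst", "sha256": "sha256", "to": "email-dst", "path": "filename"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def normalise(ioc_type, value):
    """Canonical form so that case or notation differences do not hide a match.
    Returns None for a value that is not a valid instance of the type."""
    value = value.strip()
    if ioc_type.startswith("ip-"):
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None  # e.g. a hostname in the dst field
    if ioc_type == "filename":
        return value.replace("\\", "/").rsplit("/", 1)[-1]  # basename only
    return value.lower()  # hashes, email addresses, domains


def load_iocs(export_json):
    """Split the export into actionable IOCs (to_ids set) and context-only ones."""
    actionable, context = {}, {}
    for attr in json.loads(export_json)["Event"]["Attribute"]:
        value = normalise(attr["type"], attr["value"])
        if value is None:
            continue
        bucket = actionable if attr.get("to_ids") else context
        bucket.setdefault(attr["type"], set()).add(value)
    return actionable, context


def parse_line(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_line(line, actionable, context):
    """Return (hits, notes): hits justify an alert, notes only enrich it."""
    fields = parse_line(line)
    hits, notes = [], []
    for field, ioc_type in FIELD_TO_IOC.items():
        if field not in fields:
            continue
        value = normalise(ioc_type, fields[field])
        if value in actionable.get(ioc_type, set()):
            hits.append((ioc_type, value))
        elif value in context.get(ioc_type, set()):
            notes.append((ioc_type, value))
    return hits, notes


def scan(lines, actionable, context):
    """Alert on every line with at least one actionable hit."""
    alerts = []
    for number, line in enumerate(lines, 1):
        hits, notes = match_line(line, actionable, context)
        if hits:
            alerts.append({"line": number, "hits": hits, "context": notes})
    return alerts


def firewall_blocklist(actionable):
    """The list a firewall would pull from the TIP: actionable destination IPs."""
    return sorted(actionable.get("ip-dst", set()), key=ipaddress.ip_address)


if __name__ == "__main__":
    actionable, context = load_iocs(IOC_EXPORT)
    for alert in scan(LOG_LINES, actionable, context):
        print(alert)
    print("blocklist:", firewall_blocklist(actionable))
```

Run as a script, it raises alerts for the proxy connection to the payload server, the EDR file event (hash match, with the file name attached as context) and the mail to the exfiltration mailbox, while the system file that merely shares the name Update.exe produces nothing. The to_ids split is the point of the design: only indicators the feed marks as fit for detection feed the blocklist, which is how a platform keeps the "actionable" and "relevant" qualities of the intelligence separate from the weaker context it also carries.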

Like military intelligence, cyber threat intelligence consumes a combination of human and computing effort. Nowadays there are many free and commercial threat intelligence platforms (TIPs) that support automated and manual collection, sharing and analysis of IOCs across team and organisational boundaries. Refer to the external article 'Top 10 Threat Intelligence Platforms in 2022' for more on TIPs. For small and medium organisations with a limited budget, the well-known open source TIP MISP (https://www.misp-project.org/) is a good choice to start with.

(source: https://www.spiceworks.com/it-security/vulnerability-management/articles/best-threat-intelligence-platforms/)

Expectation of ISO27002:2022 Control 5.7

Now let us put the technology aspects aside and turn back to the governance aspects expected by control 5.7 of ISO27002:2022.

The control guidance is in three parts. The first part states the purpose:

a) facilitate informed actions to prevent the threats from causing harm to the organization;

b) reduce the impact of such threats.

We can see that both a preventive and a mitigating effect are expected. In some situations an organisation cannot prevent a threat, but with knowledge of how it will attack, mitigation actions can reduce its impact.

The second part of the guidance lists the expected qualities of the threat intelligence itself (the information produced, regardless of which platform produces it):

a) relevant (i.e. related to the protection of the organization);

b) insightful (i.e. providing the organization with an accurate and detailed understanding of the threat landscape);

c) contextual, to provide situational awareness (i.e. adding context to the information based on the time of events, where they occur, previous experiences and prevalence in similar organizations);

d) actionable (i.e. the organization can act on information quickly and effectively).

It should be noted that ISO27002 never explicitly says 'how' to achieve its controls. Thus, an organisation can implement its threat intelligence capability through (i) manual effort, (ii) an automated platform, or (iii) a combination of both, as long as the result meets the four points, a) to d), above.

If the organisation purchases or adopts a TIP from outside (whether an open source or a commercial tool), it is important to ensure that its use is relevant to the organisation. Taking MISP as an example, a software outsourcing company will configure and use it quite differently from an e-commerce firm: the feeds and sources each selects drive how each organisation responds to threats.

Roles In Threat Intelligence

Now that we know what threat intelligence should be, the question 'how do we implement it?' follows. Fortunately, control 5.7 lists the activities that make up the control:

a) establishing objectives for threat intelligence production;

b) identifying, vetting and selecting internal and external information sources that are necessary and appropriate to provide information required for the production of threat intelligence;

c) collecting information from selected sources, which can be internal and external;

d) processing information collected to prepare it for analysis (e.g. by translating, formatting or corroborating information);

e) analyzing information to understand how it relates and is meaningful to the organization;

f) communicating and sharing it to relevant individuals in a format that can be understood.

From activities a) to f) above, we can recognise the following specialised skills:

  • Planning and governing for production of threat intelligence.
  • Collecting, investigating, analyzing and corroborating information from sources of threats.
  • Communicating with the relevant individuals, usually the roles responsible for the information assets that are under threat.

Based on these skills, an organisation may form a team, a so-called 'Threat Intelligence Taskforce', to own this control. This can be a fully dedicated team or a virtual team with members drawn from existing operational teams.

Either way, the outcome of threat intelligence should be clearly defined and distinguished from daily operations. A dedicated threat intelligence taskforce has the benefit of avoiding biased decisions: an overloaded operations team will often put aside the extra actions needed to deal with threats. With a dedicated taskforce, point f) (communicating and sharing) becomes the key success factor for the outcome of control 5.7.
