Experience Capture Questions Brian Willis Inputs

Capturing Your Experience with Building Cybersecurity Capacity
Pilot I: Brian Willis, Senior Cyber Threat Analyst with Intel Corporation
Questions:
1. Were you engaged in building the capacity of your own organisation to deal with
cybersecurity, or were you involved in capacity building efforts on behalf of a third
party?
Over the past 18 years, I have been engaged in building response capacity in the
following contexts within our organization and with third parties (industry bodies,
etc.):
- Establishing enterprise and product security response processes for a large multinational IT company
- Establishing national response concept of operations and operational information sharing constructs
- Establishing national and international industry response and information sharing frameworks
- Developing organizational, cross-industry and industry-government cyber threat and vulnerability information sharing capabilities
- Developing cyber threat and vulnerability automation standards
2. Which particular areas of cybersecurity capacity were you particularly focused on
improving?
My experience has been focused in the areas of:
- Cyber threat and vulnerability information sharing
- Incident Response (international, national, enterprise and product-related)
- Cyber Exercises
3. What are the particular actions your organisation took to increase its capacity to deal
with this cybersecurity problem?
Some actions to increase capacity to deal with cybersecurity problems include:
- Increased leveraging of community-based response and information sharing organizations (as a force multiplier)
- Development of threat analysis methodology such as taxonomies for threat agents and capability maturity models.
- Development of cyber threat analytical tools and mechanisms
- Increased leveraging of automated solutions for information sharing and response management.
- Development of threat intelligence governance, reporting and coordination processes.
- Creation of light-weight operational frameworks leveraging existing internal processes and community resources where possible.
- Development and ratification of organizational priority intelligence requirements which inform information sharing activities.
- Developed and disseminated regularly scheduled analytical work product and briefings.
- Drive the creation and adoption of information sharing standards and automation (STIX, TAXII, etc.) in the external community.
- Active participation and leadership in external information sharing communities locally, regionally, nationally and globally.
4. What effects did you hope to achieve in taking these particular actions? Are there
any particular objectives, goals or priorities that were the intended outputs?
Among the key goals were to:
- Build a core threat intelligence gathering and analysis capability
  - The intelligence work product was designed in three methods: tactical, operational and strategic
- Synthesize/fuse into actionable intelligence
- Deliver timely, actionable intelligence to:
  1. Enterprise Defenders
  2. Product Security Developers
  3. Business Decision Makers
5. What particular aspects of the project enabled your success? What worked well?
- Gaining strong management support to invest in threat intelligence capability. It may take several years for such a capability to realize its potential, so having support for a long-term investment is crucial.
  - This required a shift in thinking from a cyber threat and vulnerability intelligence outlook toward a more business intelligence and geopolitical perspective.
- Establishing a regular communication pipeline between analysts and consumers of the intelligence. Giving regular briefings – learning from those briefings and work product. Calibrating your analytical work to meet stakeholder needs is an iterative process.
- Get some early wins. To keep momentum, focus on some tangible gains that can be achieved early to maintain momentum and support.
  - Such early wins included exploiting code or signature before it went public, and providing threat briefings to CIO staff on a quarterly basis.
- Being able to articulate your value proposition and being able to do it often, especially in the early days of building out the capability.
- Leveraging the external cybersecurity community – there are a lot of resources available and those contacts and best practices can save time and money.
  - Also, monitoring conferences and the threat landscape yields rewards by engaging proactively rather than reactively. By providing the opportunity for the technical assessment people who show interest in threat intelligence to attend these conferences, you begin to see greater business impact on a multiplicative scale.
6. Were there specific barriers that inhibited progress toward achieving the desired
ends?
- Establishing trust takes time and in many cases face-to-face time. Establishing this trust in a virtual environment across organizations can be difficult.
- It can be difficult to develop briefing material and analytical work product that is understood and useful to your stakeholders. It is very much an iterative process and our work product evolves regularly to meet changing needs.
- Mapping your investment in threat intelligence to tangible metrics and/or a value proposition can be difficult.
  - These value propositions, which are dual use for management and operational utility, must be re-evaluated as risk dimensions evolve.
7. Having gained this experience is there anything that you would do differently in the
future in similar capacity building activities?
I think early in our evolution, our focus was very tactical in the sense that our main
focus was getting actionable intelligence quickly to enterprise defenders (block this
port, get this malware sig, etc.), so we had a lot of interaction with our response
teams and operations staff. It took us some time to evolve our goals and work
product to inform enterprise defence planning and architecture. I would
recommend doing this much earlier in the build-out of the capability. Provide regular
briefings on emerging threats and trends across the domains of collection to the
enterprise security management, architects and planners.
8. Were there any unexpected results that emerged from your capacity building efforts?
In the beginning, it was apparent that threat intelligence could help improve our
enterprise defence; however, we found quickly that our product security developers
and business decision makers were also eager to receive our work product. This
was not anticipated, but they quickly became important consumers of our work
product and additional drivers of our threat intelligence requirements.
9. Did attempting to increase capacity in this particular area have any unexpected
consequences for other aspects of capacity or business processes?
No examples come to mind.
10. How did you evaluate success or performance of your capacity building?
Below are some examples related to information sharing:
- Trust relationships established (could be things such as formal MOUs)
- Degree of automation (intake and output)
- Sharing community members (how many in the sharing community)
- Domain coverage (for example, are you a sharer/receiver of network IOCs, or perhaps Industrial Control System vulnerabilities?). Sharing communities tend to be focused on type of info, industrial sector, threat agent, etc. Depending on mission it may be important to be part of many sharing communities across many domains.
- Internally developed maturity model for specific domains of intelligence (such as APT related)
- We have developed a methodology by which we measure the value of external information sharing relationships along X number of dimensions.
  - These dimensions prompt conversation among the team and the leader justifies the relationship, which provides a give-and-take relationship in information flow.
  - However, the level of work needed to maintain these relationships and the level of trust gained are not always the same across organisations.
  - I have found that highly trusted and highly organised relationships often produce wins in information sharing, as do more ad-hoc groups around organic events (though these groups don’t tend to grow up as well, as these tend to be a community of personalities).
  - Large communities without a well-defined mission, or one with too many sectors, tend to be less successful in sharing threat information.
- Coverage of PIRs (priority threat intelligence requirements)