Cyber & IT Supervisory Forum - November 2023

internal systems that alert the entity of issues. However, this alerting usually occurs once something bad has already happened. It is important to recognize threats that might pose a risk to the entity before they cause a real issue. Some common methods of receiving this type of threat information include monitoring of popular industry websites (e.g., Recorded Future, Hacker News, Tech Crunch, SANS News Bites); monitoring of CISA notifications and notifications from regulatory agencies, federal law enforcement sources, and CSBS; and monitoring of information sharing resources such as FS-ISAC. Internal IT staff may also receive threat intelligence from other external sources such as service provider CISO working groups and forums. An important aspect of properly utilizing threat information is having a working, living knowledge of the nature of the entity's own operating environment and of the assets that reside and interact with one another in that environment. The sheer volume of threat information available to entities from the aforementioned resources can be overwhelming, so the entity needs a way to filter that information down to what is relevant to its own environment and to use that subset. Receiving information from these resources is of little use if it is not distributed to the appropriate parties within the organization, prioritized based on the company's own unique needs, and acted upon as necessary. For example, in the scenario we are looking at, it would be critical that news of this industry threat reach the appropriate IT staff within the organization so that, at a minimum, vigilance is heightened and plans for a potential response are contemplated. At this point in the exercise, the way a company reacts to this news of a potential threat would be analogous to the way we react to, say, a severe weather watch.
Think about what happens when a tornado watch is issued for your area. There is no sense of panic but, rather, a heightened awareness that a potential threat is present. You become more acutely aware of what is going on in your area, and you would likely begin to think about what you might do to protect yourself should that watch become a warning at any moment. The way an organization reacts to this threat would be very similar. It would want to ensure that it has a reliable way to receive the threat information, prioritize the information based on its relevance to the organization, and prepare to take immediate action should the threat actually materialize within the organization. But just like a TV or radio that is switched off during a severe weather event, without awareness, reactions are slowed or clouded by the chaos of the situation, potentially reducing the effectiveness of any critical reactions that might be needed. The key point is that an infrastructure that allows for this effective awareness, prioritization, and potential reaction must be in place before the threat emerges. This is a foundational incident response concept that helps set the table for the most effective response possible.

2.) How might the organization receive, prioritize, and act in response to information on new threats and vulnerabilities facing the company and its controls?
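The receive, filter, prioritize and distribute loop described above, as an added example that is not part of the forum material or any entity's actual tooling: a small Python script that matches a feed of KEV-style advisory records against an asset inventory, drops advisories that do not touch any product the entity runs, scores the remaining matches by ransomware use, internet exposure and due-date proximity, and groups the result by the team that owns each asset. The dictionary keys mirror the CISA Known Exploited Vulnerabilities JSON feed, but every asset, owner, advisory value and scoring weight here is constructed for illustration (the EXAMPLE-000x identifiers are placeholders, not real vulnerability IDs), and the weights are an assumption to be replaced with the entity's own risk criteria.

```python
"""Added example: filter and prioritize a KEV-style advisory feed against an
asset inventory, then group the result by owner for distribution.
All assets, advisories, owners and scoring weights below are constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str
    internet_facing: bool
    owner: str  # team that must receive the alert


# Constructed inventory. Vendor casing is deliberately inconsistent so the
# matching step has to normalize it.
INVENTORY = [
    Asset("vpn-edge-01", "example networks", "Edge VPN", True, "network-team"),
    Asset("hr-portal", "Example Software", "HR Portal", False, "app-team"),
    Asset("db-core-01", "Example Software", "Core DB", False, "dba-team"),
]

# Constructed advisories. Keys mirror the CISA KEV JSON feed; the values
# (including the EXAMPLE-000x placeholder IDs) are not real advisories.
ADVISORIES = [
    {"cveID": "EXAMPLE-0001", "vendorProject": "Example Networks",
     "product": "Edge VPN", "dateAdded": "2023-11-06", "dueDate": "2023-11-20",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "EXAMPLE-0002", "vendorProject": "Example Software",
     "product": "HR Portal", "dateAdded": "2023-11-10", "dueDate": "2023-12-15",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "EXAMPLE-0003", "vendorProject": "Other Vendor",
     "product": "Mail Gateway", "dateAdded": "2023-11-01", "dueDate": "2023-11-10",
     "knownRansomwareCampaignUse": "Known"},
]

EXERCISE_DATE = date(2023, 11, 15)  # constructed "today" for the exercise


def _norm(s: str) -> str:
    """Case- and whitespace-insensitive comparison key for vendor/product names."""
    return " ".join(s.lower().split())


def match_advisories(advisories, inventory):
    """Filter step: keep only (advisory, asset) pairs where the advisory's
    vendor and product name an asset the entity actually runs."""
    pairs = []
    for adv in advisories:
        for asset in inventory:
            if (_norm(adv["vendorProject"]) == _norm(asset.vendor)
                    and _norm(adv["product"]) == _norm(asset.product)):
                pairs.append((adv, asset))
    return pairs


def score(adv, asset, today: date) -> int:
    """Prioritize step. Weights are an assumption for illustration: every
    match starts at 1; known ransomware use +3; internet exposure +2;
    due date within 7 days +2, within 21 days +1."""
    s = 1
    if adv.get("knownRansomwareCampaignUse", "").lower() == "known":
        s += 3
    if asset.internet_facing:
        s += 2
    days_left = (date.fromisoformat(adv["dueDate"]) - today).days
    if days_left <= 7:
        s += 2
    elif days_left <= 21:
        s += 1
    return s


def prioritize(advisories, inventory, today: date):
    """Return matched advisories as rows sorted by score (desc), then due date."""
    rows = [
        {"id": adv["cveID"], "asset": asset.name, "owner": asset.owner,
         "due": adv["dueDate"], "score": score(adv, asset, today)}
        for adv, asset in match_advisories(advisories, inventory)
    ]
    rows.sort(key=lambda r: (-r["score"], r["due"]))
    return rows


def route(rows):
    """Distribute step: group prioritized rows by the owning team."""
    by_owner = {}
    for row in rows:
        by_owner.setdefault(row["owner"], []).append(row)
    return by_owner


if __name__ == "__main__":
    for owner, items in route(prioritize(ADVISORIES, INVENTORY, EXERCISE_DATE)).items():
        print(owner)
        for r in items:
            print(f"  score={r['score']} {r['id']} on {r['asset']} due {r['due']}")
```

With the constructed data the mail gateway advisory is discarded because no inventory asset matches it, the VPN advisory lands at the top of the network team's list, and the HR portal advisory reaches the application team at low priority. The point of the split into match, score and route functions is that each step maps to one of the questions in the exercise: the inventory is what makes filtering possible, the weights encode the entity's own prioritization, and the owner field is the distribution list.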

