This paper captures the underlying assumptions of the CORA methodology by describing what a robust, threat-informed cyber security program looks like. The authors identify a selection of key practices in each of five areas.
Cyber Operations Rapid Assessment (CORA): A Guide to Best Practices for Threat-Informed Cyber Security Operations
​Actionable threat intelligence plays a critical role in cyber defense, from helping to protect systems and data, to protecting organizations, industries, and even countries. A number of recent highly-publicized breaches has led to considerable activity in both the public and private sector to enhance capabilities to collect, utilize, and share cyber threat information. Many organizations, however, struggle with introducing threat intelligence into their defenses, relying predominantly on static defensive measures and compliance-oriented processes. Transitioning to a threat-oriented posture is not easy, and change needs to occur across the triad of people, processes and technologies.
In a previous paper, we introduced the CORA (Cyber Operations Rapid Assessment) methodology, which was developed to study issues and best practices in cyber information sharing. In addition it serves as an engagement tool for assessing and improving threat-based security defenses. CORA identifies five major areas of cyber security where the proper introduction of threat information can have tremendous impact on the efficacy of defenses:
- External Engagement
- Tools and Data Collection
- Tracking and Analysis
- Internal Processes
- Threat Awareness and Training
Th is paper captures the underlying assumptions of the CORA methodology by describing what a robust, threat-informed cyber security program looks like. We identify a selection of key practices in each of the above five areas. We defined a "Threat-Informed Cyber Security Operation” (TICSO), as one that successfully incorporates threat information into its regular security practices, and thereby enhances both its tactical and strategic defensive capabilities.
Given the vast literature for cybersecurity recommendations and guidance, an additional goal of this paper is to provide references to resources and further guidance to assist organizations in achieving their goal of a threat-oriented defensive posture.