27.02.2018

Building a Mature Cyber Threat Intelligence Program

The concept of becoming intelligence-led is greater than only consuming threat data and correlating indicators within your tools. A mature Cyber Threat Intelligence (CTI) program provides deep context, communicates across the business, and acts as a proactive service provider – much in the same way that SOCs and IR teams function. While many organizations have built an ad-hoc CTI program internally, it tends to lack the unbiased assessment and consult around prioritizing their progressive, and crucial, strategic movement.





 

Intelligence Capability Assessment

An Intelligence Capability Assessment (ICA) ICA tackles the problem-set holistically, inclusive of the core CTI capabilities necessary to consume and apply intelligence, as well as how CTI is integrated across conventional cybersecurity operations. During this assessment, the following areas are reviewed:

  • Core CTI Functions: Identify essential people, process and technology (PPTs) requirements charged with executing a cyber threat intelligence lifecycle to achieve specific mission objectives.
  • Identify and Protect: Leverage CTI to manage its risk exposure from vulnerability management to mitigating cyber controls.
  • Monitor and Detect: Use CTI to pinpoint threat activity through reactive and proactive measures.
  • Respond & Recover: Apply CTI to triage, respond to, and remediate threat activity within the environment.
  • Reduce Risk: Employ CTI to strategically align the organization’s cyber security program to face the evolving threat landscape.

 

Roadmap

After current capabilities are assessed, a comprehensive roadmap for getting there is developed – while considering in-flight security initiatives and ensuring interoperability with the larger cyber defense objective. An ICA effectively jumpstarts security programs of all sizes to implement robust and pragmatic capabilities. Scalability, sustainment, and efficiency are the ultimate goals. 

 

Defining the Framework

Now, how do we define the end-state? After building and implementing these practices and capabilities, it’s time to focus on how they will be operationalized. From a daily, functional perspective, how does your capability look and how do you measure the value? We kickstart this by defining our CTI Program Buildout Framework. See Figure 1 for an overview of this framework. From left to right, building these capabilities moves your organization’s maturity needle toward an intelligence-led model.


Figure 1: CTI Program Framework
During an ICU engagement, focus is placed on the “implementing practices” and “realizing capabilities” levels of this model.

 

Defining the Functions of your CTI Team

The most important step is defining the functions your CTI team will perform. This can look very different, depending upon the type of organization, threat profile, type and size of infrastructure, and resources available. We look to define four key functions and related activities, as depicted in Figure 2. From this point, you can develop staffing plans, process components, intelligence products, and metrics to show and measure value to the business.



Figure 2: 4 Key CTI Functions

 

In Conclusion: 

Organizations have varying appetites and tolerance for the speed at which an intelligence capability is built out. Some companies prefer a phased approach, others prefer a high-speed execution with programs defined in months rather than over the course of one or two years. Regardless, it is critical for those organizations to assess current capability and plan for a transition before the heavy lifting begins. This will allow for efficient implementation of the capability’s people, process, and technology.