The increased availability of Threat Intelligence and the advancement of CTI tools have led to the rise of Cyber Threat Intelligence (CTI) as an integral part of security operations. Although this has proven to be a linchpin in the fight against advanced threat actors, the discussion surrounding CTI is often marred by conflicting narratives on how organizations should go about developing their CTI capabilities. Therefore, before implementing a CTI program, it is essential to take a step back and analyze the various aspects that determine the structure, implementation, and consequent utility of an organization-wide CTI program.
CTI Program Objective
To begin this complex task, one must first determine the objective of a CTI program. In the modern stack of enterprise security, Threat Intel fills an important gap. A CTI program allows organizations to develop a proactive cyber defense strategy by providing key information on various kinds of threats and threat actors. It serves as the guiding force in understanding the intention, behavior, tools, tactics, and techniques of adversaries.
In addition, the combination of CTI with an advanced threat response solution and a situational awareness solution forms a comprehensive, proactive cyber defense trifecta. Moreover, it provides several other important benefits such as:
- Improved allocation of security resources using contextual threat intelligence.
- Enhanced information sharing with business partners, sectoral bodies, industry peers, and others.
- Improved security governance through prioritization of the most relevant threats.
Any comprehensive program cannot achieve its intended outcomes unless all core elements of the program are planned, implemented, and managed appropriately. Below are some of the key elements that define the structure of an organization’s CTI program.
- Stakeholders - All the various stakeholders need to be taken into consideration while developing the personnel, process, and technology capabilities for a CTI program. This can include various stakeholders within the organization as well as external stakeholders like business partners, clients, industry peers, and others.
- Scope of the Program - Organizations need to set a clear scope of their CTI program keeping in mind various aspects, such as technical infrastructure, business strategy, policy, adoption of technology, and more. These aspects influence the collection and use of information by the CTI program.
- CTI Team - For any sizeable organization, the formation of a dedicated team for the CTI program is essential. The team should be able to communicate effectively with other technical and non-technical units within the organization. The CTI team will need to communicate with decision-makers regarding business risk from cyber threats, while also working with the other security functions in the security operation to guide the development of a proactive cyber defense strategy and play an integral role in overall threat management.
- Process - The CTI operations will include various steps ranging from Threat Intel collection, processing, analysis, and sharing, to the governance process.
- Capabilities - The size of the organization, its resources, and its cyber risks will help define the desired capabilities of its CTI program. The capabilities of a CTI program can include management of stakeholders, scope, requirements, and information sources; ingestion of structured and unstructured information; and the production, analysis, and dissemination of Threat Intel.
- Activities - For each planned capability, a CTI team will need to execute well-defined activities with the use of appropriate tools and technologies to aid the workflow.
- Output - The output of a CTI program, as guided by its scope and stakeholders, will include the Strategic, Operational, Technical, and Tactical forms of intelligence.
Types of Threat Intel
An organization’s CTI program produces various kinds of intelligence that can guide different functions within the organization. The Threat Intel can be categorized into four types as follows:
- Strategic - This includes the information focused on threats related to the organization’s business, geography, and operating environment. This information is usually acted upon by the senior management within the organization.
- Operational - Operational Threat Intel focuses on flaws in the design of the organization’s technical infrastructure, and helps plan proactive actions that the security team can take to mitigate them.
- Technical - The Technical Threat Intel provides information on threats affecting various assets operated by the organization, including servers, applications, endpoints, software, etc. This plays an important role in closing security gaps and improving policies.
- Tactical - Tactical Threat Intel focuses on analyzing the tactics, techniques, and procedures (TTPs) of adversaries and learnings from industry peers and other organizations facing similar kinds of threats.
The table below from the European Union Agency for Network and Information Security (ENISA) provides metrics for evaluating and analyzing each type of Threat Intel. Using these metrics, an organization can make the most of its CTI program and effect changes within different functions to improve its overall security posture.
This diagram from the ENISA 2018 Threat Landscape Report provides a visual representation of where and how the various forms of Threat Intel would be found and used in an organization’s CTI program.
Modeling & Evaluating CTI Program Maturity
In its 2018 Threat Landscape Report, ENISA outlined a comprehensive framework to categorize CTI programs into different levels of maturity. The report highlights the following four CTI Program Maturity levels:
- Initial - At the initial level, the CTI program relies on informal processes, external sources of information, and lacks well-defined outcomes.
- Managed - At this level, the CTI program is more connected to the stakeholders and their requirements. Threat information is collected from internal sources while external sources are used for enrichment. Also, a basic level of information sharing practice is established within the organization.
- Repeatable - At this level, there is greater management control, regular evaluation of outcomes, and integration of Threat Intel with existing systems and processes. Through association and correlation of information on motives, capabilities, targets, and behavior of adversaries, the CTI program provides necessary recommendations for various security functions.
- Optimized - The final and highest level focuses on constant learning, optimization, and collaboration with all stakeholders for the effective use of Threat Intel for decision making and action.
The increased availability of Threat Intel and the advancement of CTI tools over the last few years have led to crucial changes in the way organizations approach cybersecurity. Organizations are learning how to effectively leverage CTI to defend against advanced threats. An in-depth understanding of what constitutes a CTI program will serve as the foundation for implementing and effectively managing an organization’s cyber risk. Cyware’s Strategic and Tactical Threat Intelligence Sharing Solutions help organizations comprehensively gain maturity as suggested in the ENISA models.