CTI Program Objectives
- Improved allocation of security resources using contextual threat intelligence.
- Enhanced information sharing with business partners, sectoral bodies, industry peers, and others.
- Improved security governance through prioritization of the most relevant threats.
- Stakeholders - All the various stakeholders need to be taken into consideration while developing the personnel, process, and technology capabilities for a CTI program. This can include various stakeholders within the organization as well as external stakeholders like business partners, clients, industry peers, and others.
- Scope of the Program - Organizations need to set a clear scope of their CTI program keeping in mind various aspects, such as technical infrastructure, business strategy, policy, adoption of technology, and more. These aspects influence the collection and use of information by the CTI program.
- CTI Team - For any sizeable organization, a dedicated team for the CTI program is essential. The team should be able to communicate effectively with other technical and non-technical units within the organization. The CTI team will need to communicate with decision-makers about the business risk posed by cyber threats, while also working with other functions in security operations to guide the development of a proactive cyber defense strategy and to play an integral role in overall threat management.
- Process - The CTI operations will include various steps ranging from Threat Intel collection, processing, analysis, and sharing, to the governance process.
- Capabilities - The size of the organization, its resources, and its cyber risks will help define the desired capabilities of its CTI program. The capabilities of a CTI program can include management of stakeholders, scope, requirements, and information sources; ingestion of structured and unstructured information; and production, analysis, and dissemination of Threat Intel.
- Activities - For each planned capability, a CTI team will need to execute well-defined activities with the use of appropriate tools and technologies to aid the workflow.
- Output - The output of a CTI program, as guided by its scope and stakeholders, will include the Strategic, Operational, Technical, and Tactical forms of intelligence.
Types of Threat Intel
- Strategic - This includes information on threats related to the organization’s business, geography, and operating environment. This information is usually acted upon by senior management within the organization.
- Operational - Operational Threat Intel focuses on flaws in the design of the organization’s technical infrastructure, and helps plan proactive actions that the security team can take to mitigate them.
- Technical - The Technical Threat Intel provides information on threats affecting various assets operated by the organization, including servers, applications, endpoints, software, etc. This plays an important role in closing security gaps and improving policies.
- Tactical - Tactical Threat Intel focuses on analyzing the tactics, techniques, and procedures (TTPs) of adversaries, together with lessons learned from industry peers and other organizations facing similar kinds of threats.
Modeling & Evaluating CTI Program Maturity
- Initial - At the initial level, the CTI program relies on informal processes and external sources of information, and lacks well-defined outcomes.
- Managed - At this level, the CTI program is more connected to the stakeholders and their requirements. Threat information is collected from internal sources while external sources are used for enrichment. Also, a basic level of information sharing practice is established within the organization.
- Repeatable - At this level, there is greater management control, regular evaluation of outcomes, and integration of Threat Intel with existing systems and processes. Through association and correlation of information on motives, capabilities, targets, and behavior of adversaries, the CTI program provides necessary recommendations for various security functions.
- Optimized - The final and highest level focuses on constant learning, optimization, and collaboration with all stakeholders for the effective use of Threat Intel for decision making and action.
Posted on: November 07, 2019