August 13, 2023
Cyber threat intelligence (CTI) has enormous potential to help security professionals make better and more efficient decisions. By providing actionable insight on the current threat landscape, intelligence helps a security function focus on what really matters.
For a CTI capability to thrive, all intelligence produced should directly address the main challenges facing a security function. For example, an organization struggling to prioritize patching efforts would benefit from intelligence on vulnerabilities being actively exploited. Developing such a stakeholder-focused approach to intelligence sounds simple in theory, but CTI teams often struggle to do this in practice because they are led astray.
This article outlines three of the most common pitfalls for CTI functions and how they can be avoided through a more intentional focus on stakeholders.
Pitfall 1: Product-Driven Intelligence
Product-driven intelligence is produced out of habit rather than stakeholder need: the main reason these reports keep being produced on a regular schedule is that they have always been produced.
This pitfall often arises with standing reports (such as a weekly intelligence summary or monthly industry report). A CTI function can easily settle into a comfortable rhythm of producing these reports without ever measuring whether they are being utilized or soliciting feedback from their recipients.
Intelligence can also struggle when the format lands awkwardly with its intended audience. Consider a vulnerability exploitation report delivered as a weekly email to a vulnerability management team that largely ignores email and conducts most of its work through other tools. The wrong format can dramatically increase the friction of actioning CTI reports, so it is essential to capture these delivery details as CTI teams plan their key outputs.
Pitfall 2: Analyst-Driven Intelligence
Analyst-driven intelligence reflects the interests and concerns of CTI analysts. Threat intelligence analysts are a passionate bunch, and there are certain topics that get the CTI community very excited.
Analyst-driven reports ultimately reflect the biases and backgrounds of CTI analysts. Technical analysts might incessantly analyze novel attack techniques, even if those techniques are highly targeted and unlikely to impact their specific organization. Likewise, a former government intelligence officer might instinctively focus on nascent geopolitical trends, even if they are unlikely to impact their organization.
CTI analysts should therefore always adjust their focus to remain aligned to threats that really matter to their organization.
Pitfall 3: Event-Driven Intelligence
Event-driven intelligence is highly reactive, with ad hoc reports developed in response to headlines. Focus is often placed on the breaking news itself, rather than on its impact and relevance to an organization's security posture.
When managed incorrectly, breaking news can introduce panic and distraction into a security function, for instance by drawing attention to vulnerabilities that are not present on an organization's network, or through frequent reporting on threat actors that are not known to target an organization's sector or region.
Instead, breaking news should be analyzed in a more structured way (i.e., assessed in relation to existing intelligence requirements and an organization’s threat profile).
Although these pitfalls are a distraction, they shouldn't be stamped out entirely. For instance, analysts should be able to respond quickly to breaking developments or draw on their interest in specific areas where appropriate. These are useful influences; however, the overarching direction of a CTI team should be driven by a focus on the stakeholders within a security function and the challenges they are facing.
A Requirements-Driven Approach to Intelligence
In our recent whitepaper A Requirements-driven Approach to Cyber Threat Intelligence, we outline the essential steps a CTI team can take to ensure they effectively meet the needs of all relevant stakeholders within their organization. We offer actionable advice and practical steps on how intelligence functions can implement such an approach within their organizations.
Key aspects of this approach include:
A threat profile: This outlines the threats most likely to target an organization based on its sector and region. It helps analysts stay focused on the most relevant risks facing the organization.
Stakeholder analysis: Stakeholders can be anyone who requires threat intelligence to make more informed decisions that improve security outcomes. It's vital that a CTI team documents who its stakeholders are and what their main challenges are.
Intelligence requirements: An intelligence requirement identifies a need to collect, analyze, produce, and disseminate threat intelligence.
Any CTI team can and should adopt this requirements-focused approach. It provides a CTI team with a clear direction to build sustainable success. Even for security teams that are already feeling stretched, taking the time to implement a requirements-driven approach will ultimately optimize resources, balance competing demands, and maximize efficiency.
Dr. Jamie Collier is a Senior Threat Intelligence Advisor at Mandiant, Google Cloud. He works with organizations in the EMEA region to help them understand their threat landscape and build threat intelligence capabilities. He is also active within academia as an Associate Fellow at the Royal United Services Institute (RUSI). Before joining Mandiant, he was the Cyber Threat Intelligence Team Lead at Digital Shadows and completed a PhD in Cyber Security at the University of Oxford. Jamie was previously based at MIT as a Cyber Security Fulbright Scholar and has experience working with the NATO Cooperative Cyber Defense Centre of Excellence, Oxford Analytica, and PwC India.