Author: Dickie KU (HERE)
![](https://static.wixstatic.com/media/2a4a201127537e57ecfabc407f713f78.jpg/v1/fill/w_980,h_599,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/2a4a201127537e57ecfabc407f713f78.jpg)
It is my belief that the majority of security practitioners understand Cyber Threat Intelligence (CTI) to be far more expansive than merely Indicators of Compromise (IOCs). However, I have observed that many organisations still lack a proper Cyber Threat Intelligence Management Framework or Program. In a common scenario, CTI functions as a unit within the Security Operations Center (SOC), with the primary consumers of Threat Intelligence being the SOC’s operations (SecOps) team. While a dedicated CTI team may not be strictly necessary, establishing a robust CTI program is essential to enhance the overall effectiveness of the Threat Intelligence function. This program is particularly crucial if the organisation has plans to build a dedicated CTI team in the future.
In this article, I will share the approach I have developed for operationalising a widely adopted CTI framework into a field-tested program. I will provide detailed insights into the key elements at each stage of this process. While the contents discussed may not be entirely novel, as they draw from the work of various experts and published sources, I will present them through the unique lens of my own practical implementation experience. My aim is to offer you a personalised perspective that can serve as a valuable guide in establishing a CTI program within your own organisation.
The ultimate goal of a CTI program is to provide intelligence to stakeholders so that they can make well-informed decisions. As an engineering graduate, I find it easier to express an idea as a formula than in words.
Intelligence is the result of gathering relevant data, processing and analysing it according to defined requirements, and delivering the insights to stakeholders in an agreed-upon format.
One of the most widely recognised frameworks for CTI is the CTI Lifecycle, which outlines six distinct stages in the intelligence process:
1. Direction & Planning
2. Collection
3. Processing & Exploitation
4. Analysis
5. Dissemination
6. Feedback
We can align five of the six CTI Lifecycle stages with the components of my CTI program formula. In this model, I position Feedback as a transitional stage connecting the Dissemination of intelligence to the Direction & Planning of future intelligence requirements, reflecting how the collected feedback informs and shapes the next iteration of the intelligence process.
Aligning CTI program elements with the stages of the CTI Lifecycle
The interconnected nature of the stages within the CTI Lifecycle
> Your Intelligence program’s maturity is based on your ability to do each part of the intelligence cycle. (Mark Arena, CEO, Intel 471)
According to Mark Arena, the CEO of Intel 471, the maturity of a CTI program is determined by an organisation’s performance across the stages of the CTI Lifecycle. Prominent industry bodies, like CREST, have created well-established maturity assessment frameworks; these tools give companies a structured way to benchmark the current maturity and capabilities of their CTI programs. Below I outline the key elements that I believe are necessary in each stage of the CTI Lifecycle.
**Direction & Planning**

- **Identify Stakeholders**: Determine who the key stakeholders are that need to receive and act upon the CTI insights.
- **Gather & Prioritise Intelligence Requirements**: Understand the specific intelligence needs and priorities of the identified stakeholders.
- **Create Intelligence Collection Plan**: Based on the intelligence requirements, develop an organised plan to guide the collection of relevant threat data and information from various sources.
**Collection**

- **Execute Collection Plan**: Put the intelligence collection plan into action by gathering the identified threat data and information from the selected sources.
- **Fill Intelligence Gaps**: After the initial collection, the CTI team reviews the gathered information and works to fill any remaining gaps or areas where additional data is required.
**Processing & Exploitation**

- **Filter & Transform Raw Data**: The collected raw data is filtered and transformed into a format that can be more easily analysed.
- **Data Indexing**: The filtered data is indexed and organised to facilitate efficient storage and retrieval.
- **Deduplication**: Redundant data is identified and removed to avoid skewing the analysis.
- **Contextualisation**: Additional context and metadata are added to the data to enhance its meaning and relevance for the intended use cases.
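To make the Processing & Exploitation steps concrete, here is an added Python example of my own; it is not code from the original article. It takes raw records from two constructed feeds with different schemas, filters and transforms them into one canonical record, deduplicates entries that describe the same indicator, builds lookup indexes, and contextualises each record by mapping it to the intelligence requirements defined in Direction & Planning and by deriving a corroboration-based confidence label. The feed names, indicator values, tags, campaign name and PIRs are all constructed for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed raw records from two hypothetical feeds ("feedA", "feedB") that
# use different field names and formats for the same kind of information.
RAW_FEED = [
    {"source": "feedA", "indicator": "198.51.100.23", "type": "ip", "seen": "2024-03-01T10:00:00Z", "tags": ["c2", "phishing"]},
    {"source": "feedB", "value": "198.51.100.23 ", "kind": "ipv4", "first_seen": "2024-03-02", "campaign": "ConstructedCampaign"},
    {"source": "feedA", "indicator": "example.test", "type": "domain", "seen": "2024-03-01T11:00:00Z", "tags": ["phishing"]},
    {"source": "feedB", "value": "EXAMPLE.TEST", "kind": "fqdn", "first_seen": "2024-03-03", "campaign": "ConstructedCampaign"},
    {"source": "feedB", "value": "not an indicator", "kind": "fqdn", "first_seen": "2024-03-03"},
    {"source": "feedA", "indicator": "10.0.0.5", "type": "ip", "seen": "2024-03-01T12:00:00Z", "tags": ["scanner"]},
    {"source": "feedA", "indicator": "203.0.113.7", "type": "ip", "seen": "2024-03-04T09:00:00Z", "tags": ["scanner"]},
]

# Constructed intelligence requirements carried over from Direction & Planning;
# each PIR lists the tags that make a record relevant to it.
PIRS = {
    "PIR-1": {"question": "Which phishing infrastructure targets our staff?", "tags": {"phishing"}},
    "PIR-2": {"question": "Which C2 infrastructure is active against our sector?", "tags": {"c2"}},
}

# Address ranges that never make sense as external indicators (RFC 1918,
# loopback, link-local): a feed entry inside them is noise, not intelligence.
NOISE_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def normalise(record):
    """Filter & transform: map either feed schema onto one canonical record.
    Returns None for entries that are malformed or internal noise."""
    value = (record.get("indicator") or record.get("value") or "").strip().lower()
    kind = (record.get("type") or record.get("kind") or "").lower()
    seen = record.get("seen") or record.get("first_seen") or ""
    if kind in ("ip", "ipv4"):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None
        if any(addr in net for net in NOISE_NETS):
            return None
        itype = f"ipv{addr.version}"
    elif kind in ("domain", "fqdn"):
        if not DOMAIN_RE.match(value):
            return None
        itype = "domain"
    else:
        return None
    tags = set(record.get("tags") or [])
    if record.get("campaign"):
        tags.add("campaign:" + record["campaign"])
    return {"type": itype, "value": value, "first_seen": seen[:10],
            "sources": {record["source"]}, "tags": tags}


def deduplicate(records):
    """Merge records for the same indicator: union sources and tags, keep the earliest sighting."""
    merged = {}
    for rec in records:
        key = (rec["type"], rec["value"])
        if key in merged:
            kept = merged[key]
            kept["sources"] |= rec["sources"]
            kept["tags"] |= rec["tags"]
            kept["first_seen"] = min(kept["first_seen"], rec["first_seen"])
        else:
            merged[key] = rec
    return list(merged.values())


def contextualise(records, pirs):
    """Attach the PIRs each record answers and a confidence label based on source corroboration."""
    for rec in records:
        rec["pirs"] = sorted(p for p, spec in pirs.items() if spec["tags"] & rec["tags"])
        rec["confidence"] = "high" if len(rec["sources"]) > 1 else "low"
    return records


def build_index(records):
    """Data indexing: lookup tables by indicator type, by PIR and by value."""
    index = {"by_type": defaultdict(list), "by_pir": defaultdict(list), "by_value": {}}
    for rec in records:
        index["by_type"][rec["type"]].append(rec["value"])
        for pir in rec["pirs"]:
            index["by_pir"][pir].append(rec["value"])
        index["by_value"][rec["value"]] = rec
    return index


def process(raw, pirs):
    """Run the Processing & Exploitation steps in order and return the index."""
    normalised = [n for n in (normalise(r) for r in raw) if n is not None]
    return build_index(contextualise(deduplicate(normalised), pirs))


if __name__ == "__main__":
    idx = process(RAW_FEED, PIRS)
    for value, rec in idx["by_value"].items():
        print(value, rec["type"], rec["first_seen"], sorted(rec["sources"]), rec["pirs"], rec["confidence"])
```

Two points the code makes that the prose leaves implicit: deduplication is a merge, not a drop, so the second feed's campaign tag and sighting date enrich the first feed's record rather than being discarded; and contextualisation can come up empty, as it does for the scanner-tagged address, which tells the analyst that the indicator answers no current requirement and is a candidate for the intelligence-gap review rather than for a product.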
**Analysis**

- **Analytic Judgment**: This is what transforms the processed data and information into actionable, high-value threat intelligence. The analysts apply their specialised skills and domain knowledge to turn the information into intelligence that is relevant, timely, and operationally useful for the organisation and its stakeholders.
- **Meet Intelligence Requirements**: The analytical results are evaluated to ensure they address the original intelligence requirements identified in earlier stages. If there are any uncertainties or gaps in the analysis, the CTI team actively reaches out to the relevant stakeholders to seek clarification and additional guidance.
- **Productise Analytical Results**: The insights and findings are packaged into appropriate intelligence products, such as reports, briefings, or alerts, for delivery to the relevant stakeholders.
**Dissemination**

- **Publish Intelligence**: The completed intelligence products are securely distributed to the identified stakeholders according to their needs and preferences.
- **Record Intelligence Products**: A comprehensive record of the published intelligence products is maintained for future reference and analysis.
- **Collect Stakeholder Feedback**: The CTI team actively gathers feedback from stakeholders on the relevance, usefulness, and quality of the delivered intelligence.
A diagram to summarise the key activities in a CTI program
A sample workflow of the Direction & Planning phase that I developed in the past
In this article, I outlined my approach for initiating a CTI program. I recommend starting the program by initially focusing on key security stakeholders like the SOC or Chief Information Security Officer (CISO), maturing and demonstrating the program’s value before gradually expanding to serve a wider range of stakeholders across the organisation as a central Intelligence Service Centre. This is an intriguing topic that I plan to explore in more depth in my upcoming posts. Furthermore, I will explore the practical implementation details for each stage of the CTI program. This will include an in-depth look at the underlying architecture and framework required to operationalise the program effectively.