Rooted in data, cyber threat intelligence (CTI) provides context in terms of who is attacking you, what their motivation and capabilities are, and what indicators of compromise (IoCs) to look for in your systems to help make informed decisions about your
security. This piece provides a framework designed to ensure your CTI program is effective and actionable.
When CTI is treated as a dedicated, focused function within a broader security program, the result is a force multiplier because it becomes integrated into a broad set of functions.
Security teams are routinely unable to process the alerts they receive. CTI can help with this by:
The following is an example of a CTI procedural framework. However, an effective intelligence program is iterative, becoming more refined over time, so teams should revisit and update this as necessary.
The first step to producing actionable threat intelligence is to ask the right questions. The questions that best drive the creation of actionable threat intelligence focus on a single fact, event or activity (e.g., a cyber event that would have material
impact on the business). Broad, open-ended questions should usually be avoided.
Prioritize your intelligence objectives based on factors like how closely they adhere to your organization’s core values, how big of an impact the resulting decision will have and how time-sensitive the decision is.
The next step is to gather raw data that fulfills the requirements set in the first stage. It is best to collect data from a wide range of sources, including:
The collected data can then be sent to a central SIEM for processing and analysis.
Once all the raw data has been collected, you need to sort it, organizing it with metadata tags and filtering out redundant information or false positives and negatives. Today, even small organizations collect data on the order of millions of log events
and hundreds of thousands of indicators every day. It is too much for human analysts to process efficiently. Data collection and processing must be automated (e.g., via a SIEM).
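As an added worked example of this processing stage (not code from the original post), the Python below normalises, de-duplicates, tags and ranks constructed indicator records from several feeds, dropping an allowlisted false positive and a malformed entry along the way. The feed names, allowlist and confidence scores are all assumed, and every value uses reserved documentation ranges and names rather than real indicators.

```python
from dataclasses import dataclass, field

# Constructed sample records: (source, ioc_type, value, confidence 0-100); values are reserved test names/ranges.
RAW_FEED = [
    ("vendor_feed", "domain", "Update.Example-Bad.TEST.", 80),
    ("isac_share",  "domain", "update.example-bad.test", 60),  # same domain, different casing
    ("vendor_feed", "ipv4",   "203.0.113.7", 90),
    ("internal_ir", "ipv4",   " 203.0.113.7 ", 95),           # same IP, seen by our own IR team
    ("vendor_feed", "domain", "cdn.example-corp.test", 40),   # our own CDN: a false positive
    ("osint",       "sha256", "deadbeef", 20),                 # truncated hash: unusable
]
KNOWN_GOOD = {"cdn.example-corp.test"}  # assumed allowlist of own and partner infrastructure

@dataclass
class Indicator:
    ioc_type: str
    value: str
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)
    confidence: int = 0

def normalise(ioc_type, value):
    # Canonicalise one value so duplicates collide; None means unusable.
    value = value.strip()
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    if ioc_type == "sha256":
        value = value.lower()
        return value if len(value) == 64 and all(c in "0123456789abcdef" for c in value) else None
    return value

def process(feed, known_good):
    # Merge duplicates, drop allowlisted/malformed entries, tag and rank what remains.
    merged, dropped = {}, []
    for source, ioc_type, raw, conf in feed:
        value = normalise(ioc_type, raw)
        if value is None:
            dropped.append((raw, "malformed"))
        elif value in known_good:
            dropped.append((raw, "allowlisted"))
        else:
            ind = merged.setdefault((ioc_type, value), Indicator(ioc_type, value))
            ind.sources.add(source)
            ind.confidence = max(ind.confidence, conf)  # keep the strongest assertion
    for ind in merged.values():
        ind.tags.add("corroborated" if len(ind.sources) > 1 else "single-source")
        if "internal_ir" in ind.sources:
            ind.tags.add("seen-internally")  # our own telemetry outranks third-party feeds
    ranked = sorted(merged.values(), reverse=True,
                    key=lambda i: (len(i.sources), "seen-internally" in i.tags, i.confidence))
    return ranked, dropped
```

Running `process(RAW_FEED, KNOWN_GOOD)` collapses six raw records to two ranked indicators, which is the kind of reduction that makes the later analysis stage tractable.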
The next step is to make sense of the processed data. The goal of analysis is to search for potential security issues and notify the relevant teams in a format that fulfills the intelligence requirements outlined in the planning and direction stage.
Threat intelligence can take many forms, depending on the initial objectives and the intended audience, but the idea is to get the data into a format the audience will understand. This can range from simple threat lists to peer-reviewed reports.
The finished product should then be distributed to its intended consumers. For threat intelligence to be actionable, it must get to the right people at the right time. Consider using ticketing systems that integrate with your other security systems to
track each step of the intelligence cycle. Each time a new intelligence request comes up, tickets can be submitted, written up, reviewed and fulfilled by multiple people across different teams all in one place.
The final step is when the intelligence cycle comes full circle, making it closely related to the initial planning and direction phase. After receiving the finished intelligence product, whoever made the initial request reviews it and determines whether
their questions were answered. This drives the objectives and procedures of the next intelligence cycle, again making documentation and continuity essential.
Most organizations look to a CTI solution to address each of these issues. The best solutions:
January 20, 2022
By IANS Faculty