Creating an Effective Cyber Threat Intelligence Framework

September 28, 2021 | By IANS Faculty

Rooted in data, cyber threat intelligence (CTI) provides context: who is attacking you, what their motivations and capabilities are, and which indicators of compromise (IoCs) to look for in your systems, so that you can make informed decisions about your security. This piece provides a framework designed to ensure your CTI program is effective and actionable. 

Cyber Threat Intelligence Benefits

When CTI is treated as a dedicated, focused function within a broader security program, it acts as a force multiplier, because its output feeds a broad set of other security functions. 

Security teams are routinely unable to process all the alerts they receive. CTI can help with this by: 

  • Integrating with current security solutions to help automatically prioritize and filter alerts and other threats. 
  • Helping vulnerability management teams more accurately prioritize the most important vulnerabilities. 
  • Enriching fraud prevention, risk analysis and other high-level security processes by providing a more thorough understanding of the current threat landscape, including key insights on threat actors, their tactics, techniques and procedures (TTPs) and more from data sources across the web. 

Cyber Threat Intelligence Framework Example 

The following is an example of a CTI procedural framework. However, an effective intelligence program is iterative, becoming more refined over time, so teams should revisit and update this as necessary. 

Step 1. Planning and Direction

The first step to producing actionable threat intelligence is to ask the right questions. The questions that best drive the creation of actionable threat intelligence focus on a single fact, event or activity (e.g., a cyber event that would have material impact on the business). Broad, open-ended questions should usually be avoided. 

Prioritize your intelligence objectives based on factors like how closely they align with your organization’s core priorities, how large an impact the resulting decision will have and how time-sensitive the decision is. 

Step 2. Data Collection

The next step is to gather raw data that fulfills the requirements set in the first stage. It is best to collect data from a wide range of sources, including: 

  • Internal, such as network event logs and records of past incident responses. 
  • External, from the open web, the dark web and technical sources. 

The collected data can then be sent to a central SIEM for processing and analysis. 

Step 3. Data Processing 

Once the raw data has been collected, you need to sort it: organize it with metadata tags (source, confidence, associated actor), deduplicate it and filter out known false positives, such as indicators that point at your own infrastructure or at widely shared benign services. Today, even small organizations collect data on the order of millions of log events and hundreds of thousands of indicators every day, far too much for human analysts to process efficiently. Data collection and processing must therefore be automated (e.g., via a SIEM). 

Step 4. Data Analysis  

The next step is to make sense of the processed data. The goal of analysis is to search for potential security issues and notify the relevant teams in a format that fulfills the intelligence requirements outlined in the planning and direction stage. 

Threat intelligence can take many forms, depending on the initial objectives and the intended audience, but the idea is to get the data into a format the audience will understand. This can range from simple threat lists to peer-reviewed reports. 
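As an added example that is not part of the original post, the following Python ties Steps 2 through 4 together and shows the alert-prioritization benefit listed earlier: two constructed feeds are normalized, deduplicated and tagged with source, confidence and actor; allowlisted indicators (our own infrastructure) are dropped as false positives; and what remains is matched against constructed DNS, proxy and EDR log lines to produce a confidence-ranked hit list routed to an owning team. The feed names, the key=value log format, the indicator values (documentation IP ranges, the reserved .example TLD, a filler hash) and the team routing are all assumptions made for the illustration, not real indicators or a real product's behaviour.

```python
"""Collect, process and analyze IoCs: a minimal CTI pipeline (added example)."""
import re
from collections import defaultdict

# Step 2, external sources: two constructed feeds (hypothetical indicators in
# documentation ranges / the reserved .example TLD). Real feeds overlap and
# disagree on casing and "defanging" (hxxp, [.]), which Step 3 must reconcile.
RAW_FEEDS = {
    "feed_a": [
        {"indicator": "evil-domain[.]example", "type": "domain", "confidence": 80, "actor": "ACTOR-X"},
        {"indicator": "203.0.113.7", "type": "ipv4", "confidence": 60, "actor": "ACTOR-X"},
        {"indicator": "DEADBEEF" * 8, "type": "sha256", "confidence": 90, "actor": None},
    ],
    "feed_b": [
        {"indicator": "EVIL-DOMAIN.example", "type": "domain", "confidence": 50, "actor": "ACTOR-X"},
        {"indicator": "hxxp://evil-domain[.]example/payload", "type": "url", "confidence": 70, "actor": "ACTOR-X"},
        {"indicator": "203.0.113.1", "type": "ipv4", "confidence": 40, "actor": None},  # our own egress NAT
    ],
}
# Known-benign or internal infrastructure: a feed entry for these is a false positive.
ALLOWLIST = {("ipv4", "203.0.113.1")}

# Step 2, internal source: constructed DNS / proxy / EDR log lines in an assumed key=value format.
RAW_LOGS = [
    "2021-09-28T10:00:01Z host=ws-17 type=dns query=evil-domain.example rcode=NOERROR",
    "2021-09-28T10:00:02Z host=ws-17 type=proxy dst=203.0.113.7 url=http://evil-domain.example/payload",
    "2021-09-28T10:00:03Z host=ws-17 type=edr sha256=" + "deadbeef" * 8,
    "2021-09-28T10:05:00Z host=ws-22 type=dns query=intranet.example rcode=NOERROR",
    "2021-09-28T10:06:00Z host=ws-22 type=proxy dst=203.0.113.1 url=http://intranet.example/",
]

# Assumed routing: which log field carries each indicator type, and who acts on a hit.
LOG_FIELD = {"domain": "query", "ipv4": "dst", "url": "url", "sha256": "sha256"}
OWNER = {"domain": "SOC", "ipv4": "SOC", "url": "SOC", "sha256": "endpoint-team"}


def normalize(ioc_type, value):
    """Undo defanging and case differences so duplicates from different feeds collide."""
    v = value.strip().replace("[.]", ".")
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v)
    if ioc_type in ("domain", "sha256", "md5"):
        v = v.lower()
    elif ioc_type == "url":
        m = re.match(r"^(https?://)([^/]+)(.*)$", v)
        if m:  # lowercase scheme and host only; the path may be case-sensitive
            v = m.group(1).lower() + m.group(2).lower() + m.group(3)
    return v


def process(raw_feeds, allowlist):
    """Step 3: deduplicate across feeds, merge metadata, drop allowlisted false positives."""
    merged = {}
    for source, entries in raw_feeds.items():
        for e in entries:
            key = (e["type"], normalize(e["type"], e["indicator"]))
            if key in allowlist:
                continue
            rec = merged.setdefault(key, {"type": key[0], "value": key[1], "confidence": 0,
                                          "sources": set(), "actors": set()})
            rec["confidence"] = max(rec["confidence"], e["confidence"])  # keep the strongest claim
            rec["sources"].add(source)
            if e["actor"]:
                rec["actors"].add(e["actor"])
    return merged


def parse_log(line):
    """Split 'ts k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def analyze(processed, raw_logs):
    """Step 4: match normalized IoCs against log fields, rank hits, attach context and an owner."""
    by_type = defaultdict(dict)
    for (t, v), rec in processed.items():
        by_type[t][v] = rec
    hits = []
    for line in raw_logs:
        f = parse_log(line)
        for t, field in LOG_FIELD.items():
            raw = f.get(field)
            rec = by_type[t].get(normalize(t, raw)) if raw else None
            if rec:
                hits.append({"ts": f["ts"], "host": f["host"], "type": t, "value": rec["value"],
                             "confidence": rec["confidence"], "actors": sorted(rec["actors"]),
                             "sources": sorted(rec["sources"]), "notify": OWNER[t]})
    hits.sort(key=lambda h: (-h["confidence"], h["ts"]))  # highest confidence first
    return hits


if __name__ == "__main__":
    indicators = process(RAW_FEEDS, ALLOWLIST)
    print(f"{len(indicators)} unique indicators after processing")
    for h in analyze(indicators, RAW_LOGS):
        print(f"{h['ts']} {h['host']} {h['type']}={h['value']} conf={h['confidence']} "
              f"actors={h['actors']} -> notify {h['notify']}")
```

Normalizing before keying is what makes the two spellings of the same domain collapse into one record that carries the higher confidence and both sources; that merged context, plus the actor tag, is the "connect the dots" step. The allowlist matters in the other direction: without it, a feed error listing your own egress address would page the SOC on every outbound connection.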

Step 5. Dissemination of Intelligence 

The finished product should then be distributed to its intended consumers. For threat intelligence to be actionable, it must get to the right people at the right time. Consider using ticketing systems that integrate with your other security systems to track each step of the intelligence cycle. Each time a new intelligence request comes up, tickets can be submitted, written up, reviewed and fulfilled by multiple people across different teams all in one place. 

Step 6. Feedback

The final step is when the intelligence cycle comes full circle, making it closely related to the initial planning and direction phase. After receiving the finished intelligence product, whoever made the initial request reviews it and determines whether their questions were answered. This drives the objectives and procedures of the next intelligence cycle, which makes documentation and continuity essential. 

Cyber Threat Intelligence Guidance 

Most organizations look to a CTI solution to support each stage of this cycle. The best solutions: 

  • Use machine learning to automate data collection and processing. 
  • Integrate with your existing solutions. 
  • Take in unstructured data from disparate sources. 
  • Connect the dots by providing context on threat actor IoCs and TTPs. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice. 
