Rooted in data, cyber threat intelligence (CTI) provides context in terms of who is attacking you, what their motivation and capabilities are, and what indicators of compromise (IoCs) to look for in your systems to help make informed decisions about your security. This piece provides a framework designed to ensure your CTI program is effective and actionable.
When CTI is treated as a dedicated, focused function within a broader security program, the result is a force multiplier because it becomes integrated into a broad set of functions.
Security teams are routinely unable to process the alerts they receive. CTI can help with this by:
The following is an example of a CTI procedural framework. However, an effective intelligence program is iterative, becoming more refined over time, so teams should revisit and update this as necessary.
The first step to producing actionable threat intelligence is to ask the right questions. The questions that best drive the creation of actionable threat intelligence focus on a single fact, event or activity (e.g., a cyber event that would have material impact on the business). Broad, open-ended questions should usually be avoided.
Prioritize your intelligence objectives based on factors like how closely they adhere to your organization’s core values, how big of an impact the resulting decision will have and how time-sensitive the decision is.
The next step is to gather raw data that fulfills the requirements set in the first stage. It is best to collect data from a wide range of sources, including:
The collected data can then be sent to a central SIEM for processing and analysis.
Once all the raw data has been collected, you need to sort it, organizing it with metadata tags and filtering out redundant information or false positives and negatives. Today, even small organizations collect data on the order of millions of log events and hundreds of thousands of indicators every day. It is too much for human analysts to process efficiently. Data collection and processing must be automated (e.g., via a SIEM).
The next step is to make sense of the processed data. The goal of analysis is to search for potential security issues and notify the relevant teams in a format that fulfills the intelligence requirements outlined in the planning and direction stage.
Threat intelligence can take many forms, depending on the initial objectives and the intended audience, but the idea is to get the data into a format the audience will understand. This can range from simple threat lists to peer-reviewed reports.
The finished product should then be distributed to its intended consumers. For threat intelligence to be actionable, it must get to the right people at the right time. Consider using ticketing systems that integrate with your other security systems to track each step of the intelligence cycle. Each time a new intelligence request comes up, tickets can be submitted, written up, reviewed and fulfilled by multiple people across different teams all in one place.
The final step is when the intelligence cycle comes full circle, making it closely related to the initial planning and direction phase. After receiving the finished intelligence product, whoever made the initial request reviews it and determines whether their questions were answered. This drives the objectives and procedures of the next intelligence cycle, again making documentation and continuity essential.
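The collection, processing and analysis stages above are where automation does the heavy lifting. The script below is an added example, not code from the original post or from IANS, showing one minimal version of that pipeline: it pulls indicators from two feeds that use different field names and defanging conventions, normalizes and deduplicates them, tags each with source and confidence metadata, drops a known false positive via an allowlist, matches the result against log events, and emits a simple threat list as the finished product. The feed entries, log events, allowlist and field names are all constructed for the example; real feeds and SIEM exports will need their own mapping.

```python
"""Minimal CTI pipeline: collect -> process -> analyze -> finished product.
All feed records, log events and the allowlist below are constructed
sample data for illustration, not real intelligence."""

# Constructed sample feeds. Each uses its own schema and defanging style,
# as real feeds do; the collection step maps them onto one record shape.
RAW_FEEDS = {
    "feed_a": [
        {"indicator": "203.0.113.10", "type": "ip", "confidence": 80, "seen": "2021-10-01"},
        {"indicator": "evil-example[.]test", "type": "domain", "confidence": 70, "seen": "2021-10-03"},
        {"indicator": "8.8.8.8", "type": "ip", "confidence": 20, "seen": "2021-10-04"},
    ],
    "feed_b": [
        {"value": "203.0.113.10", "kind": "ipv4", "score": 60, "first_seen": "2021-09-28"},
        {"value": "hxxp://evil-example[.]test/payload", "kind": "url", "score": 90, "first_seen": "2021-10-02"},
        {"value": "EVIL-EXAMPLE.TEST", "kind": "domain", "score": 50, "first_seen": "2021-10-05"},
    ],
}

# Constructed allowlist: indicators known to generate false positives
# (a public resolver in this sample) are filtered out during processing.
ALLOWLIST = {"8.8.8.8"}

# Map each feed's type vocabulary onto one internal set of indicator types.
TYPE_MAP = {"ip": "ipv4", "ipv4": "ipv4", "domain": "domain", "url": "url"}

# Constructed sample log events, as a SIEM might export them.
LOG_EVENTS = [
    {"ts": "2021-10-06T10:00:00Z", "host": "ws-17", "dst_ip": "203.0.113.10", "domain": None},
    {"ts": "2021-10-06T10:05:00Z", "host": "ws-17", "dst_ip": "198.51.100.7", "domain": "evil-example.test"},
    {"ts": "2021-10-06T10:07:00Z", "host": "ws-02", "dst_ip": "8.8.8.8", "domain": None},
    {"ts": "2021-10-06T10:09:00Z", "host": "ws-09", "dst_ip": "192.0.2.1", "domain": "intranet.example"},
]


def normalize(value):
    """Refang common defanging patterns and canonicalize case so the same
    indicator from two feeds compares equal."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".")
    v = v.replace("hxxps://", "https://").replace("hxxp://", "http://")
    return v


def collect(raw_feeds):
    """Collection: flatten heterogeneous feed records into one schema,
    tagging each record with the source it came from."""
    records = []
    for source, entries in raw_feeds.items():
        for e in entries:
            records.append({
                "value": normalize(e.get("indicator") or e.get("value")),
                "type": TYPE_MAP[e.get("type") or e.get("kind")],
                "confidence": e.get("confidence", e.get("score")),
                "first_seen": e.get("seen") or e.get("first_seen"),
                "source": source,
            })
    return records


def process(records, allowlist=ALLOWLIST):
    """Processing: drop allowlisted false positives, deduplicate by
    (type, value), and merge metadata (all sources, highest confidence,
    earliest sighting) so corroboration across feeds is preserved."""
    merged = {}
    for r in records:
        if r["value"] in allowlist:
            continue
        key = (r["type"], r["value"])
        m = merged.setdefault(key, {"value": r["value"], "type": r["type"], "sources": set(),
                                    "confidence": 0, "first_seen": r["first_seen"]})
        m["sources"].add(r["source"])
        m["confidence"] = max(m["confidence"], r["confidence"])
        m["first_seen"] = min(m["first_seen"], r["first_seen"])
    return list(merged.values())


def analyze(iocs, events):
    """Analysis: match processed IoCs against log events and rank hits by
    confidence, then by how many feeds corroborate the indicator."""
    index = {(i["type"], i["value"]): i for i in iocs}
    findings = []
    for ev in events:
        for ioc_type, field in (("ipv4", "dst_ip"), ("domain", "domain")):
            val = ev.get(field)
            ioc = index.get((ioc_type, val.lower())) if val else None
            if ioc:
                findings.append({"host": ev["host"], "ts": ev["ts"], "indicator": ioc["value"],
                                 "confidence": ioc["confidence"], "sources": sorted(ioc["sources"])})
    findings.sort(key=lambda f: (f["confidence"], len(f["sources"])), reverse=True)
    return findings


def threat_list(iocs):
    """Finished product: a simple tab-separated threat list, one line per indicator."""
    return [f"{i['type']}\t{i['value']}\t{i['confidence']}\t{','.join(sorted(i['sources']))}"
            for i in sorted(iocs, key=lambda i: i["value"])]


def run():
    """Run the full cycle on the constructed sample data."""
    iocs = process(collect(RAW_FEEDS))
    return iocs, analyze(iocs, LOG_EVENTS)


if __name__ == "__main__":
    iocs, findings = run()
    print("\n".join(threat_list(iocs)))
    for f in findings:
        print(f)
```

On the sample data the public resolver never reaches the threat list or the findings, the IP reported by both feeds keeps the higher confidence and the earlier first-seen date, and the two hits on ws-17 come out ranked by confidence, which is the shape a consumer can act on without re-reading the raw feeds. The merge step is the one worth keeping as feeds grow: an indicator seen by several independent sources is a different signal from one seen by a single low-confidence feed, and the metadata carried through here lets the analysis stage make that distinction.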
Most organizations look to a CTI solution to address each of these issues. The best solutions:
October 19, 2021
By IANS Faculty