An increasing number of companies today depend on their cyberthreat intelligence (CTI) practices to stay ahead of determined attackers and an ever-expanding attack surface. In fact, 72 percent of organizations are now producing or consuming CTI data, according to Help Net Security. Statistics from EY’s “Global Information Security Survey 2018–19” show that about half of companies have developed in-house capabilities for threat intelligence collection and feeds (46 percent) and threat intelligence analysis (54 percent).

But having access to or generating CTI data doesn’t automatically translate into better insights, improved incident response or enhanced decision-making. So how can organizations squeeze the most out of their cyberthreat intelligence practices?

Maximizing a CTI function begins with identifying the stakeholders at various levels of the organization and understanding the goals of those stakeholders in making use of CTI information. What questions will CTI data help answer? How will this data be used? Once your CTI practice is off the ground, consider automating parts of the process to increase efficiency and free up human time for more strategic tasks. More mature organizations should review how actionable and accessible cyberthreat information is, with the ultimate barometer being whether the information is actually used throughout the organization during decision-making.

A Road Map to Improve Your Cyberthreat Intelligence Practices

Organizations looking for a road map to guide their cyber intelligence efforts will find great value in the “Cyber Intelligence Tradecraft Report,” published in May 2019 by the Software Engineering Institute (SEI) at Carnegie Mellon University. Full of advice for both business leaders and cyberthreat leaders, this comprehensive report not only details the state of cyber intelligence practices in the U.S., but provides a framework to guide companies looking to build or improve their existing practices, sharing insights into high-performing organizations (HPOs) along the way.

The report takes a broader view of intelligence operations, hence the use of the term “cyber intelligence” as opposed to “cyberthreat intelligence,” noting that the former includes the latter (but not vice versa).

The Cyber Intelligence Framework: What Is It and Why It Matters

The SEI report evaluated more than 30 organizations against 33 assessment factors, which were then mapped onto the five elements of the framework. The framework was created to ensure that organizations are deriving as much benefit out of their intelligence practices as possible. The five elements cover both the executive-level strategic view down to what data is collected and how value is extracted from the process:

  1. Environmental context — Ensures organizations have developed a deep understanding of their data, systems and networks, as well as their attack surface and the threats they face.

  2. Data gathering — The process and sources organizations use to generate or collect cyber intelligence data.

  3. Threat analysis — Cyber intelligence received or collected is then analyzed to derive actionable threat information that will be used by the chief information security officer (CISO) and midlevel managers.

  4. Strategic analysis — Extracts information that is relevant to executive decision-making. By its very nature, this is information that pertains to the health, reputation and profitability of the organization and is thus of vital interest to top leadership.

  5. Reporting and feedback — Covers the communication, use and feedback mechanisms required to ensure an effective — or improving — cyber intelligence process.

Most organizations have elements one through three, meaning they have determined the business context, they are able to gather data (whether through their own means or via CTI feeds) and they have some kind of threat analysis capability — again, either in-house or outsourced. However, HPOs differentiate themselves from the pack by their ability to deliver strategic-level analysis, provide timely and customized reports, and receive regular feedback from top leadership about the quality of analysis work.

Most Cyberthreat Intelligence Programs Face Challenges

So what challenges are organizations facing in optimizing their CTI programs? A 2018 report from the Healthcare Information and Management Systems Society (HIMSS) shed light on some of the major barriers facing healthcare organizations specifically.

When asked about the best ways for healthcare organizations to remediate and mitigate cybersecurity incidents, respondents cited the benefits of cyber intelligence prominently. However, a quarter of organizations also mentioned the large number of new and emerging threats as a barrier to making effective use of CTI data, as they struggle simply to keep up with analyzing this large volume of data. Other common responses included lacking the right technologies or tools, or the right level of know-how, for effective use and deployment of CTI processes.

The challenges reported in the HIMSS document are echoed by the SEI report. Among the challenges holding back effective cyber intelligence processes, the SEI report mentioned:

  • The gap between technical and analytical expertise, noting that in many cases, analysts are well-versed technically, but not in intelligence analysis, or vice versa.

  • Lack of resources, which contributes to situations such as the use of outdated tools or data feeds, or of systems that make it difficult to use or share relevant data internally and externally.

  • Lack of leadership buy-in, which is a vicious cycle in cases where the threat intelligence program hasn’t delivered on its promises to executives. Organizations facing this situation would strongly benefit from implementing the recommendations that follow.

Implement Best Practices for Your Cyber Intelligence Program

Among the best practices and recommendations listed in the SEI report, organizations that adopt the following will see not only short-term benefits but also long-term improvements, since these recommendations support continuous improvement efforts as well.

Develop a Fusion Center

A fusion center can help break down silos and ensure information is shared quickly with all relevant parties. Having a focus on collection management would also help the organization determine who can coordinate intelligence requirements (e.g., What questions are we looking to get answers for? What data sources should we be using to get those answers?).

Work Toward Strategic Analysis

Strategic analysis elevates threat intelligence from a technical focus to being risk-based, and provides briefings to executives containing actionable information. It is holistic in nature, and covers current and future threats, threat actors — including behaviors and evolution of their capabilities — risks and opportunities, such as those stemming from emerging technologies.

Most importantly, strategic analysis provides information that the organization should use to improve its ability to prepare, detect, respond to and recover from security incidents. As the SEI report puts it, strategic analysis produces “the right reports for your organization.” But getting to that stage will also require another key element: feedback.

Improve Reporting and Feedback

One of the most striking differentiators between high-performing organizations and other enterprises is their focus on value to the reader. More than 70 percent of HPOs had a well-defined strategy and timeline to generate their valued reports across a variety of audiences (e.g., CISO, line-of-business directors, board directors). But HPOs also stood out for having clear and regular feedback from top leadership and the board about the value of their strategic reports, including just how often the CTI reports are used when considering big decisions.

Leverage Automation

Regardless of their current CTI maturity level, most organizations can benefit from leveraging automation. However, organizations will quickly run into the challenging question of what parts of the CTI process they should automate — followed quickly by a host of detailed questions about which standards and protocols to use.

Those organizations can find many answers in the ISAO Standards Organization’s “ISAO 300-2: Automated Cyber Threat Intelligence Sharing” report, published in April 2019. The document provides technical guidelines for organizations wishing to automate the sharing or consumption of collaborative CTI data. This tactical-level document will help implementers answer the more technical questions — e.g., standards, protocols, agreements — as well as provide a detailed process list for determining what to automate.

Adopt Emerging Technologies

In addition to automation, the SEI report also highlights the benefits of adopting artificial intelligence (AI) in cyber intelligence processes, noting that many organizations are using AI and machine learning to assist human analysts, speed up and improve the collection and analysis of data, and generate customized reports for different audiences.

It further states: “Artificial intelligence using machine learning has the potential to relieve human analysts of the burden of manual tasks and free them to think critically.”

Focus on Strategic Value to the Business

As more organizations develop their intelligence practices to include cyberthreats as part of everyday decision-making, it is important to keep in mind that the value of these activities currently ranges from too technical and too tactical to be useful, all the way to strategic briefings that guide every choice. But the stakes are too high to give up, so focus on value — strategic value to the business — get frequent feedback from top leaders, and determine which technologies — such as automation and AI — you need to become a high-performing organization.
