Conversations around cyber threat intelligence (CTI) would be far more enjoyable if we stopped talking past each other all the time. I spend a lot of my time discussing CTI with security leaders and practitioners, yet am struck by how often there is misunderstanding in the conversation. People have very different views on what CTI is (or isn't). This makes it essential to understand each other and communicate the value of CTI in a clear and accessible way.
This blog explores why CTI can be such a slippery concept and how we can explain its benefits more clearly by discussing a range of threat intelligence use cases.
A breadth of use cases makes CTI applicable across a security function. However, this variety can simultaneously sow confusion:
- Anyone can be a CTI stakeholder: Threat intelligence can be utilised by a security leader, SOC analyst, or vulnerability manager. Even those outside a security function now increasingly consume CTI. For instance, there is a growing appetite to leverage CTI as part of broader risk analysis performed by governance, risk management, and compliance (GRC) teams. C-suites and boards are also engaged in strategic threat intelligence as cyber risk becomes a higher priority.
- CTI comprises a variety of products: Threat intelligence could be a PDF, an excel spreadsheet or a powerpoint presentation. Reports can be delivered on a daily, weekly, monthly, quarterly or annual basis. Threat intelligence can be shared via TIIPs, STIX, and SIEMs as well as over the phone, via email, or in person.
- Threat intelligence is consumed for multiple reasons: Stakeholders might turn to intelligence to hone their detection efforts, increase their efficiency, or gain context after a breach. CTI can be used for standing requirements, as well as ad hoc requests. It can be utilised to address some of the most complex challenges facing the security community, yet equally adept at dispelling hype after an executive reads cyber war clickbait.
CTI can therefore represent a confusing assortment of products, stakeholders, and expectations. This means there is a high chance of confusion when positioning threat intelligence. Security functions may not fully understand what they are investing in, or may pursue the wrong opportunities for their given maturity path and use cases.
All of this makes it essential to position the benefits of an intelligence-led approach in a clear and accessible way.
Framing CTI as a Process
CTI is often introduced with a definition, but I have found presenting it as a process makes the concept far more accessible. I typically frame CTI as a three-step process:
- Identify relevant threats: This includes threat activity on your own network, regional and sector-specific threats, as well as globally active threats and emerging trends.
- Take action: A variety of action items can take place after identifying relevant threats, ranging from patching actively exploited vulnerabilities, inserting security controls against prominent attack techniques, or conducting threat hunting missions against threat groups of specific concern.
- Improve security outcomes: Having taken action on relevant threats, a security function will have hardened their defences and built more resilient networks.
Framing CTI in multiple steps makes it easier to understand what an intelligence-led workflow looks like at a conceptual level. It also creates a focus on improving outcomes from the outset. The intelligence lifecycle or role of analytical techniques might be important topics in their own right, yet unlikely to interest senior decision-makers. By contrast, honing in on outcomes directly connects threat intelligence with a security function's key challenges from the first conversation.
Discussing CTI as a process also instigates a conversation on what taking action actually means for a security function and their stakeholders.
A Menu of Use Cases
The sheer breadth of threat intelligence applications can easily overwhelm an audience. But, framing CTI as a menu of use cases can help to overcome this. Security functions have a range of opportunities to utilise CTI, but it is up to them to choose which use cases (and how many) to pursue.
At a very high level, a CTI menu discussion might include an overview of tactical, operational, and strategic intelligence. I personally prefer to flip this conversation around and focus on stakeholders first. I.e. discussing the challenges facing a SOC analyst or vulnerability manager, before exploring how threat intelligence could make their lives easier. For those interested in exploring this further, I have included links to use case examples at the bottom of this article.
After countless threat intelligence conversations, I have found exploring the wide range of CTI use cases has proved the most effective approach to communicating the benefits of an intelligence-led approach.
Some security functions may decide they only want to pursue one or two CTI use cases, while others will opt for an all-you-can-eat option by integrating CTI across their entire security strategy.
A CTI menu therefore avoids being overly prescriptive or overwhelming decision-makers. This is because it is completely up to a security function to decide how they integrate CTI into their security posture. A menu of options can be scaled up or down. It gives security functions the agency to decide what works best for them.
Discussing a range of use cases also helps to capture the current state of an intelligence function, as well as how it might look in the future. For example, a security function only consuming indicators-of-compromise might decide to first expand into additional operational use cases (such as leveraging YARA rules or MITRE ATT&CK mapping). Conversely, strategic intelligence use cases (such as risk management or building awareness with senior leadership) might be viewed as a long-term aspiration.
Understanding the full spectrum of use cases therefore educates security leaders on the full possibilities of an intelligence-led approach. It helps them to visualise how they can realise additional benefits from CTI in the future.
Stepping Away from the Threats
Discussing a menu of use cases is as much a conversation about a security function's main challenges as it is about threat intelligence. In fact, the most important part of these conversations happens when threat intelligence experts stop speaking. This is because the benefits of an intelligence-led approach can only be realised when we first take the time to listen and understand stakeholders.
Focusing on use cases might not be a particularly exciting or revolutionary idea. However, I believe it is a departure from the way CTI is typically discussed, where there is an overwhelming focus on the threats themselves.
We are understandably obsessed about developments in the threat landscape in the CTI community. An in-depth understanding of active threats is a vital component of CTI while threat briefings will always have an important role. Yet, discussing threats doesn't necessarily articulate the full value of an intelligence-led approach to security.
I therefore worry there is an imbalance in the CTI community, where intelligence programme development issues don't receive the attention they deserve. You don't need to look far at a CTI conference before you find talks dissecting Chinese malware or recent ransomware tactics. By contrast, talks on engaging with stakeholders, developing effective intelligence requirements, or capturing effective feedback are often missing from conference agendas.
In short, the CTI community would benefit from becoming less insular. Rather than focusing on what we ourselves find interesting, we must spend more time engaging with the issues that are a priority for the stakeholders that we serve.